Despite the importance of investing in effective cybersecurity, many organisations must strike a difficult balance between the cost of resources, services, tools and their available budget. Prioritisation is key, because in most organisations, there isn’t enough money available to cover everything on their security wish list, and IT leaders must balance risk against affordability.
And that’s not easy. With so many areas competing for attention, Chief Information Security Officers (CISOs) often face tricky decisions. For example, some organisations look to advanced threat protection to combat the ongoing spate of high-profile breaches, while for others, application security and testing is a regulatory requirement and therefore frequently non-negotiable. The list goes on: the growth of bring your own device (BYOD) programs, for instance, has broadened the attack vectors available to cybercriminals, and data loss prevention is always a top concern, so it must be accounted for.
As a result, CISOs are experienced in exploring every option that can help them achieve their security goals while staying within the available budget. One option that’s growing in popularity is outsourcing the security function, either partially or in its entirety. By opting for a managed security service, organisations can benefit from specialist security knowledge, while handing off issues associated with the deployment, management and monitoring of applications to a trusted third party.
With security as a service (SECaaS), security solutions are no longer delivered locally, where the IT department installs virus protection software, spam filtering software and other security tools on each machine, or on the network or server in the workplace, and then keeps the software up to date or tells users to use it. The old way of doing things is also expensive: not only are there upfront costs for hardware, but there are also continuing costs for items such as software licenses. Instead, security as a service gives organisations access to the same tools through only a web browser, making it direct and affordable.
SECaaS can include a whole range of cloud-delivered capabilities, as well as in-house security management offered by a third party. Options range from disaster recovery and business continuity to encryption, network security and intrusion management, and the list goes on.
It’s an approach that offers a range of potential benefits: it can accelerate return on security investments and improve security effectiveness, while simultaneously reducing overhead and capital budgets. While the provision of security as a service is not new to the market, the sophistication of the options available and the increasingly favourable ‘protection-to-cost ratio’ underline its value to a wide range of organisations.
Choosing between managed security services and in-house deployment
While managed services aren't necessarily the right fit for every organisation or industry, many of their advocates and users find they can deliver enterprise-grade security for a fraction of the investment required to deploy the same solution in-house. These benefits fall into a range of areas that often inform the decision-making process when considering an outsourced strategy:
For some, concerns about the sensitivity of security reporting data require that their infrastructure remain on-premise. For situations where running software in-house is impractical but outsourcing the responsibility is undesirable, a hybrid model has emerged: on-premise hosting of managed security services. In this approach, the vendor supplies and manages the software used in the managed security program, while the customer manages the infrastructure in its own IT environment. All data remains with the customer, while program management responsibilities are looked after by the managed security service provider (MSSP). In this way, organisations with the IT bandwidth can securely outsource security operations to their managed service partner(s). In the process, upfront capital expenses are minimised, and concerns about any type of data leaving the premises are eliminated.
- Speeding up time to value
Despite ubiquitous pressure to minimise time to value, deploying new software solutions in-house is not always simple. Internal teams need to learn how to work with new software, successfully manage implementation and train colleagues (among many other priorities). What’s more, unexpected delays due to lack of familiarity with the tools can also slow down time to value.
Using a managed security service provider, however, can eliminate much of the set-up time and cost associated with deployment. In addition, infrastructure changes can be minimised or eliminated entirely, and product experts take responsibility for installation, training and rollout to all relevant employees. This translates into faster implementation and time to value.
- Access to expertise
Across the entire cybersecurity industry, the scarcest resources, even for those with larger budgets, are skills and experience. The security professionals who deploy, manage and monitor security activities, and who respond to incidents to minimise damage, are in exceptionally short supply in every industry, making them a rare (and often expensive) commodity. However, working with a managed services provider gives organisations access to the provider's expertise, as set out in every Service Level Agreement. This can be a major advantage, particularly for organisations with lower budgets that cannot afford their own in-house security resource.
Using a managed security service provider is becoming an increasingly popular option among enterprises and SMBs alike. In part, the growing adoption of SECaaS is driven by a shortage of security resources – including qualified infosec professionals as well as skills and tools as a whole – coupled with the ever-expanding threat landscape.
But choosing a SECaaS partner requires careful consideration, and deciding whether it’s the right choice will depend on a few variables. Organisations with available time, budgets and resources, or with extensive infrastructure already in place, may well find that on-premise deployment still makes the most sense. On the other hand, if faster time to value, lower IT overheads and additional security expertise are more pressing priorities, working with a managed service (or hybrid managed services) provider can offer a highly effective way to a secure future.
Jan van Vliet, VP and MD EMEA, Digital Guardian