Are you really ready for Security as a Service?
Security as a Service (SECaaS) – using third-party expertise and technology to manage an organisation’s cyber security – is becoming an increasingly valuable option for security and IT leaders in organisations of all sizes.
That’s because organisations are suffering a skills shortage and SECaaS providers are better able to adapt the security posture to the ever-changing cyber threat landscape. They can aggregate data from across their customers to provide better threat intelligence. And they can offer flexible pricing models that can make robust cyber security more cost effective.
Yet SECaaS does have its challenges.
Unlike Software as a Service, which delivers benefits quickly, SECaaS requires a relatively long implementation period. And many organisations will need to modify their infrastructure to accommodate it, increasing the cost of that implementation.
In the longer term, the reliance on third-party expertise could lead to a loss of critical security capabilities internally, increasing the dependence on service providers. And that could create challenges for industries with unique regulatory requirements that service providers might not consider as standard.
SECaaS must start with a robust strategy
These potential pitfalls mean organisations need to plan carefully to maximise the benefits of SECaaS. Security and IT leaders should work together to build a SECaaS strategy that:
- sets clear goals and a realistic timeframe for achieving them
- assesses SECaaS providers against common standards to ensure there are no interoperability issues when switching suppliers at the end of a contract
- details requirements for SECaaS providers to maintain industry-specific regulatory compliance
- assesses the existing infrastructure to understand technical requirements and things that will need to change
- plans for how a small internal cyber security team will manage the relationship with the SECaaS provider while maintaining an internal capability, with appropriate governance in place.
It’s also important to remember there might not be one ‘perfect’ SECaaS provider that meets every requirement. If necessary, organisations should feel comfortable contracting multiple providers to optimise the service they get.
How to implement your SECaaS strategy
As the full benefit of SECaaS can take time to achieve, organisations should prioritise their implementation to deliver incremental benefits, proving the value of SECaaS early to maintain momentum. To do this, they should first apply SECaaS to their most critical cyber challenges, recognising they can achieve 80 per cent of the outcomes with just 20 per cent of the work.
When onboarding a SECaaS provider, it’s inevitable that the organisation will need to update the IT infrastructure. The changes might be minor, but they will be necessary. Organisations should work closely with the provider to make the right changes to deliver the planned incremental benefits. Using the provider’s technical expertise, or those of an independent implementation specialist, while retaining overall ownership is an efficient way to create the right IT infrastructure. Organisations just need to be careful to avoid being tied to a specific vendor through such changes.
And, as outsourcing erodes internal capability, organisations should establish good governance to prevent complete loss of control. They should retain experts who understand the business, IT and threat landscapes, and who can manage risks. Clear roles and responsibilities for articulating the requirements to the SECaaS vendor and for managing the ongoing relationship are key to a successful partnership. The people in these roles should have the necessary skills and authority to change SECaaS providers, or bring the security responsibilities in-house, if that becomes necessary.
Through all this, keeping regulatory compliance front of mind will be essential. Most organisations must comply with industry-specific regulations. And many would like to align with widely used industry standards and frameworks. So, it’s important to choose providers that have demonstrated continuous compliance. For example, one of our public sector clients has opted to use a Managed Detection and Response provider. As the project moves forward, they’re facing growing questions around compliance with public sector policies – questions that should be answered when first creating the strategy and assessing potential providers.
A strong strategy is essential to prepare for SECaaS
Adopting Security as a Service can bring huge benefits to organisations, but it isn’t as simple as evaluating a few vendors and choosing one to provide a service. Organisations need to develop a robust SECaaS strategy for their needs. Starting with business objectives, this should include legal, regulatory and other industry compliance requirements, architectural changes to the IT infrastructure, and the implementation of an appropriate governance structure. It will also be vital to consider the full vendor lifecycle to avoid supplier lock-ins.