Spending large amounts of money on in-house security may not yield as great a reduction in risk as you might hope. A big investment might only result in marginal improvements -- especially with the high price of cyber security labour in the current skills shortage. Finding the right mix of security options is something of a balancing act, and cloud-based security or SaaS security (Security as a Service, or SECaaS) can offer an alternative.
Defending your organisation from today’s sophisticated cyber attackers requires more than just in-house expertise. A complex mix of appliances and applications may also be involved, including Distributed Denial of Service (DDoS) protection, intrusion prevention or detection systems, web application firewalls, data loss prevention, network analyzers, security information, application security, API security and mobile device management.
With the complexities involved and the high cost of labour, it’s little wonder that many organisations are looking beyond their own four walls for external help. In fact, the global Security as a Service (SECaaS) market, which was valued at approximately USD 3.733 billion in 2016, is anticipated to grow at a healthy rate of more than 23.13% in the years leading up to 2025.
Small and medium-sized businesses (SMBs) have less capacity for cyber security expenditure. In fact, a 2019 Keeper Security survey of firms with 500 or fewer employees found that the majority have no dedicated cyber security staff, or an incident response plan -- this, despite the fact that 67% of smaller organisations were targeted in some way over the course of the year. Limited budgets and a sense of complacency are combining to leave modest scale enterprises at risk.
But economics aside, are there any compelling reasons for businesses to shift at least a significant proportion of their security infrastructure solutions and workloads to the cloud?
There are, indeed, quite a few and here are some of the reasons why a SaaS security solution might well enable better protection, performance and ROI compared to an in-house solution.
Access to better expertise
According to recent Security in Focus research, over three-quarters (76%) of all businesses have a shortage of cybersecurity skills and are struggling to hire talent. In fact, this severe shortage of internal skills is currently the biggest obstacle to executing security strategies. SaaS security solutions enable organizations to shift some of the key operational and administrative functions to vendors while they focus their security talent on high-value shared responsibility initiatives.
Access to the latest technologies/solutions
New technologies such as Machine Learning and AI could help address the talent shortage to a certain degree by automating more security workloads though it has to be mentioned that these technologies require specialized skills that are themselves in short supply. However, investment in new technologies and security infrastructure solutions does not appear to be a top priority as yet with 70% of C-suite executives admitting that their organizations have not adopted and/or implemented AI/ML to its fullest potential. In comparison, cloud providers and SaaS security vendors have the commercial and reputational incentive to continuously invest in security innovations, technologies and partnerships.
Access to the latest security updates/patches
In-house security solutions are typically updated a few times a year. This approach does not square with a reality where the threat landscape is evolving on almost a daily basis. Cloud-based security solutions not only provide customers with access to the latest technologies, tools and solutions, but they also ensure that these solutions are constantly and automatically updated with the latest patches and virus definitions.
Access to cross-industry best practices and threat intelligence
Though security strategy may be unique to each organization, there is a huge opportunity for companies and industries to incorporate learning from other sectors into their own security operations. A deep and constantly updated knowledge of global and local security incidents is an important part of threat identification and mitigation. SaaS solutions from security specialist vendors are building on years of accumulated experience and threat intelligence from across companies and sectors. This is a feature that is not that easily replicated in in-house security implementations and customers stand to benefit significantly from the combined threat and mitigation experiences that these specialist service providers bring to the table.
Faster time to value
As-a-Service security solutions provide instant access to clients to best-in-class security infrastructures, applications and tools with autoscaling and load balancing capabilities that automatically respond to changing traffic without any performance degradation. Since it is easy to provision, deploy and operate cloud-based security services with minimal intervention, businesses can get to value faster compared to an in-house implementation of similar solutions.
Converting Capex to Opex
The initial upfront costs for SaaS security solutions are significantly lower that of an in-house implementation. The total cost of ownership is also considerably reduced as companies pay only for the quantum of services they consume and no longer are financially responsible for maintenance, updates, upgrades and other recurring administrative expertise and expenses.
Enterprise security in the cloud is a resource-intensive, critical and continuous exercise. With SaaS solutions, clients can have immediate access to the latest security infrastructure and technologies without the complexities of deploying, operating and maintaining a solution in-house. However, this does not mean that organizations can bank solely on cloud native security solutions and SaaS vendors to cover all their security needs. In fact, Gartner predicts that 99% of cloud security failures will be the customer’s fault. This is where the importance of the principle of shared responsibility comes into play. Cloud customers still have to implement additional measures to not only secure how they configure and operate cloud services but to also monitor the analytical data generated by these services. Choose your SaaS security vendor wisely and they will do much of the heavy lifting, making it much easier for you to deploy the investment, technical and administrative resources required to secure your cloud operations.