With the growing complexity of IT environments and increased security threats, it’s no surprise that corporate spending on information security products and services continues to rise. In fact, Gartner predicts that worldwide spending on information security products and services will reach $81.6 billion in 2016. That is an increase of 7.9 percent over 2015 numbers. Gartner also expects secure web gateways (SWGs) to maintain growth of 5 to 10 percent through 2020. This is due to the fact that companies depend on this infrastructure to support detection and response approaches of IT security management (Source: Gartner).
The total cost of ownership (TCO) for security products (i.e. firewalls, intrusion detection systems (IDSs), IP-VPNs, endpoint threat protection, authentication and vulnerability assessment) can be a barrier for many small to mid-size organizations. The total lifecycle cost of a security product should include the product cost as well as technical support and maintenance. Faced with these challenges, many organizations are looking to complement their internal IT teams. Support and services from security vendors are one way to build a tighter and more scalable corporate security framework. Security-as-a-Service solutions (on-premises or cloud) are in high demand because these services combine the very best of detection and response strategies with the right mix of tools and expertise.
If you’re considering adding a security-as-a-service partner to your governance and control framework, consider these recommendations:
- Go beyond compliance – Keeping pace with the latest regulatory compliance requirements is necessary from a legal standpoint. However, it may leave your company behind the eight ball when it comes to protection from current vulnerabilities. Keep in mind that a compliance-driven approach, as opposed to a risk-based program, can leave you reliant on out-of-date benchmarks and risk assessments and, as a result, exposed to threats. Not only that, even if you are not in the healthcare or financial services industries, there are reasons to be aware of continuous rule changes. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), rules from the Consumer Financial Protection Bureau (CFPB), or the USA PATRIOT Act can have downstream impacts on your business.
- Focus on detection and response – We’d like to think that we can thwart threats with the right security solutions. But investment in modern security equipment can only take you so far. Many believe security threats are a consistent and growing cost of doing business. Based on a study by the Ponemon Institute, the average total cost of a data breach increased to $4 million in 2016. Researchers believe the biggest cost of a data breach is lost business due to a loss of trust. This means that while you cannot defend your organization entirely from security holes, you can certainly make things worse by not being proactive, responsive and transparent if and when a breach is exposed (Source: Formtek). While the concepts of security and transparency generally don’t belong in the same sentence, in the case of responding to a data breach, they do. It is imperative that organizations have the security framework in place (SWGs, encryption and endpoint security solutions) to eliminate the threat, as well as a communication plan in place should a breach happen. Open communication with consistent and responsive messaging will go a long way in rebuilding trust with stakeholders and will show the underlying health of the company’s security policies.
- The forecast is cloudy – Cloud-based options offer simplified and reliable data security programs. Not only that, security services can be delivered either as stand-alone features, such as a cloud-based IAM solution, or as part of a larger integrated SaaS package. Depending on the size of the enterprise, some organizations use a mixture of legacy and web-architected cloud and on-premises applications. Because of the nature of the cloud, these Security-as-a-Service options are highly scalable, meaning they can expand as the business grows or as regulations and compliance rules change. In general, cloud-based vendor security options can also reduce IT costs by minimizing capital investments and driving consistency in costs over time. Network intrusion detection and web application security cloud services provide up-to-date network and firewall protection. These are critical for minimizing exposure to risk and data breaches. Another consideration for cloud-based security is encryption options. Many providers that offer cloud-based encryption services can encrypt data in transit, in use, and at rest for public and private cloud web applications. If considering cloud-based encryption options, be sure to ask whether this protection also extends to behind-the-firewall intranet applications.
When considering security options, it’s important to keep in mind that services can be added to ‘fill the gaps’ in an organization’s overall security strategy. Cloud-based security services, legacy and web-architected cloud and on-premises applications, and other managed vendor security services can be used together to alleviate the burden on internal IT teams. The right mix of Security-as-a-Service options will help to reduce costs across your organization. These services also offer greater flexibility and a stronger position in meeting regulatory requirements, defending against security breaches, and responding to vulnerabilities.