Security as a service: how are the patterns of risk and reward changing?
Security as a service, if implemented and managed properly, can
allow enterprises, and in particular the smaller business, to
outsource essential security tasks for which they do not have the
internal resources or the expertise, writes Paul Williams, chair of
the ISACA Strategy Group and IT governance adviser to Protiviti.
For the larger enterprise it can free up scarce internal security
resources from the more mundane tasks associated with managing an
effective information security presence. The key, of course, is
proper implementation and management. It is the failure to do this
that can lead to ineffectiveness, inefficiency and, ultimately, a
failure to adequately mitigate security risks and vulnerabilities.
Providers are still driven by the bottom line and margins. This
creates an environment where the provider can be tempted to deliver
the least possible service for the revenue provided. Contractual
arrangements and SLAs need to be set appropriately to minimise this
risk.
Security as a service needs to be considered in the same way as
any outsourced service. Care must be taken in selecting the
supplier, agreeing the specification and the service level
agreements and ensuring that the service provided is appropriate to
the business needs. The decision to move towards security as a
service should never be taken on cost grounds alone. There has to
be full assurance that this solution is the most appropriate to the
business in all respects and that there is full integration between
the enterprise's security policies and the functionality provided
by the outsourcer. Appropriate metrics need to be developed to
demonstrate the effectiveness of the service and the value for
money provided. Key internal committees, including the Audit
Committee, have a responsibility to ensure that there is
appropriate governance over the security as a service
arrangements.
Above all, it is essential to remember that threats to
information security are a business risk and that, regardless of
the means by which the enterprise chooses to mitigate that risk, it
remains the responsibility of business management to ensure that
security is properly managed and that it is effective in
operation.
Read more expert advice from the Computer Weekly Security Think Tank.