Security as a service: how are the patterns of risk and reward changing?

Overall, both the sum of risks and the sum of rewards stay constant; they are just distributed differently in the client-provider relationship, writes Ionut Ionescu CISSP, European Advisory Board member at (ISC)2.
A company administering its own security provisions will be exposed to some risks that another company buying security as a service will not be.

Take, for example, an accidental mistake made by a system administrator. A security as a service provider will have more specialised personnel, more resiliency built into its systems and more checking and auditing procedures, to ensure that such mistakes either do not happen or that they cannot wreak much havoc.
In the old days of the MSSP, a client could "take their firewalls" back, and they usually retained some kind of technical expertise in house. That may have been more expensive, but now, with security provided "in the cloud", the risk is higher if they terminate the relationship with the security as a service provider, as the client "has nothing".
On the other hand, a security mistake is usually not fatal for the client, but it would most likely destroy the business for the security as a service provider. So the provider carries a more concentrated risk, and the same holds for new attacks: if it does not respond fast enough, clients will suffer losses, the provider's reputation is destroyed and the business goes south shortly after that.
In summary, the rewards seem higher for the client and the risks higher for the security as a service provider, if things go well and the security as a service does "what it says on the tin". If they do not, both stand to lose, but again, the security as a service provider stands to lose more. For the client, it is just a steep learning curve, or a significant investment required to protect themselves and take things in house, probably at a bad time.