Security as a service: how are the patterns of risk and reward changing?
Overall, both the sum of risks and the sum of rewards stay constant; they are just distributed differently within the client-provider relationship, writes Ionut Ionescu CISSP, European Advisory Board member at (ISC)2.
A company administering its own security provisions will be exposed to some risks that a company buying security as a service will not be exposed to.
Take, for example, a mistake made by a system administrator. A security as a service provider will have more specialised personnel, more resiliency built into its systems and more checking and auditing procedures, so that such mistakes either do not happen or cannot wreak much havoc when they do.
In the days of the traditional MSSP (managed security service provider), a client could "take their firewalls" back at the end of a contract, and usually retained some kind of technical expertise in house. That model may have been more expensive, but with security now provided "in the cloud", a client that terminates the relationship with its security as a service provider faces a higher risk, because it "has nothing" of its own to fall back on: neither the equipment nor the in-house expertise.
On the other hand, a security mistake is usually not fatal for the client, but it would most likely destroy the business of the security as a service provider. The provider therefore carries a more concentrated risk, including from new attacks: if it does not respond fast enough, its clients suffer losses, its reputation is destroyed and the business goes south shortly after that.
In summary, if things go well and the security as a service does "what it says on the tin", the rewards seem higher for the client and the risks higher for the security as a service provider. If things do not go well, both stand to lose, but again the security as a service provider stands to lose more. For the client, the cost is a steep learning curve, or the significant investment required to protect itself and take things back in house, probably at a bad time.