Security as a service: how are the patterns of risk and reward changing?
Security as a service, if implemented and managed properly, can allow enterprises, and in particular the smaller business, to outsource essential security tasks for which they do not have the internal resources or the expertise, writes Paul Williams, chair of the ISACA Strategy Group and IT governance adviser to Protiviti. For the larger enterprise it can free up scarce internal security resources from the more mundane tasks associated with managing an effective information security presence. The key, of course, is proper implementation and management. It is the failure to do this that can lead to ineffectiveness, inefficiency and, ultimately, a failure to adequately mitigate security risks and vulnerabilities. Providers are still driven by the bottom line and margins. This creates an environment where the provider can be tempted to deliver the least possible service for the revenue provided. Contractual arrangements and SLAs need to be set appropriately to minimise this risk.
Security as a service needs to be considered in the same way as any outsourced service. Care must be taken in selecting the supplier, agreeing the specification and the service level agreements and ensuring that the service provided is appropriate to the business needs. The decision to move towards security as a service should never be taken on cost grounds alone. There has to be full assurance that this solution is the most appropriate to the business in all respects and that there is full integration between the enterprise's security policies and the functionality provided by the outsourcer. Appropriate metrics need to be developed to demonstrate the effectiveness of the service and the value for money provided. Key internal committees, including the Audit Committee, have a responsibility to ensure that there is appropriate governance over the security as a service arrangements.
Above all, it is essential to remember that threats to information security are a business risk and that, regardless of the means by which the enterprise chooses to mitigate that risk, it remains the responsibility of business management to ensure that security is properly managed and that it is effective in operation.