Choose Your Security as a Service Carefully

Author: David Kelleher, Director of Communications, GFI Software

If there's one topic likely to make any CIO's or IT manager's wallet hurt, it's information security. With all the recent media coverage of data theft, credit card theft, theft of Personally Identifiable Information (PII) and identity theft, every organisation, from the sole proprietorship to the international megacorp to the critical government agency, knows it needs security and suspects it lacks it. It's one thing when a small-town restaurant's Twitter account gets hacked; it's something else entirely when a government agency charged with performing background checks for security clearances cannot keep the PII of its investigation subjects secure.

And while the megacorps can call on mega-consultancies, and the big government agencies can call on… well, let's hope they figure that one out… who are the smaller organisations supposed to call for help? Information security is a specialty trade and experts do not come cheaply. With so much demand and relatively little supply, the market is primed for a rise in specialty firms and independent consultants offering Security as a Service (SaaS; not to be confused with the more common expansion of that acronym, Software as a Service) at what looks like a great saving. These offers may be tempting, especially when the latest hacks are front-page news, but small and medium-sized organisations should think before they act. Here's what you should consider.

There are no silver bullets

First and foremost, there are no silver bullets, quick fixes or easy outs here. Security is a mindset, a way of working, and it must be pervasive throughout all your information systems: from logons through drive encryption to application hardening and secure remote access, and dozens of other things as well. If you want to ensure your information technology infrastructure is secure, make sure the consultant or firm you choose has practical experience with all of your systems, not just some of them.

One size does not fit all

Two organisations with the same number of employees, the same annual revenue and the same number of systems will not have the same needs. You may want a fixed-fee engagement, but unless the provider is so large, and its margin on services so high, that it can absorb the variance from one project to the next, expect the really good ones to quote on time and materials. Security is best when it is layered, and a security assessment has to peel back the layers to truly understand what is going on. Until you are three layers down you won't know what to expect at the fourth, so plan for this to cost what it costs.

Expertise is not gained overnight

A lot of consultants may hang out their shingle to meet this rising demand. They may be new to working for themselves, but they should have years of industry experience working for companies as security experts to be truly qualified to help you with your security. Ask questions, look at resumes, and be sure that the professionals providing your services truly are professional.

Certifications are good, but references are better

There are lots of security certifications on the market, and many are truly challenging to obtain and maintain, but just because someone can pass a test doesn't mean they are a security expert. Ask for references from previous customers or co-workers, and take the time to check those references before selecting a provider. Unless you truly are their first customer, they should have previous customers willing to take a few minutes to talk with you about their experiences.

This is not a one-time thing

Security assessments, vulnerability scanning, penetration testing, system hardening… these are perpetual needs your information technology infrastructure will have forever. Don't look at a security assessment engagement as a one-time thing. You go to your doctor for an annual check-up (I hope!), and you should plan on getting your security posture evaluated at least annually as well. In between those annual full check-ups, consider a monthly vulnerability assessment to confirm you are keeping up with patching and system configuration; new vulnerabilities are disclosed every week, and a scan is the quickest way to find the ones your systems have accumulated since the last full assessment. Keep in mind that an automated vulnerability scan is a narrower exercise than a penetration test: it reports known, detectable weaknesses, but it does not show how an attacker would chain them together.

Does it make sense to subscribe to SaaS or bring expertise in-house?

You could contract with a Security as a Service provider for regular security services, or you could have them help your own IT team deploy in-house systems for vulnerability assessment and patch management, and then call on the provider when needed for major projects, upgrades or annual check-ups. If your IT team has the capacity to take on the additional work, get them the right tools and training and let them handle it. Get an annual audit to be sure, and again, consider an external monthly vulnerability scan to catch anything that was missed. But if you are the IT team, as well as the sales manager and the delivery driver, you probably already work 25 hours a day and may need to rely on the pros going forward. Go with what makes sense for your business and your budget, but remember that a single security incident can put you out of business, so don't leave this to chance!

Information security is critical for any organisation with any IT at all. Even if you run your entire business from your mobile phone, imagine the damage if your email were hacked, or your credit card processing system were compromised and your customers found bogus charges on their accounts. For any business with any presence online, ensuring your systems are secure and remain so is critical to staying in business. There will be many independent consultants and security firms offering to help you do just that, for the right price of course. Getting the right service for your needs is the right way to keep your business going strong, staying secure and remaining trusted by your customers.
