Written by Giuseppe Brizio, EMEA CISO, Qualys
While regional IT chiefs face mounting pressure on issues like application performance and customer experience, they must also contend with an escalation in threats from those who are simply looking to steal, damage, disrupt, or embarrass. In December 2020, the United Arab Emirates’ (UAE) cybersecurity head flagged a 250% increase in cyberattacks during the pandemic. And UAE telecom giant Etisalat’s digital-security arm Help AG this year warned of a 183% uptick in DDoS campaigns.
Whether an enterprise has a separate CISO or looks to the CIO on security issues, regional firms still must find ways of fulfilling their compliance obligations amid a sea of complexity brought about by COVID migration. Thousands of employees working on home devices of unknown pedigree present a risk, as does the presence of multiple domains through which sensitive data travels, en route from the datacenter to the unvetted endpoint and back again. IT leaders and business stakeholders are confronted with costly paths to adequate security, with no guarantees that they have the in-house skills to manage these solutions.
Enter Security-as-a-Service (SECaaS) — the increasingly popular solution to modern resilience. Businesses can outsource the security function to a trusted partner while retaining granular control of IT policy and business operations. And for a region with economies that are majority-SME, the SECaaS proposition is particularly alluring. Even before COVID struck, smaller businesses were continually looking for ways to streamline their business models for cost-effectiveness and operational efficiency.
I would however be remiss if I didn’t point out that while a business can outsource responsibility to a third party for carrying out cybersecurity activities, it cannot, and should not, outsource the related accountability.
A ready-skilled team
There is so much to think about for the IT team that looks after Web and mobile platforms; remote workers and their unpatched devices; multiple network environments, many of which they do not own; and possibly DevOps workflows, with all their attendant code changes and cloud-native requirements. Add to that, the skills shortage — this year, an estimated 3.5 million cybersecurity jobs around the world will be unfilled.
SECaaS delivers not only the right technology but a ready-skilled team of professional threat hunters that are well-versed in the issues surrounding the protection of data, networks, endpoints, and applications. In addition, they have spent decades studying the behavior of bad actors and have a keen sense for how they think and what they will target. These professionals deliver a 24/7, year-round security operations center (SOC) to SECaaS customers at a fraction of the cost it would require for those enterprises to build their own.
SECaaS is cost-effective; it allows customers to subscribe to a service that is continually improving — through the latest tools and intelligence — rather than buying an asset that requires time-consuming maintenance and eventual replacement. With SECaaS, third-party experts are active on Day One and in-house security teams’ workloads are diminished and rationalized. By outsourcing humdrum tasks such as monitoring, vulnerability management, threat detection, remediation, detection, and response to external teams equipped with the industry’s most advanced tools, in-house specialists can devote their time to chasing down the most advanced threats. The white noise of multivendor telemetry and the flood of alerts that end up amounting to nothing are now things of the past — eliminated by the SECaaS provider.
Scalability, visibility, and confidence
SECaaS is also scalable, allowing instantaneous protection of new applications, databases, and workloads. It provides peerless visibility through rich dashboards, delivering confidence to CISOs that their security partner is operating effectively. And the partner will also raise non-trivial alerts in real-time for in-house teams to action.
In addition, SECaaS providers offer a continuous assessment of threat postures, suggesting alternative best practices, tools, and policies as new intelligence arises. From endpoint protection, detection, and response to security information and event management (SIEM), SECaaS providers integrate themselves, benignly, into a customer’s operations, advising on the best course of action regarding every aspect of security, from prevention to business continuity.
Because the partner is such a core component of business resilience, the importance of due diligence in their selection cannot be overstated. They must demonstrate their willingness to work within the confines of an SLA and acknowledge that they will be available around the clock, throughout the year, in terms of consultancy and platform uptime.
Best practices for selecting SECaaS provider
The provider’s disaster recovery plans — from cyber incidents to natural phenomena — should be subject to thorough scrutiny, as should its vendor partners. Organizations considering SECaaS should also ensure that the provider and their vendor partners are able to package their offerings in a way that delivers the flexibility and futureproofing that the customer seeks. Such offerings should also compare favorably with others in the market when it comes to the cost of ownership.
And everyone needs to be on the same page when it comes to best practices. Encryption should be applied to data at rest and in transit, and keys should be customer-specific and renewed regularly. Data retention policies should be well-defined, as should those on identity and access management, passwords, multi-factor authentication, back-up, alerting systems, and threat response.
SECaaS migration has been gaining momentum in the region because business and IT stakeholders are starting to recognize its benefits. In the wake of COVID, as enterprises contemplate resilience in the context of continuing compliance, the model will make more and more sense. In the face of overwhelming threat escalation, growing IT complexity, and persistent skills gaps, SECaaS is, quite simply, a smart way forward for most organizations.