Last month, I talked about the elegant beauty in offloading parts of your risk portfolio in four distinct ways.
The logic is to streamline the company’s mitigation efforts and allow you to focus more time and investment where it matters most—on the unique risks inherent to the business.
But there is a fifth element, and it is going to be in your future. While security-as-a-service for functions like WAF and DDoS protection are well-established, they are just the beginning of a new industry that is emerging around consumption-based security models.
To a certain extent, security in the future is going to be Uberized, and for some situations, you may be able to get rid of your car entirely. No insurance. No maintenance. No hassles with parking. And you won’t even have to wash it or vacuum crumbs out of the seat cracks.
That is to say, you won’t hire a company just for DDoS and WAF. You’ll hire a company for IDaaS, IPS, encryption/decryption, SSL orchestration, governance, risk and compliance (GRC).
And over time, you’ll dial in your use of these services. Spin them up when they’re needed most. Ratchet them back when they’re not in demand. Pay only for what you use. This is a strategic way to contain costs as you may only fully use your GRC service when it’s time for an audit, enabling the company to increase its capacity without having a consulting service on site.
All of this will dramatically change how CISOs function and how their teams are structured. Instead of hiring dozens of people to build and maintain multiple systems, CISOs will shift to focus on the data that powers the business and how it flows through and interacts with these outsourced relationships.
And yes, I am going so far as to say this shift is inevitable, because it’s being driven by some pretty clear economic pressures:
It’s well-known that there are a lot of open job reqs in cybersecurity. I mean a lot—more than a million today. And according to Center for Cyber Safety and Education’s 2017 Global Information Security Workforce Study, there may be as many as 1.8 million open jobs in the field by 2022.
In this market, finding the right person can take months. You either have to poach them from another company or develop them yourself. Development means trial by fire. I don’t know about you, but I don’t want trial by fire. And if you do steal a great hire from another company, the cost-benefit analysis is such that you’re basically being driven to a vendor anyway, simply because the salary pressure makes it more cost-effective.
There are also specific areas of risk that require hard-to-find skills, which only exacerbate this phenomenon. Try to hire a great DDoS or application security specialist and you’ll see what I mean. It’s no coincidence that the jobs with the highest degree of talent scarcity are the first ones being outsourced.
The reality of the situation is those specialists increasingly work for … guess who? Security-as-a-service companies. They’re the only ones that can afford that level of talent, and having that talent is their core differentiator.
Economies of scale
Most CISOs will never be able to address all of a company’s risk anyway. They’ll never have enough resources to truly cover all of them.
So take the example of application security, one of those unique skillsets that’s so difficult and expensive to hire for. In this environment, outsourcing application security scanning to a vendor just makes too much sense.
Why? Because of economies of scale. With its crack team of top-tier analysts, the Sec-aaS vendor can provide a complete assessment of the company’s risk footprint in a few weeks.
If a company were to hire those skills in-house, they would make a similar or even larger investment and still wouldn’t have that kind of scale. Your in-house expert, as brilliant as they may be, would not be able to provide an understanding of the entire footprint along with the details of what needs to be done within a few weeks. The scale is just too big.
Taking this to the next level, outsourced vendors are also finding ways to automate these processes, creating platforms that apply the experience of their entire team of experts for the customer’s benefit.
This means they can provide analysis much more quickly, which means you can start doing mitigations much more quickly, which means your window of exposure is much smaller, which ultimately means the benefit for mitigating risk is much more effective.
Companies can expect similar benefits across Sec-aaS categories. If you outsource WAF, you’re no longer focused on implementing that control mechanism. With the right DDoS vendor, your traffic is getting scrubbed all the time. The customer no longer needs to be concerned with those controls.
Like today’s cloud and SaaS platforms, these are cost-effective models. But the benefits of using a security-as-a-service vendor is not only transferring the risk and saving money. Instead of somebody who’s concentrating on learning DDoS, you can hire people who understand the company, its industry and its own unique characteristics. You can give them the time to become a true business partner, working directly with business groups to understand the company’s assets and align security to the business.
And for CISOs, shift your focus to understanding your own data flows and managing your consumption-based security services with pinpoint precision. Solve challenges for your own company that have not already been solved.
Ultimately this movement is going to transform the security industry. Over the next few years, we’ll see a world of security that will be more cost-effective and more focused on user experience. The business will have security ingrained within it, rather than wrapped around it. And removing that friction will allow the business to accelerate.
As for trying to solve DDoS? Application security? Firewalls? Don’t try to solve it yourself. Go ahead and let the fifth element of Sec-aaS providers commoditize where they can. We’ll all be better off.