Connect with us

Hi, what are you looking for?


Security Infrastructure

Risky Business: The Fifth Element

Last month, I talked about the elegant beauty in offloading parts of your risk portfolio in four distinct ways

Last month, I talked about the elegant beauty in offloading parts of your risk portfolio in four distinct ways

The logic is to streamline the company’s mitigation efforts and allow you to focus more time and investment where it matters most—on the unique risks inherent to the business.

But there is a fifth element, and it is going to be in your future. While security-as-a-service for functions like WAF and DDoS protection are well-established, they are just the beginning of a new industry that is emerging around consumption-based security models.  

To a certain extent, security in the future is going to be Uberized, and for some situations, you may be able to get rid of your car entirely. No insurance. No maintenance. No hassles with parking. And you won’t even have to wash it or vacuum crumbs out of the seat cracks. 

That is to say, you won’t hire a company just for DDoS and WAF. You’ll hire a company for IDaaS, IPS, encryption/decryption, SSL orchestration, governance, risk and compliance (GRC). 

And over time, you’ll dial in your use of these services. Spin them up when they’re needed most. Ratchet them back when they’re not in demand. Pay only for what you use. This is a strategic way to contain costs as you may only fully use your GRC service when it’s time for an audit, enabling the company to increase its capacity without having a consulting service on site. 

All of this will dramatically change how CISOs function and how their teams are structured. Instead of hiring dozens of people to build and maintain multiple systems, CISOs will shift to focus on the data that powers the business and how it flows through and interacts with these outsourced relationships. 

And yes, I am going so far as to say this shift is inevitable, because it’s being driven by some pretty clear economic pressures:

Advertisement. Scroll to continue reading.

Talent scarcity 

It’s well-known that there are a lot of open job reqs in cybersecurity. I mean a lot—more than a million today. And according to Center for Cyber Safety and Education’s 2017 Global Information Security Workforce Study, there may be as many as 1.8 million open jobs in the field by 2022.  

In this market, finding the right person can take months. You either have to poach them from another company or develop them yourself. Development means trial by fire. I don’t know about you, but I don’t want trial by fire. And if you do steal a great hire from another company, the cost-benefit analysis is such that you’re basically being driven to a vendor anyway, simply because the salary pressure makes it more cost-effective. 

There are also specific areas of risk that require hard-to-find skills, which only exacerbate this phenomenon. Try to hire a great DDoS or application security specialist and you’ll see what I mean. It’s no coincidence that the jobs with the highest degree of talent scarcity are the first ones being outsourced. 

The reality of the situation is those specialists increasingly work for … guess who? Security-as-a-service companies. They’re the only ones that can afford that level of talent, and having that talent is their core differentiator. 

Economies of scale

Most CISOs will never be able to address all of a company’s risk anyway. They’ll never have enough resources to truly cover all of them. 

So take the example of application security, one of those unique skillsets that’s so difficult and expensive to hire for. In this environment, outsourcing application security scanning to a vendor just makes too much sense. 

Why? Because of economies of scale. With its crack team of top-tier analysts, the Sec-aaS vendor can provide a complete assessment of the company’s risk footprint in a few weeks. 

If a company were to hire those skills in-house, they would make a similar or even larger investment and still wouldn’t have that kind of scale. Your in-house expert, as brilliant as they may be, would not be able to provide an understanding of the entire footprint along with the details of what needs to be done within a few weeks. The scale is just too big. 

Taking this to the next level, outsourced vendors are also finding ways to automate these processes, creating platforms that apply the experience of their entire team of experts for the customer’s benefit. 

This means they can provide analysis much more quickly, which means you can start doing mitigations much more quickly, which means your window of exposure is much smaller, which ultimately means the benefit for mitigating risk is much more effective. 

Companies can expect similar benefits across Sec-aaS categories. If you outsource WAF, you’re no longer focused on implementing that control mechanism. With the right DDoS vendor, your traffic is getting scrubbed all the time. The customer no longer needs to be concerned with those controls. 

Like today’s cloud and SaaS platforms, these are cost-effective models. But the benefits of using a security-as-a-service vendor is not only transferring the risk and saving money. Instead of somebody who’s concentrating on learning DDoS, you can hire people who understand the company, its industry and its own unique characteristics. You can give them the time to become a true business partner, working directly with business groups to understand the company’s assets and align security to the business. 

And for CISOs, shift your focus to understanding your own data flows and managing your consumption-based security services with pinpoint precision. Solve challenges for your own company that have not already been solved. 

Ultimately this movement is going to transform the security industry. Over the next few years, we’ll see a world of security that will be more cost-effective and more focused on user experience. The business will have security ingrained within it, rather than wrapped around it. And removing that friction will allow the business to accelerate. 

As for trying to solve DDoS? Application security? Firewalls? Don’t try to solve it yourself. Go ahead and let the fifth element of Sec-aaS providers commoditize where they can. We’ll all be better off.

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Security Infrastructure

Security vendor consolidation is picking up steam with good reason. Everyone wants to improve security efficiency and effectiveness while paying for less.

Management & Strategy

Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.

Cloud Security

The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning.

Security Infrastructure

Instead of deploying new point products, CISOs should consider sourcing technologies from vendors that develop products designed to work together as part of a...


Responding to Cyber Threats Against Critical Infrastructures: Wired Business Media Acquires Long Running ICS Cybersecurity Conference Series

Security Infrastructure

Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.


The PCI Security Standards Council (SSC), the organization that oversees the Payment Card Industry Data Security Standard (PCI DSS), this week announced the release...