4 May 2016

The Case of SECaaS (Security as a Service)

The beginning

First, let’s remind ourselves why the as-a-Service model is great for everyone. For customers, it enables them to get what they need at a predictable cost without the headaches. For service providers, it enables them to leverage economies of scale without having to do deep customizations.

The need for security is changing

Unfortunately, the “bad guys” have evolved. The main threat for most businesses used to be bored teenagers with too much time on their hands. Then it evolved into professional organizations targeting large corporations, for political reasons or for profit. Now those same professionals are also going down market, targeting smaller and smaller organizations. Although there are numerous reasons for that, the main ones are that new hacking tools make it easier to target more businesses, that smaller businesses tend to be more vulnerable, and that there are more attack vectors due to technology becoming so ubiquitous.

So what’s a company to do?

Here is the good news: there are many simple things you can do today that will yield a lot of impact. As the classic tale states, you don’t need to be faster than the bear, you just need to be faster than the person running next to you. In other words, if you make yourself a harder target to attack, attackers will focus on easier targets. But, to be honest, this will only get you so far. At some point, you will be the slowest runner, and the damage (real, perceived or reputational) may be irreparable.

What you should be doing today:

  1. Understand (and accept) that you are a target (yes, even you).
  2. Keep everything up to date. (Still running Windows 7? Don’t. You don’t like applying patches? Tough it up, buttercup. The new iOS will make your phone too slow? Buy a new one.)
  3. Be vigilant (back to number 1). You get an email from someone you don’t know with an encrypted zip? Don’t open it! Someone from Microsoft tech support calls you to remove a virus and you’ve never asked for help? Hang up!
  4. Get help from professionals: IT security is now a war for which you need allies to win. Find someone you can trust and who will have your back.

And this is where SECaaS comes in

Personally, I think that in 2016 SECaaS needs to have a very broad definition. Anything that helps promote security should fit under that umbrella, whether it’s managing endpoint protection, identity management, making sure things are patched (including the firmware on that switch at the back of your warehouse), firewalls, backups, disaster recovery… All of these things you can do yourself, but I invite you to ask yourself these two questions:

  • Is this the best use of my time?
  • Am I the best person to be performing this task?

If you answered “no” (or “hell, no”) to either or both of those questions, you need somebody to help you, and that gives you 3 main choices:

  • Hire a team of professionals on staff to handle it (not often an option for small and medium companies)
  • Build a virtual team of professionals that you pay on an “as needed” basis (and hope they are available when you need them and that you can afford the bill)
  • Subscribe to an as-a-service model (and know exactly what you are going to get and how much it is going to cost)


The choice is yours, just don’t let the bear catch you…