During my 25 years in the security space, I've seen many shifts, both in the security industry and in the world outside it. The technology developed over the last two decades has drastically changed the way we work and the way we secure our business operations and data. I've watched the industry shift from securing data on on-premises servers to securing it in the cloud, and I believe another equally disruptive shift is coming soon.
There are many reasons I believe change is looming in the security industry, but two major factors come to mind:
Companies large and small handle security in-house, whether or not they actually have a security team. They come up with a strategy, buy tools, outsource the monitoring of those tools to a managed security service provider (MSSP), sometimes buy cyber insurance, and handle remediation and recovery internally.
The challenge with this system is that very few companies are truly equipped to meet the ever-increasing cybersecurity challenges. Many companies have neither the budgets nor the resources to field a robust security department. And, to make matters worse, the security talent gap has left many roles unfilled.
The result? Security is managed in-house, but not well. Companies continue to get breached, and the number of attacks keeps rising: global cyberattacks increased by 38% in 2022, and the average data breach is estimated to cost companies $4.24 million. Roughly 43% of cyberattacks target small businesses, likely because criminals know those businesses lack the resources to defend themselves.
These statistics are alarming, and many CEOs, CISOs, and board members are demanding more security. But the solution isn’t to spend more or invest in more coverage. In fact, I believe the answer is to do less. Or, at least, do less in-house.
The concept of lean management has its roots in the 1940s, but with the startup boom of the 2000s it has really taken hold. Businesses are constantly looking for ways to become leaner and have begun outsourcing business functions to outside vendors.
Today, few small and mid-sized companies fully manage legal and HR services in-house. Rather than hiring a full legal team, they outsource the work to a law firm and hire a general counsel to manage that relationship. The same goes for HR. Companies outsource payroll, hiring, and onboarding to an outside vendor, then hire an HR director to manage that relationship.
The goal is to become as lean as possible and focus on what the company does best — developing exceptional products or services. Any other functions are outsourced to companies and firms that are experts in their given fields.
Currently, this model is not being used in the security industry. An MSSP can monitor the tools a company chooses, but choosing those tools, remediation, and recovery all fall outside the MSSP's scope, so a company cannot fully outsource security. It's still very much an inside job. But I believe there are a lot of companies that need to move from running security programs to outsourcing them, much as they do with HR and legal.
Right now, too much of the responsibility for determining where vulnerabilities lie and which tools are needed falls on internal teams. As security becomes more complex and requires more daily maintenance, it's untenable for an IT manager, or any single member of the tech team, to handle everything in-house.
So, what does security as a service look like? Vendors would offer a full security package: a security strategy, a lean tech stack with all the tools a business needs to protect itself, 24/7 monitoring and detection, employee security training, compliance and regulatory adherence, and remediation and recovery services. Everything would be taken care of by the outsourced vendor, and companies would pay a monthly fee for the service. They could then hire an in-house security expert to manage the relationship with the security vendor.
Companies that already have some semblance of a cybersecurity department in-house can benefit from a middle-of-the-road solution. They may want to outsource only monitoring and keep incident response in-house, or they may need support with the operational side of cybersecurity. Cybersecurity risk extends well beyond the security department: the entire organization needs to buy into cybersecurity, and a small team may not have the time or resources to build a complete security program. Such organizations need to look for outside help.
This proposed model for security is similar to what is already happening in HR and legal, and, quite frankly, in other areas of our lives. Consider entertainment. At one point, people purchased individual titles, whether on CD, DVD, record, or even VHS tape. Each product was bought for a flat rate, and in return the consumer owned that title for life. Now consumers pay a monthly fee for a streaming service that delivers a whole collection of songs, films, or shows through one vendor. While they give up ownership of individual titles, they never run out of content.
Given that we already pay monthly fees for comprehensive services in so many areas of our personal and business lives, it makes sense that security would be next. I truly believe that within the next two to three years the security industry will have moved to this outsourced, security-as-a-service model. But I would love to hear your thoughts.
Do you feel an impending shift in security? Where do you see the industry going in the next few years?
If you want to learn more, visit solcyber.com.