In many SMEs there is a lack of specialist expertise and personnel, so outsourcing appropriate services makes sense. But that is not always as simple as it seems.
The IT security sector has experienced growth of more than 10 percent in the last year alone, according to a survey carried out by market researchers from IDC on behalf of digital association Bitkom. This was announced by Ursula Morgenstern, member of the Bitkom Executive Board, during the press conference at this year’s it-sa, which was live-streamed for the first time. Cloud-based security packages have made a significant contribution to this growth. The survey also revealed that in Germany, around half of all companies are already using security technologies as services from the Cloud. Given that small and mid-sized companies in particular often fail to meet the requirements of suitable security solutions, significant growth in this segment can be expected in the next few years. The reason for this is that SMEs have neither the IT specialists to take on the additional tasks involved nor the budget for the associated extra costs. There are suitable service packages on the market for SMEs and other customers.
Confusion about terminology guaranteed
Suitable service packages can generally be found under the term “Security as a Service”, which alone returned around 360 hits in the exhibitor database for it-sa 2019. But other designations are also common; often they are simply described as “Managed Services”, although these include traditional services like web hosting. Even the acronym for “Security as a Service” is not completely unambiguous, as both SECaaS and SaaS are used. However, SaaS also stands for “Software as a Service”, e.g. Microsoft’s Office 365.
Another complicating factor is that there is a very wide range of products on offer, from single services like filtering out spam to a complete service covering the entire spectrum of requirements. In the latter case the entire external data traffic has to be routed via the service provider. The service provider not only operates a firewall for the customer but generally also provides a complete Security Operations Center (SOC) where the data traffic is usually analysed for risks, dangerous data packets are filtered out and the customer is informed around the clock in the event of incipient attacks.
Beware of pitfalls
The choice of a suitable package doesn’t only depend on financial issues; security aspects play an equally important role. For example, SECaaS always requires an internet connection to the provider. As well as the risk of connection breakdowns, this also results in additional dangers emanating from the web itself. In addition, existing IT infrastructure often needs to be adapted, for example because software agents need to be installed or the network structure has to be changed. On the other hand, SMEs without their own security products can save the expense of additional hardware.
Although only minimal in-house expertise is necessary to outsource IT security, the choice of provider and suitable package does necessitate specific expert knowledge. However, this is something that can also be provided by consultants. In the long term, it can nevertheless be advantageous to build up expertise in IT security within your own organisation, as both the threat scenarios and the market are constantly changing.
SECaaS can be associated with special problems, for example because an external SOC does not have any insight into internal processes and procedures. If this results in problems, the security deficits cannot be identified from the outside, e.g. if a trainee has access to sensitive data or the building is inadequately secured, allowing someone to break into it with minimal effort to steal a server. Even in the case of SECaaS, it is therefore beneficial to have an overview of IT security and knowledge about the internal IT landscape, especially internal company processes.