When you don’t have the funds for a CSO or IT security manager, it can be tough to keep your business protected. This has led to the emergence of the 'other SaaS' — security-as-a-service — with vendors and managed security providers (MSPs) offering cloud-based threat management.
According to analyst firm Frost & Sullivan, the shift to security-as-a-service has been driven by a number of factors, including a shortage of qualified IT security staff.
The market in Australia and New Zealand earned revenues of $591.6 million in 2012. The analyst firm has forecast that this will reach $1.61 billion by 2019.
Frost & Sullivan ICT industry manager Cathy Huang says this rise will be driven by large enterprises in A/NZ leveraging the security know-how of vendors and MSPs.
“Service providers are looking to bundle security services into cloud and mobility service packages to allay security concerns among enterprises regarding the threat exposure posed by the cloud and mobile devices,” she says.
According to Huang, services pertaining to cloud security, data security, forensic services, security analytics and risk assessment services are likely to gain acceptance.
“The growth in managed security services has been in the range of 15 per cent since 2011. There are a few points driving the growth of MSS. The first one is the growing high profile of attacks such as hacktivism,” she says.
“The second point is the mature security mindset in Australia. This means that people are looking for more advanced managed security services capabilities such as forensic services and security analytics.”
In a report released in 2011, the analyst firm found that the shift to security-as-a-service was also being driven by business owners wanting to shift IT expenses to opex rather than capital expenses.
This ensured a more predictable monthly expenditure for organisations along with other benefits such as lower up-front costs, greater standardisation, ease of upgrades and ubiquitous access.
Companies were also forced to use IT security contractors and incur higher costs in the process.
According to the analyst firm, security-as-a-service has removed the issue of contractors and lowered maintenance overheads, by placing responsibility for delivery and maintenance of the security offering on the cloud services provider.
A Gartner report entitled Market Trends: Cloud-based Security Services Market, Worldwide, 2014 found that the global cloud-based security services market is forecast to hit US$3.1 billion in 2015. Currently the market is worth US$2.1 billion, according to the firm.
“There are some security services that enterprises have been using that are quite mature such as secure email in the cloud. People have been offering that service for about nine years now. The secure email market is currently worth $800 million,” says Gartner Australia network and mobile security research director Craig Lawson.
“We are seeing a lot of vendors moving to a three-pronged approach. They will offer the traditional [security] software, virtual appliances and cloud security.”
He said this three-pronged approach is “very attractive” for enterprises because most IT managers only want to run some services in the cloud.
“If you’re in an environment that has lots of smartphones and tablets, cloud Web security makes a lot of sense because staff members will take their tablet home and use Salesforce without connecting via a traditional perimeter security network.”
According to Lawson, software-as-a-service (SaaS) is going to be a driving factor for cloud security spending.
“As businesses move a lot of mission critical information into SaaS delivered applications, that is going to be the next trend we will see in security.”
Some of the popular SaaS solutions are email, Web, identity & access and remote vulnerability assessment.
Lawson agreed with Huang’s assessment that enterprises are moving to security-as-a-service because they don’t have the funds to employ IT security staff.
“The problem for companies is that if you want a 24 by 7 incident response team it is really expensive. To have that 24/7, 365 day coverage requires at least four security staff. In Australia, a good IT security person will command a salary of $70,000 to $90,000.”
In contrast, MSPs can offer enterprises a number of benefits. For example, an MSP usually employs staff with specialised skill sets such as email and content security.
However, Lawson says that while it’s easy to outsource security, this doesn’t mean enterprises can outsource their responsibilities if something goes wrong.
“Generally speaking, most MSPs manage the perimeter rather than the internal networks. If you look at the service level agreement [SLA], they may only be managing one part of security. The mother of all stuff ups is sometimes caused by assumption about what [services] the MSP is offering.”
He suggests that enterprises create their own incident response plan where they involve the MSP, cloud email provider and internal security staff member.
In addition, the Australian Privacy Act amendments, which come into law on 12 March 2014, will put the onus on companies to be much more careful with customer data.
Under the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, Australian Privacy Commissioner Timothy Pilgrim will be able to seek civil penalties of up to $340,000 for individuals and up to $1.7 million for companies in the case of a serious privacy breach.
“That kind of compliance will drive a percentage of security spending coming out of the boardroom to make sure that all the necessary controls are covered,” Lawson says.
This could also create more opportunities for service providers to offer privacy consulting, he says.
Follow Hamish Barwick on Twitter: @HamishBarwick