Retiring Security Risk Using SOC-as-a-Service

Not a week passes where I am not struck dumb by the perception held by some business executives that technology should just run itself. On the mental level that acknowledges technology does what we tell it to do, I can accept that this is correct.

But what I cannot accept is the premise that technology is not a “business” and therefore should not be monitored or managed, even if someone else is responsible for the underlying infrastructure or technology.

For example, while a driver-less train or a pilot-less drone are both incredible advances in technology, what governing body or management team in their right mind would suggest these are “set and forget” investments that no longer require a level of oversight, monitoring and, at times, corrective action?

From a budgetary perspective, there may be operational headcount savings in these models, but resources are still needed to ensure the services and systems are delivering the business outcomes (whether that is goods and services or an ordnance payload that is being delivered). This concept, for all intents and purposes, is services and systems management, and it is the crux of cloud computing success.

For the savvy business executive, there are few faster growth areas than Security-as-a-Service.

The first myth about big “S” Security is that it is more technology than business. This is incorrect. Along the Business-Information-Data-Technology continuum it sits firmly in between business and information as a strategic imperative.

Physical security, on the other hand (the stuff that most execs try to avoid understanding), resides predominantly within the technology layer.

Therefore, while your organisation may own a lot of security technology governing access to the corporate network, such as Firewalls, Proxy Servers, Identity Management services and Unified Threat Management software, this is only half the story. These technologies need constant monitoring, management and updating. And not for the heck of it either.

Many organisations today are reaching an inflection point in realising that their Security services are under-developed or incomplete. This is resulting in the adoption of the security equivalent of the driver-less train. Called Security Operations Center (SOC)-as-a-Service, this solution is a mixture of cloud and managed services.

But to continue the analogy, adopting a managed security service (or going to some flavour of cloud service) means you are in fact outsourcing the trains, and in some cases the drivers. Now here’s the “but”. BUT you are ultimately retaining responsibility for the goods on that train, how your customers, constituents, and suppliers experience those goods at either end of the service, and every stop in between.

That means someone needs to monitor things according to your own business rules.

Now consider the effect of adding more driver-less trains to the network. Perhaps they are from different companies (such as in hybrid cloud computing environments). Under these models the different train companies will take responsibility for their own equipment and service but not the services of the other company. Why would they? Therefore the requirement for monitoring your goods and services across the entire network only increases, not decreases.

This is an increasing challenge for Australian mid-sized companies, one that is exacerbated either by constrained costs or by the availability of adequately skilled resources to stay on a par with, if not ahead of, the continually evolving and shifting security landscape.

And it is not just cloud computing. Bring Your Own Device policies, Mobility, Open Data, eServices, public wifi networks, and even information management practices are directly influencing the low and slow penetration of corporate networks.

For all these reasons, security as a service and more specifically security operations centre (SOC) as a service is one of the fastest growth areas of cloud computing today.

Finally, the ability of your organisation to leverage the benefits of this growth area (and it is worth noting that it’s not growing because CEOs and CFOs are easily relinquishing funds for IT) is dependent on your own security architecture being worthy or capable of monitoring. Cheap and cheerful is unlikely to do the job.

The opportunities to assess these necessary offerings are concurrent with the development of cloud strategies, updates to security information policies, or even annual network service provider reviews (SOCs are not NOCs). The time to be doing it is now.