• Great articles on other sites
  • RSS Great articles on other sites

  • Blog, Enterprise IT, Security - Written by on Monday, March 10, 2014 14:44 - 9 Comments

    IT security as a service explodes in Australia


    blog Ah, remember the old days? When every day journalists wrote about the latest minor patch upgrade to the handful of mega-IT security suites? When “IT security” meant deploying a monolithic anti-virus solution by hand on desktop PC after desktop PC and suffering the huge slowdown effect as it scanned every file in existence constantly? When IT security types were the black magicians of the IT industry? Well, things are certainly changing. A very interesting article on Techworld last week highlights the fact that IT security as a service is currently exploding in Australia, with smarter, sleeker, cloud-based alternatives to the old models coming to the fold. The site reports (we recommend you click here for the full story):

    “According to the analyst firm, security-as-a-service has removed the issue of contractors and lowered maintenance overheads, by placing responsibility for delivery and maintenance of the security offering on the cloud services provider.”

    I highlight this issue because it represents a fundamental shift in the way things are being done. To my mind this situation is both predictable as well as slightly concerning. What we’re seeing here is the commoditisation of IT security services, especially as this kind of technology has become much better understood, and as the delivery of patches and updates can be systematised. Many organisations will no longer have a need for dedicated IT security staff; or at the very least, those staff can move onto higher order projects.

    However, it’s also a little concerning … without this kind of dedicated IT security staff, when things go wrong, they will often go much more wrong — and much more quickly, because outsourcing and systematising this kind of skills inherently slows down specialist knowledge about the organisation. And in the US, we are certainly seeing huge hacks on major organisations that we might not have seen in years past. I recommend you read the excellent Krebs on Security blog for regular examples of what’s really going on. It’s a double-edged sword. In any case, it’s an interesting situation.

    submit to reddit


    You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

    1. Dan
      Posted 10/03/2014 at 11:14 pm | Permalink | Reply

      Brian Krebs is an A-List IT legend. His security work often (unfortunately) places him on the receiving end of some quite shocking retaliatory antics.

      But on the topic of the article, IT security as a service is not really a replacement for having someone who knows WTF should be happening within your (network) borders so they can isolate irregularities when something does go awry. Some of those cloud services are pretty much just relaying or blocking some major breach from one ‘customer’ and making sure it doesn’t affect any others; a bit whack-a-mole if you will IMO.

    2. Beano
      Posted 10/03/2014 at 11:37 pm | Permalink | Reply

      Meh, I don’t think competent in-house staff have much to worry about as long as there are ‘Security as a Service’ vendors with staff who don’t understand CIDR notation, the basics of XSS attacks, or even how to identify the false positive their systems generate.

      The linked article seems to be a rehash of a Gartner press release, which really only mertis a ‘lol, Gartner report’ response. Their target market is pretty much exclusively PHBs

    3. Ed
      Posted 11/03/2014 at 12:35 pm | Permalink | Reply

      I work for a business that provides this service, and it’s not intended to remove IT security expertise. Much of what business call “IT Security” is really just operating the basic technology stack. Firewalls, AV, IPS, etc.

      Every business should have an owner of Information Security who dictates how it is done. Subsequently giving the upkeep of technical controls to a service provider makes perfect sense here, as it allows the in-house personnel to focus on the right stuff – managing risk and analysing security metrics.

      You can also outsource some of the risk work too; you just can’t outsource the responsibility.

      • BruceH
        Posted 12/03/2014 at 2:17 pm | Permalink | Reply


        Been doing IT Security, information risk management for a while now and agree that some security services may work from the cloud but you can’t outsource risk accountability and you can’t push it to the cloud.

        A lot of organisations that can’t tell the difference will get really burnt here

      • gordon451
        Posted 12/03/2014 at 7:44 pm | Permalink | Reply


        Security is all about covering the ass. As kid at boarding school so long ago I still remember covering my ass… against a (well-deserved) caning. The magazines were uncomfortable, and if you used too many of them the House Master would inevitably discover them… Nothing has changed!

        I do wonder how many CEOs would react if I asked them how they know their business has not already been penetrated? I certainly know how IT managers react, and it’s sobering.

    4. Steve Hodgkinson
      Posted 12/03/2014 at 1:29 pm | Permalink | Reply

      This is an interesting pick-up Renai. The challenge is that the results of Verizon’s 2013 Data Breach Investigations Report were pretty sobering reading in this regard. The percentage of breaches that remain undiscovered for months or more has risen steadily since 2010 … and discovery is likely to be a challenge for most organisations as APTs become more sophisticated and targeted. The goal is often to compromise a system and then remain undiscovered until a way to monetise the breach emerges.

      If your organisation can afford to invest in in-house IT security staff and sophisticated protection and monitoring software then great. If not, however, then you are probably better off buying a security-as-a-service offering to complement whatever in-house capabilities you can afford and sustain. The advantage that the leading security services have is their ability to analyze large volumes of data to detect anomalous patterns that reveal suspicious activity that is invisible when only looking at one organization’s data. That, at least, is the theory …

      • Hmm
        Posted 15/03/2014 at 10:49 pm | Permalink | Reply

        “as APTs become more sophisticated and targeted.”
        I think you will find that by definition, an APT is already sophisticated and targeted.

        “The goal is often to compromise a system and then remain undiscovered until a way to monetise the breach emerges.”

        I think you will find, that the goal is not to remain undiscovered (though this is of benefit), you do not just sit on the system for months/years waiting. You extract everything you can, and expand your compromise. If you can’t expand, you already have the data. Then you have the information and can sell it at any point in the future you desire, regardless if you still retain access to the environment.

    5. Posted 14/03/2014 at 4:30 pm | Permalink | Reply

      Its very difficult to hire and retain the kind of IT Security staff that are going to make a real difference. The sophistication of security attacks and the patience of the attackers has really grown in the last decade. Internal IT Security personnel i think are better to focus on their knowledge of their organization, while leveraging an external provider for the grey-hat security muscle.

      SecureWorks is a US org I’m very familiar with originally headed up by Tony Prince. Great model, solid success. Other US-based breaches need to be analyzed for the applicability. I’m not sure Security as a Service is to blame.

    6. Posted 09/05/2014 at 5:41 pm | Permalink | Reply

      Well, a great study Renai! But for my part I don’t see a shortage of qualified IT security staff as a major threat. No doubt that with the advancing security services it’s now easier to keep the business protected, but it never diminishes the threat of a serious privacy breach. As the traditional security services develop it no more complex security offering, several brains will be stumbling for access to it and thus will require the need of an IT security staff.

    Leave a Comment


  • Get our 'Best of the Week' newsletter on Fridays

    Just the most important stories, one email a week.

    Email address:

    Follow us on social media

    Use your RSS reader to subscribe to our articles feed or to our comments feed.

  • Most Popular Content

  • Enterprise IT stories

    • Super funds close to dumping $250m IT revamp facepalm2

      If you have even a skin deep awareness of the structure of Australia’s superannuation industry, you’ll be aware that much of the underlying infrastructure used by many of the nation’s major funds is provided by a centralised group, Superpartners. One of the group’s main projects in recent years has been to dramatically update and modernise its IT platform — its version of a core banking platform overhaul. Unfortunately, the $250 million project has not precisely been going well.

    • Qld’s Grant joins analyst firm IBRS peter-grant

      This week it emerged that Peter Grant, the two-time former Queensland Whole of Government CIO (pictured), has joined well-regarded analyst firm Intelligent Business Research Services (IBRS). We’ve long had a high regard for IBRS, and so it’s fantastic to see such an experienced executive join its ranks.

    • Westpac dumps desk phones for Samsung Android mobiles samsung-galaxy-ace-3

      The era of troublesome desk phones tied to physical locations is gradually coming to an end in many workplaces, with mobile phones becoming increasingly popular as organisations’ main method of voice telecommunications. But some groups are more advanced than others when it comes to adoption of the trend. One of those is Westpac.

    • Ministers’ cloud approval lasted just a year reverse

      Remember how twelve months ago, the Federal Government released a new cloud computing security and privacy directive which required departments and agencies to explicitly acquire the approval of the Attorney-General and the relevant portfolio minister before government data containing private information could be stored in offshore facilities? Remember how the policy was strongly criticised by Microsoft, Government CIOs and Delimiter? Well, it looks like the policy is about to be reversed.

    • WA Govt can’t fund school IT upgrades oops key

      In news from The Department of Disturbing Facts, iTNews revealed late last week that Western Australia’s Department of Education has run out of money halfway through the deployment of new fundamental IT infrastructure to the state’s schools.

    • Turnbull outlines Govt ICT vision turnbull-5

      Communications Minister Malcolm Turnbull has published an extensive article arguing that the Federal Government needed to do a better job of connecting with Australians via digital channels and that public sector IT projects needn’t cost the huge amounts that some have in the past.

    • NZ Govt pushes hard into cloud zealand

      New Zealand’s national Government announced a whole of government contract this morning for what it terms ‘Office Productivity as a Service’ services. This includes email and calendaring services, as well as file-sharing, mobility, instant messaging and collaboration services. The contract complements two existing contracts — Desktop as a Service and Enterprise Content Management as a Service.

    • CommBank reveals Harte’s replacement whiteing

      The Commonwealth Bank of Australia has promoted an internal executive who joined the bank in September after a lengthy career at petroleum giant VP and IT services group Accenture to replace its outgoing chief information officer Michael Harte, who announced in early May that he would leave the bank.

    • Jeff Smith quits Suncorp for IBM jeffsmith4

      Second-tier Australian bank and financial services group Suncorp today announced that its long-serving top technology executive Jeff Smith would leave to take up a senior role with IBM in the United States, in an announcement which marks the end of an era for the nation’s banking IT sector.

    • Small business missing the mobile, social, cloud revolution iphone-stock

      Most companies that live and breathe the online revolution are not tech startups, but smart smaller firms that use online tools to run their core business better: to cut costs, reach customers and suppliers, innovate and get more control. Many others, however, are falling behind, according to a new Grattan Institute discussion paper.

  • Blog, Enterprise IT - Jul 5, 2014 13:53 - 0 Comments

    Super funds close to dumping $250m IT revamp

    More In Enterprise IT

    Blog, Telecommunications - Jul 5, 2014 12:12 - 0 Comments

    What should the ACCC’s role be in guiding infrastructure spending?

    More In Telecommunications

    Analysis, Industry, Internet - Jun 23, 2014 10:33 - 0 Comments

    ‘Google Schmoogle’ – how Yellow Pages got it so wrong

    More In Industry

    Blog, Digital Rights - Jun 30, 2014 22:24 - 0 Comments

    Will Netflix launch in Australia, or not?

    More In Digital Rights