9 Comments
  1. Dan
    Mar 10 - 11:14 pm

    Brian Krebs is an A-List IT legend. His security work often (unfortunately) places him on the receiving end of some quite shocking retaliatory antics.

    But on the topic of the article, IT security as a service is not really a replacement for having someone who knows WTF should be happening within your (network) borders so they can isolate irregularities when something does go awry. Some of those cloud services are pretty much just relaying or blocking some major breach from one ‘customer’ and making sure it doesn’t affect any others; a bit whack-a-mole if you will IMO.

  2. Beano
    Mar 10 - 11:37 pm

    Meh, I don’t think competent in-house staff have much to worry about as long as there are ‘Security as a Service’ vendors with staff who don’t understand CIDR notation, the basics of XSS attacks, or even how to identify the false positive their systems generate.

    The linked article seems to be a rehash of a Gartner press release, which really only merits a ‘lol, Gartner report’ response. Their target market is pretty much exclusively PHBs.

  3. Ed
    Mar 11 - 12:35 pm

    I work for a business that provides this service, and it’s not intended to remove IT security expertise. Much of what businesses call “IT Security” is really just operating the basic technology stack: firewalls, AV, IPS, etc.

    Every business should have an owner of Information Security who dictates how it is done. Subsequently giving the upkeep of technical controls to a service provider makes perfect sense here, as it allows the in-house personnel to focus on the right stuff – managing risk and analysing security metrics.

    You can also outsource some of the risk work too; you just can’t outsource the responsibility.

    • BruceH
      Mar 12 - 2:17 pm
      Been doing IT Security, information risk management for a while now and agree that some security services may work from the cloud but you can’t outsource risk accountability and you can’t push it to the cloud.

      A lot of organisations that can’t tell the difference will get really burnt here.

    • gordon451
      Mar 12 - 7:44 pm
      Security is all about covering the ass. As a kid at boarding school so long ago, I still remember covering my ass… against a (well-deserved) caning. The magazines were uncomfortable, and if you used too many of them the House Master would inevitably discover them… Nothing has changed!

      I do wonder how many CEOs would react if I asked them how they know their business has not already been penetrated? I certainly know how IT managers react, and it’s sobering.

  4. Steve Hodgkinson
    Mar 12 - 1:29 pm

    This is an interesting pick-up Renai. The challenge is that the results of Verizon’s 2013 Data Breach Investigations Report were pretty sobering reading in this regard. The percentage of breaches that remain undiscovered for months or more has risen steadily since 2010 … and discovery is likely to be a challenge for most organisations as APTs become more sophisticated and targeted. The goal is often to compromise a system and then remain undiscovered until a way to monetise the breach emerges.

    If your organisation can afford to invest in in-house IT security staff and sophisticated protection and monitoring software then great. If not, however, then you are probably better off buying a security-as-a-service offering to complement whatever in-house capabilities you can afford and sustain. The advantage that the leading security services have is their ability to analyze large volumes of data to detect anomalous patterns that reveal suspicious activity that is invisible when only looking at one organization’s data. That, at least, is the theory …

    • Hmm
      Mar 15 - 10:49 pm

      “as APTs become more sophisticated and targeted.”
      I think you will find that by definition, an APT is already sophisticated and targeted.

      “The goal is often to compromise a system and then remain undiscovered until a way to monetise the breach emerges.”

      I think you will find that the goal is not to remain undiscovered (though this is of benefit); you do not just sit on the system for months/years waiting. You extract everything you can, and expand your compromise. If you can’t expand, you already have the data. Then you have the information and can sell it at any point in the future you desire, regardless of whether you still retain access to the environment.

  5. Andy Blevins
    Mar 14 - 4:30 pm

    It’s very difficult to hire and retain the kind of IT Security staff that are going to make a real difference. The sophistication of security attacks and the patience of the attackers has really grown in the last decade. Internal IT Security personnel, I think, are better to focus on their knowledge of their organization, while leveraging an external provider for the grey-hat security muscle.

    SecureWorks is a US org I’m very familiar with, originally headed up by Tony Prince. Great model, solid success. Other US-based breaches need to be analyzed for their applicability. I’m not sure Security as a Service is to blame.

  6. Motionwave Technologies
    May 09 - 5:41 pm

    Well, a great study Renai! But for my part I don’t see a shortage of qualified IT security staff as a major threat. No doubt that with the advancing security services it’s now easier to keep the business protected, but it never diminishes the threat of a serious privacy breach. As the traditional security services develop into more complex security offerings, several brains will be stumbling for access to them, and thus an IT security staff will still be required.