IT security as a service explodes in Australia



blog Ah, remember the old days? When every day journalists wrote about the latest minor patch upgrade to the handful of mega-IT security suites? When “IT security” meant deploying a monolithic anti-virus solution by hand on desktop PC after desktop PC and suffering the huge slowdown effect as it scanned every file in existence constantly? When IT security types were the black magicians of the IT industry? Well, things are certainly changing. A very interesting article on Techworld last week highlights the fact that IT security as a service is currently exploding in Australia, with smarter, sleeker, cloud-based alternatives to the old models coming to the fold. The site reports (we recommend you click here for the full story):

“According to the analyst firm, security-as-a-service has removed the issue of contractors and lowered maintenance overheads, by placing responsibility for delivery and maintenance of the security offering on the cloud services provider.”

I highlight this issue because it represents a fundamental shift in the way things are being done. To my mind this situation is both predictable as well as slightly concerning. What we’re seeing here is the commoditisation of IT security services, especially as this kind of technology has become much better understood, and as the delivery of patches and updates can be systematised. Many organisations will no longer have a need for dedicated IT security staff; or at the very least, those staff can move onto higher order projects.

However, it’s also a little concerning … without this kind of dedicated IT security staff, when things go wrong, they will often go much more wrong — and much more quickly, because outsourcing and systematising this kind of skills inherently slows down specialist knowledge about the organisation. And in the US, we are certainly seeing huge hacks on major organisations that we might not have seen in years past. I recommend you read the excellent Krebs on Security blog for regular examples of what’s really going on. It’s a double-edged sword. In any case, it’s an interesting situation.


  1. Brian Krebs is an A-List IT legend. His security work often (unfortunately) places him on the receiving end of some quite shocking retaliatory antics.

    But on the topic of the article, IT security as a service is not really a replacement for having someone who knows WTF should be happening within your (network) borders so they can isolate irregularities when something does go awry. Some of those cloud services are pretty much just relaying or blocking some major breach from one ‘customer’ and making sure it doesn’t affect any others; a bit whack-a-mole if you will IMO.

  2. Meh, I don’t think competent in-house staff have much to worry about as long as there are ‘Security as a Service’ vendors with staff who don’t understand CIDR notation, the basics of XSS attacks, or even how to identify the false positive their systems generate.

    The linked article seems to be a rehash of a Gartner press release, which really only mertis a ‘lol, Gartner report’ response. Their target market is pretty much exclusively PHBs

  3. I work for a business that provides this service, and it’s not intended to remove IT security expertise. Much of what business call “IT Security” is really just operating the basic technology stack. Firewalls, AV, IPS, etc.

    Every business should have an owner of Information Security who dictates how it is done. Subsequently giving the upkeep of technical controls to a service provider makes perfect sense here, as it allows the in-house personnel to focus on the right stuff – managing risk and analysing security metrics.

    You can also outsource some of the risk work too; you just can’t outsource the responsibility.

    • +1.

      Been doing IT Security, information risk management for a while now and agree that some security services may work from the cloud but you can’t outsource risk accountability and you can’t push it to the cloud.

      A lot of organisations that can’t tell the difference will get really burnt here

    • +1

      Security is all about covering the ass. As kid at boarding school so long ago I still remember covering my ass… against a (well-deserved) caning. The magazines were uncomfortable, and if you used too many of them the House Master would inevitably discover them… Nothing has changed!

      I do wonder how many CEOs would react if I asked them how they know their business has not already been penetrated? I certainly know how IT managers react, and it’s sobering.

  4. This is an interesting pick-up Renai. The challenge is that the results of Verizon’s 2013 Data Breach Investigations Report were pretty sobering reading in this regard. The percentage of breaches that remain undiscovered for months or more has risen steadily since 2010 … and discovery is likely to be a challenge for most organisations as APTs become more sophisticated and targeted. The goal is often to compromise a system and then remain undiscovered until a way to monetise the breach emerges.

    If your organisation can afford to invest in in-house IT security staff and sophisticated protection and monitoring software then great. If not, however, then you are probably better off buying a security-as-a-service offering to complement whatever in-house capabilities you can afford and sustain. The advantage that the leading security services have is their ability to analyze large volumes of data to detect anomalous patterns that reveal suspicious activity that is invisible when only looking at one organization’s data. That, at least, is the theory …

    • “as APTs become more sophisticated and targeted.”
      I think you will find that by definition, an APT is already sophisticated and targeted.

      “The goal is often to compromise a system and then remain undiscovered until a way to monetise the breach emerges.”

      I think you will find, that the goal is not to remain undiscovered (though this is of benefit), you do not just sit on the system for months/years waiting. You extract everything you can, and expand your compromise. If you can’t expand, you already have the data. Then you have the information and can sell it at any point in the future you desire, regardless if you still retain access to the environment.

  5. Its very difficult to hire and retain the kind of IT Security staff that are going to make a real difference. The sophistication of security attacks and the patience of the attackers has really grown in the last decade. Internal IT Security personnel i think are better to focus on their knowledge of their organization, while leveraging an external provider for the grey-hat security muscle.

    SecureWorks is a US org I’m very familiar with originally headed up by Tony Prince. Great model, solid success. Other US-based breaches need to be analyzed for the applicability. I’m not sure Security as a Service is to blame.

  6. Well, a great study Renai! But for my part I don’t see a shortage of qualified IT security staff as a major threat. No doubt that with the advancing security services it’s now easier to keep the business protected, but it never diminishes the threat of a serious privacy breach. As the traditional security services develop it no more complex security offering, several brains will be stumbling for access to it and thus will require the need of an IT security staff.

Comments are closed.