Opting to outsource security? Adrian Lowe, cloud solutions architect at Node4, tells us what you need to ask any potential Security-as-a-Service provider before signing on the dotted line.
IT infrastructure is becoming ever more decentralised, increasingly cloud-based and is subject to frequent change as businesses seek to optimise performance and spend.
Add to that the increasing range of security threats faced by every organisation and it’s a lot for busy IT teams to prioritise and deal with.
Security can be a particular challenge, as the stakes are so high. Time given over to protecting data and systems is rarely wasted, but it can distract from other IT priorities.
But just as cloud is contributing to this complexity, it could also offer a solution in the form of Security-as-a-Service (SECaaS).
By outsourcing to a specialist third party, organisations can – potentially – put themselves in a win-win situation: affordably improving their IT defences and allowing their internal teams to focus on more strategic work.
The big questions
If you’re considering SECaaS, you need to decide what you are going to protect. From securing mobile endpoints, protecting against malware and phishing to guarding vital cloud applications from zero-day threats and ransomware, the options are diverse.
The challenge is – what’s the best method of choosing a provider? What questions should you ask to test their suitability and separate real expertise from sales spin?
Having full confidence in your provider is key. And one of the biggest factors that can make or break your belief in the company looking after your security is the quality of their service.
Many businesses will understand that the real limits on the service levels from some tech providers only become apparent when there is a problem that needs to be fixed. For something as critical as security, you have to be sure that proactive service is part of their standard approach to customers from day one.There are several reasons for doing this. The first is so you can understand how much proactive and reactive protection you get for your money, because you need both. The second is to make sure there are no nasty billing surprises if something happens outside the norm.
So, where do their services begin and end? Most providers will offer a Service Level Agreement (SLA), but they can vary in their level of detail. It’s really important – from the outset – to understand the parameters.
Asking what is not included is just as important as asking what is. Can the provider talk you through the most common security scenarios and explain what their standard service includes, for example?
And on a day-to-day basis, how does their support operation work? How long does it take them to respond after a customer raises a ticket? What guarantees can they provide on responsiveness and what level of resource will they dedicate to solving any security problem you encounter? Will your account be managed by specific individuals whose names you will know, or will you need to start from scratch every time you contact support?
Here are three key considerations:
1. Security accreditations, from large vendors or independent third-party organisations, provide a good indication of how seriously a provider takes its responsibilities. Ask providers to detail their corporate and individual accreditations to ensure they focus on the areas that are most important to your security strategy.
This will help you understand how tuned-in they are to existing and emerging security threats. You need to see evidence that their experts are genuinely at the cutting edge of a job where expertise can be out of date very quickly.
2. Are they using ‘best of breed’ technologies? It’s a cliched phrase, but it’s important that your provider can demonstrate it adapts its services to the most effective technologies out there. No single security vendor can claim to have the perfect solution for every challenge, so your service provider should be able to explain how they have cherry-picked the right technologies for your needs.
3. What is their track record? Can they give examples of where their security services have been particularly effective? Do they have experience in your industry? This can be particularly important if you work in a regulated market, or if you have a particular requirement that is unusual.
Asking for customer references about security can be more challenging than other areas of IT because of confidentiality concerns, but service providers should be able to offer proof about their overall levels of service and effectiveness.
It’s worth taking the time to be thorough. Once you’ve made a commitment to a provider, you need the relationship to work.
In the security context, the consequences of failure can be extremely severe. A breach will lead to serious questions being asked, not only of the service provider, but of those who made the choice of supplier.
On the other hand, a good choice can be transformative – not just in ensuring your business stays secure, but in liberating the time and focus of your valuable internal IT teams to work on tech strategy that supports your long-term goals.
