Is cybersecurity as a service (CSaaS) a good solution for enterprise or is it more suited to a startup or SME?
It's impossible to manage. I see it. When we started RiskSense as a service, you always looked at cost economics. And the reason we were given was that it's pure cost. The technology might be what you get a break on but when it comes to the real work, it's down to cost economics. We all know that but nobody's willing to transfer the risk.
When you sign a contract, you don't have the option to say, “I'll only allow you to take on a 10 million dollar risk.” But in contractual negotiation the question is, how much risk am I willing to take? Nobody's going to take on unlimited risk. That means that you haven't transferred your risk by default, you just transferred the work. And even then, you're at the mercy of the vendor.
And in this case, you can't really transfer the risk. You might be able to transfer the financial implications of the risk but if your data is stolen or if you’re ransomed, it's not like it’s their problem. They might write a check under some limited liability perhaps but that’s it.
One small comment Malcolm Harkins: imo, we do not transfer risks, we barely (try to) share them with a third party, because, as you rightly mention in your additional comment below, accountability is never transferred, only execution might be.
You can outsource the task and responsibility, but you can't outsource accountability for the result. Too frequently people confuse that, whether it be cybersecurity, or outsourcing of app development, etc. I was on a Slack channel with 100+ peers recently and outsourcing came up. A lot of people said, “I've done it but they don't respond as fast as internal resources do,” or “I've done it and I'm not really happy.”
So even if you outsource it, you're still going to end up co-sourcing things because of the complexity of what is occurring in your environment. Unless they're a dedicated team—like a true contract worker that's completely under contract with you—they're in this stew of all the other things that they're doing. They may have some pods but they're a shared resource across other clients.
The different models that we're seeing through my network are interesting, particularly here in NZ. I guess it's just a scale thing for us. For the clients I'm working with, it's often not feasible for them to manage their own security environment internally, so outsourcing makes perfect sense. Most of the managed service providers (MSPs) that I've come across or that I've been involved with have some form of security offering. Whether it be the basic level, malware and threat detection or whether it goes right up. We've started to see more companies and providers emerge in the market that are offering it.
Cybersecurity as a Service (CSaaS) can be a valuable solution for both enterprises and startups/SMEs, with benefits and considerations varying based on the organization's size and needs.
For Enterprises:
Focus on Core Business: By outsourcing cybersecurity, enterprises can concentrate more on their core business activities while ensuring their security posture is managed by experts.
Scalability and Expertise: Enterprises often have complex security requirements and can benefit from the scalability and specialized expertise that CSaaS providers offer. Hiring staff usually takes more time and may not align with business timelines.
Cost Efficiency: While enterprises might have the budget to build in-house security teams, CSaaS can still be cost-effective by reducing the need for continuous training and the overhead associated with maintaining a large security staff.
For Startups and SMEs:
Access to Expertise: Startups and SMEs often lack the resources to hire full-time security experts. CSaaS provides access to high-level security expertise and technologies that might otherwise be out of reach.
Affordability: CSaaS can be more affordable for smaller businesses as it eliminates the need for significant upfront investment in security infrastructure and personnel.
Flexibility: The pay-as-you-go model of CSaaS allows startups and SMEs to scale their security services as they grow, ensuring they only pay for what they need.
Ultimately, the decision to use CSaaS should be based on an organization's specific needs, budget, and existing security capabilities. It's a flexible solution that can be tailored to fit a wide range of requirements and what business knowledge the organization is willing to share with external partners.