We recently had Anthony Morrone, DuPont’s Chief Information Security Officer (CISO), speak about the challenges he faces preparing for the merger of his company and Dow Chemical. The union of the two chemical giants, and subsequent creation of three independent technology and innovation-based science companies, will be one for the history books. Preparing for this event is no small endeavor.
According to Morrone, who will be responsible for the security of two of the three independent spin-offs, the typical approach to support a new company is to clone your existing structure. But for DuPont, which has 17 different domains, cloning the security structure and systems poses some sizable challenges and a significant capital expense Morrone wants to avoid. His plan? Integrate a cyber security as a service (CSaaS) model into his security design. (Watch the on-demand broadcast for the full case study.)
Why Cyber Security as a Service Models Are Growing More Popular
Like DuPont, many companies, both large and small, are gravitating toward an outsourced model for security and day-to-day operations. In fact, according to a recent PwC survey of more than 10,000 business and IT executives, 62 percent of respondents said their organizations are using cyber security as a service providers to address threats and create value for their organizations.
Government agencies have long relied on contractors, like Leidos, to manage or support their Security Operations Centers (SOCs). Now commercial customers are accessing that same expertise on a pay-as-you-go basis for some of the same reasons.
Reduce Capital Expenses
For Morrone, the ability to “buy by the drink” means he can ramp up service when he needs it without having to buy hardware his team will have to support, update, and maintain. All of that is taken care of by the service provider and made available in an OPEX model. This allows an organization to reduce both its CAPEX costs (no equipment to buy) and total OPEX cost of ownership (no in-house support team to fund).
Eliminate Staffing Challenges
At a time when there are too few cybersecurity professionals available—a talent shortage expected to increase to 1.5 million professionals by 2019—staffing a new team can be a near Herculean task. And, as Morrone notes, even if you do find enough people to hire, you still have to train them and ensure they stay. For small and midsize organizations, whose resources are already stretched thin and which may be struggling to adequately perform security functions, outsourcing is highly appealing.
Organizations that want to maintain an in-house security team can use a CSaaS provider to handle tedious and routine security needs while their internal staff focuses on the truly critical projects.
Increase Coverage
Using cyber security as a service can enable companies to expand their security to 24/7, 365-days-a-year coverage. This level of attention is often unachievable for small teams who are frequently tasked with all types of IT issues, security included.
Access to Security Expertise
The increase in malicious hackers and proliferation of enterprise security products are a sign of the times. Staying on top of a continually shifting landscape can be extremely challenging for internal security teams who are all too often understaffed and overtasked. By using a CSaaS provider, organizations have access to specialists solely focused on helping organizations meet their security challenges, including managing security devices, monitoring networks for malicious events, and responding to attacks.
For this reason, CISOs like Morrone are eagerly tapping into experts such as security analyst teams who are available remotely or onsite to perform various security functions that are difficult to fill and maintain internally due to the cyber talent shortage or a limited budget.
In addition, by using a service provider to monitor their enterprise network, companies take advantage of detective capabilities built on the knowledge the provider gains from its visibility across many different customers and verticals. Information about an attack targeting one customer is used to create and implement a detective control across the entire customer base, so all customers benefit from what was learned.
With budgets tightening across the board and competition for a limited pool of security talent growing fiercer, using CSaaS providers has become an optimal solution for many companies. Knowing they can count on their partners to focus on certain vectors, internal security teams are able to concentrate on their core missions. These could be high-priority or critical items within security or something totally outside of security. The flexibility of CSaaS allows the services used to change over time and be periodically realigned to ensure the customer’s business needs are being met.