Many organizations want to build comprehensive security capabilities in house. When they discover that they simply cannot, they occasionally decide to use a vendor, which is often construed as outsourcing. This appears to create a ‘build versus buy’ decision, but as the scope of the security problem increases and experts and expert providers become harder to find, enlightened organizations do not view the decision in such binary terms. Instead, they approach this problem as they would a logistics or financial challenge – supplementing internal experts (who deeply understand their business) with help from the commoditized low-end and specialized high-end.
Core security-as-a-service offerings should include a wide range of security practitioners such as forward-deployed threat intelligence analysts, experienced incident responders, security operations analysts and risk managers. "On-demand" availability means that organizations should be able to access specific expertise exactly when needed, within the context of their current situation. Examples of where organizations may need help include getting answers to questions about alerts, analyzing malware, or being able to delegate and access the capabilities of a security operations center.
With experienced staff becoming a dwindling resource, hiring more personnel to manage siloed security products seems as though it would be the right solution. However, not only is such a strategy beyond most budgets, it is also improbable since the industry has a skills deficit.
The lack of skilled resources is one of the biggest challenges plaguing the security industry. Reports indicate that more than 209,000 U.S.- based cyber security jobs are unfilled. This extraordinary number has been steadily growing for the past five years and is expected to grow by another 53 percent by 2018.
An organization cannot always expect to find a security analyst or incident responder who has front-line experience with attacks from nation-state adversaries or major cyber-crime syndicates. And if they do find such a professional, they have no assurance that they can retain that expert when demand is so high. What's worse is that many specialized security resources are often only needed for short bursts of time, making it even more difficult to justify their cost.
The reality is that most organizations are not security companies. They are governments, financial institutions or consumer goods companies, and cyber security is not their area of expertise. The security services and expertise that these organizations need consumes resources that could otherwise be invested in their core interests. Turning to a security as a service solution that has experts on demand is where these organizations stand to benefit most.