Security-as-a-Service: Providing Lower Risk at Optimal Cost
By Alexis Langagne Fasén | Fri, 04/16/2021 - 13:00
The notion of “integrated solutions” is about building comprehensive enterprise security capabilities that combine people, technology, and processes in a tightly integrated manner, in a way that allows organizations (corporations or public entities) to minimize their risk and do it at an optimal — usually lower — total cost of ownership. “Security-as-a-Service” is then offering — and consuming — those integrated solutions in flexible and adaptable ways, such that organizations can “consume” more or less security according to their changing and specific needs. This is the way I anticipate Enterprise Security will evolve in the “new normal” (post-pandemic era) that we are beginning to face.
After spending almost 30 years in the information technology (IT) industry, I saw enterprise IT evolving from an in-house operational model to an outsourcing model and then eventually to an “All-as-a-Service” model (the cloud) — where you consume IT based on your specific needs and pay a regular fee based on the overall service you get — without thinking that much about what hardware, software and services are behind it; the only thing that matters at the end of the day is that an SLA (Service Level Agreement) is met.
With a little over-simplification, I see the same phenomenon starting to happen in the enterprise security arena. On the one hand, spending on enterprise security tends to be fragmented in organizations, which usually means it is not optimized. On the other hand, the impact of not mitigating risks, whether they are physical or logical, is increasing. Contracting fragmented solutions tends to be highly complex, costly, hard to manage, and with that, the risk tends to increase. Based on this, I do see companies moving more and more to a “Security-as-a-Service” model that lowers the risk of the organization and the overall cost as well, looking at the TCO (“Total Cost of Ownership”) that comprises the costs of the technology, its maintenance, operators, training, real estate, insurance, utilities, and of course, guards, supervisors, and even the cost of acquiring best practices on a regular basis; all this throughout a specific period of time.
As we move to these new normal environments, one key aspect of these integrated enterprise security solutions is that they will need to ensure that working environments are both secure and safe. This was also true in the past, but now the level and quantity of safety requirements have increased (safety for employees, clients, suppliers, and partners), and the good news is that there are many innovative technologies that help address some of those security and safety requirements.
Let’s look at how the three components of these integrated enterprise security solutions (people, technology, and processes) provide the fundamental building blocks of the security solutions for the new era:
- People: highly trained security officers (on-site guards, mobile guards, remote guards, monitoring agents, security operations center operators, supervisors) and security technology specialists (technical architects, maintenance and support specialists, data analysts, cybersecurity experts, supervisors).
- Technology: the so-called electronic security systems (access control systems, thermal CCTV, drones), enterprise security software (applications to monitor and report incidents, remote video storage, remote detection of safety conditions), software integration (to connect access control data to human resources applications), new AI-based capabilities (from face recognition to anticipating incidents based on data analytics), and the Security Operations Center (SOC), with everything now moving more and more to the cloud (usually public or hybrid).
- Processes: based on company policies, local regulations, and best practices, with an end-to-end approach. Processes need to ensure that the overall operation is not fragmented. For example, guards need to have two-way communications with the SOC, so an AI-based analytics engine may trigger a mobile guard to take preventive action based on the likelihood of an incident.
As is evident from the descriptions above, an integrated enterprise security solution is not about technology taking over human roles; it is all about enhancing the capabilities of what people, technology and processes can accomplish in a comprehensive and tightly-coupled approach.
Ideally, organizations should perform an in-depth risk analysis to identify all current vulnerabilities and their associated criticality based on the cost of security being compromised. The analysis will provide a complete map of risk factors and their associated prioritization. This analysis should be the basis to design a comprehensive integrated solution, incorporating the specific people, technology, and processes to address the very specific needs of any organization.
The post-pandemic new normal requires organizations to have enterprise security solutions that are comprehensive, flexible, and optimized for a specific risk mitigation level and lowest Total Cost of Ownership. The transition to a “Security-as-a-Service” model won’t be automatic; it will be a multiple-step journey, but from my perspective, that is where the industry is definitively going.