Many companies have to tighten the proverbial security belt these days. However, the needs do not shrink proportionally. Now is not the time to be cutting back on log management, threat management or malware detection. So how does a company do more with a static budget? The answer may surprise you - outsource it. I know that many managers are reluctant to outsource security management; I am one of those people. I think that you have to be smart about it and use security outsourcing to free up your people to do the high-level work that, at times, there somehow just isn't enough time to do, such as analysis, security architecture and strategic planning. You know, those things that you should be doing.
Security as a service is not a panacea. Security is only as strong as your weakest link. If you outsource it, it's only as strong as the provider's weakest link, which you probably won't even know. Earlier this week, I wrote a post about requiring your cloud vendor to produce a SAS 70 Type II certification. I think that this would be another example where I would require my security outsourcer to produce the same certification.
Many security vendors offer cost-effective options. Quest, a California-based service provider, recently teamed up with Intellitactics to market an event management appliance that helps organizations meet most compliance requirements such as HIPAA, Sarbanes-Oxley and GLB, without a huge cost overhead.
Have a Web site that needs monitoring? Dasient, a Web anti-malware company, will monitor your site should it appear on a blacklist, alert you instantly if there is malware activity on your site, and automatically quarantine a malware infection discovered by its monitoring service.
Security as a service is a tool. Like any other tool, it's only as good as the person, or the organization, that uses it. Smart companies should use security as a service to supplement their existing staff while freeing them to do the things that probably are not getting done.