Recently, the IBM Center for Applied Insights conducted in-depth interviews with 138 security leaders to gain insight into how security leaders are tackling their greatest challenges today.
As you’d expect, cloud security was top of mind.
In our study, we found that 86 percent of security leaders surveyed have adopted or are planning to adopt cloud initiatives. Seventy-five percent expect their cloud security budgets “to increase or increase dramatically.”
But interestingly, our conversations also highlighted an increasing focus on a related topic: Security as a Service (SECaaS) – using the cloud to deliver security services.
- Encryption/key management as a service (48 percent)
- Security monitoring as a service (46 percent)
- Application security scanning as a service (42 percent)
- Cloud security gateway as a service (41 percent)
- Identity as a service (31 percent)
What’s more, we found that those organizations that have a Chief Information Security Officer and a more mature approach to information security are more likely to adopt security as a service from the cloud.
Clearly, as security leaders become more comfortable with security in the cloud, they are becoming more likely to consume security from the cloud.
Why adopt SECaaS
Security leaders can often feel a lot like Sisyphus these days – the figure in Greek mythology sentenced to repeatedly pushing the same boulder up the same hill each day. Each security measure they take, cybercriminals counter. And on today’s battleground, more than half of the security leaders we interviewed felt that attackers were “outstripping the sophistication of their organization’s defenses.”
Security professionals need all the help they can get in their work to defeat the cybercriminals and SECaaS offers one avenue to enable more robust security within the realities of budget and talent constraints.
Like other cloud deployment models, SECaaS can offer significant savings over traditional on-premise deployments—savings that can then be reinvested to help leaders stay one step ahead in this continually shifting landscape.
But as with any cloud service, success with SECaaS will require a well-defined plan, and not all security solutions lend themselves to a SECaaS deployment model. What should security leaders consider as they prepare for this move?
- What is your main objective in choosing this deployment approach – shoring up skills gaps, freeing up time and money, simplifying operations, or staying at leading edge of security technology and practices?
- Who’s going to lead this effort?
- What is your biggest concern about transitioning to SECaaS? Is it an IT issue? Is business leadership skeptical? How will you address it?
- What capability will you start with – one particular area, like application scanning, or multiple areas?
- How will your SECaaS approach fit with your overall cloud strategy? If you use a managed security services vendor, how will they fit in?
SECaaS is still in early days – but organizations with more advanced approaches to security are already getting comfortable in this space. The question is no longer whether it’s viable to deliver security as a service; it’s when will SECaaS become the preferred model.
To learn more about what security leaders expect to face in the coming years, read the IBM Center for Applied Insights study, Fortifying for the future: Insights from the 2014 IBM Chief Information Security Officer Assessment.