Security-Officer-as-a-service - what does it mean and who is it for?

A cyber-skills shortage is leading smaller firms to opt for a part-time CISO, but does it keep them secure, and would it work for larger companies?

The obsession with acronyms has been long-standing in the IT industry, and now, to accompany it, comes the fixation on the term "as-a-service". Software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) are the three staples of this new craze, and they have been followed by the likes of communications-as-a-service (CaaS) and monitoring-as-a-service (MaaS).

But the fascination does not stop there, it seems, as the latest in the line is SOaaS (Security-Officer-as-a-service).

A salary guide released at the beginning of 2014 indicated that the biggest wage rise of all IT leader roles in the UK would be for chief information security officers (CISOs), an indication that companies across the world were becoming increasingly worried about hacking threats.

Back in May, a Reuters source claimed that the likes of JP Morgan and PepsiCo had already made moves to hire cyber security experts to sit on their boards. But while these large companies are unlikely to find it hard to lure CISOs - not only with their brands but with their pay packets - smaller companies risk being left behind.

Yet, despite reports to the contrary, many small and medium enterprises (SMEs) are aware that they need to beef up their cyber defences, and to ensure that this happens, many are hiring a security officer "as a service"; in other words, they are outsourcing the role to an individual from a third party.

One of these SMEs is Laya Healthcare, the second largest private healthcare provider in Ireland. Ian Brennan, IT director at the company, explains that the firm uses an external company to provide it with a SOaaS.

"[The role] is tasked with ensuring that our [cyber security product from] FireEye works correctly, putting action into everything the product tells us on the firewall or virus side of things. We're also working towards ISO27001 and he's providing us with a lot of support and guidance in that area," he says.

Laya Healthcare had always used a third party to carry out penetration tests when upgrading its website. And it was the same external company, which Brennan did not name, that Laya Healthcare decided to use for a SOaaS role.

Brennan believes that the SOaaS concept is something that is increasingly being taken up by SMEs, but probably not out of choice.

"Ideally, I'd love to have a full-time security officer," he says.

But Brennan's duties as IT director include handling security issues, and so he maintains that he "doesn't want someone sitting there making work for themselves".

This is perhaps why the role is divided into technical and operational duties on the one hand and advisory duties on the other.

Justin Buhler, a consulting senior manager at Deloitte's cyber intelligence centre, says that his firm offers the type of SOaaS service that Brennan refers to - but that it would be hard to offer the operational side of security on a part-time basis to a customer.

"The challenge from an information security perspective is to be consistent; if you have security technology that you've invested in - it's not cheap to purchase and not just because of the licensing or the tin cost but the operational cost - you have to be consistent with operations.

"Companies have to be regularly measuring and monitoring threats on an ongoing basis so I don't know whether a part-time role per se would be helpful from an operations perspective as it's event driven. The risk is if you don't have somebody consistently monitoring threats, you will have a bunch of things happening that indicate a bigger problem but there is nobody there to respond to it, until they come back a week or two later, and by then it could be too late," he explains.

Richard Cassidy, senior solutions architect at security provider Alert Logic, claims that SOaaS is not something new in the industry and that organisations that offer the service will most likely enter the market at a price point that many cannot afford.

"[Companies] will need to have a great degree of certification and delivery capability themselves to effectively offer such a service," he says.

Greg Day, FireEye's CTO of EMEA, believes that companies will mainly be offering the service from an advisory perspective.

"It will be a service used to give customers advice on their policies and strategies and how it applies to their existing security stack," he says.

This is primarily what the security officer does at Laya Healthcare.

"The security officer shows me the FireEye report from the preceding month, shows me the actions that have been taken and ensures that all of the tickets that have been created have been closed," Brennan explains.

And now that the team knows it will be grilled on all security aspects by the security officer, Brennan states that if the organisation has a big launch on a weekend, the team makes sure that everything has been done with security in mind.

"It's like having an external auditor who is very fierce, which I like, and he gives the IT team quite a hard time on security," he says.

But how much trust can be put into someone who doesn't work for your organisation?

According to Brennan, the security officer does not actually see much of the company's data. And, much as when the firm outsources any other part of its IT security, it relies on the NDAs and the integrity of the company it has hired.

"We would think that they would never be at the pub with a pint saying we did this or that with Laya Healthcare - so it's just like us in that we have a brand and reputation that we're trying to protect and that is key," says Brennan.

So will the SOaaS model ever shift towards larger enterprises?

According to Day, this is unlikely.

"The SOaaS model is for smaller organisations, but some larger firms are working in a hybrid model, leveraging human skills and technology skills from their system integrators or telecommunication providers to outsource certain parts of IT security," he states.

And Cassidy maintains that, as the CISO role has evolved to become a more important part of large organisations' overall security and information strategy, it is not something that can be offered on a part-time basis.

"The view that this role can or should be offered on a part-time basis in many respects contradicts the reason the title was created in the first place. Every CISO needs to be intrinsically involved in the business that they are defining the security and information strategy for and working day-to-day to ensure the implementation and effectiveness of that strategy, at all levels in the business," he says.