SaaS, Security-as-a-Service, or Software-as-a-Service. Call it what you may, but the vision behind these offerings is largely the same. Create a fancy app that performs some preventative, detective, or administrative security function, provide its output via a slick web-based portal, and charge customers a monthly fee for access to the data. These Security-as-a-Service apps can provide a valuable function, but they also come with untold risks.
In the meantime, build a marketing machine to convince customers that the SaaS product or tool in question provides a solution to most (if not all) of their security problems without ever requiring a conversation. Deliver information security as a product in a blissful vacuum where no interaction between provider and customer is necessary and where software does all the work for you.
The Security-as-a-Service model is certainly a dream for financial backers. Getting recurring revenue for little work never loses its appeal.
It wasn’t supposed to be this way. The people who started the information security profession in the 1990s (our mentors) largely came out of government and banking. They developed the doctrine of “Defense-in-Depth” which required a deep understanding of critical systems vulnerabilities and subsequent layers of security controls to mitigate those risks.
They correctly predicted that, as businesses became more interconnected and commerce became more transactional, the need for security services would vastly increase. However, they would be disturbed to see the Security industry that developed— where vendors are in a race to cash in—would skip the first step of understanding how the systems they protect are actually working.
The ransomware attacks observed over the last few years have exposed the weaknesses of “product-centric” approaches to security, but we have yet to see a broad-based call for getting back to basics. Instead, the security industry has begun to tout Artificial Intelligence (AI) as the missing link between SaaS and effective security. AI will help, particularly as it relates to monitoring uniform and highly repetitive security tasks, but it never allows us to skip the step of understanding the things that we, as security professionals are protecting.
In an era where ransomware attacks are gaining in sophistication and impact, only a person who understands both the environment they are protecting and how the data emitted by their security tools relates to their critical systems will be able to mount a successful defense.
Security-as-a-Service can be a valuable tool for businsses. However, it’s important to understand that the tool alone cannot fully secure a business. Businesses need human expertise to prevent attacks and keep businesses running without interruption or loss.