The IT industry's obsession with acronyms is long-standing, and it is now accompanied by a fixation on the term “as-a-service”. Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) are the three staples of this new craze, and they’ve been followed by the likes of Communications-as-a-Service (CaaS) and Monitoring-as-a-Service (MaaS).
But the fascination does not stop there, it seems, as the latest in the line is SOaaS (Security-Officer-as-a-Service).
A salary guide released at the beginning of 2014 indicated that the biggest wage rise of all IT leader roles in the UK would be for Chief Information Security Officers (CISOs), an indication that companies across the world were becoming increasingly worried about hacking threats.
Back in May, a Reuters source claimed that the likes of JP Morgan and PepsiCo had already made moves to hire cyber security experts to sit on their boards. But while these large companies are not likely to find it hard to lure in CISOs, not only with their brands but with their pay packets, smaller companies may be left behind.
Yet, despite many reports to the contrary, many small and medium enterprises (SMEs) are aware that they need to beef up their cyber defences, and to ensure that this happens, many are hiring a security officer “as a service”, or in other words they are outsourcing the role to an individual from a third party.
One of these SMEs is Laya Healthcare, the second largest private healthcare provider in Ireland. Ian Brennan, IT director at the company, explains that the firm uses an external company to provide it with a SOaaS.
“[The role] is tasked with ensuring that our [cyber security product from] FireEye works correctly, putting action into everything the product tells us on the firewall or virus side of things. We’re also working towards ISO27001 and he’s providing us with a lot of support and guidance in that area,” he says.
Laya Healthcare had always used a third party to carry out penetration tests when the organisation upgraded its website. And it was the same external company, which Brennan did not name, that Laya Healthcare decided to use for a SOaaS role.
Brennan believes that the SOaaS concept is something that is increasingly being taken up at SMEs, but probably not out of choice.
“Ideally, I’d love to have a full-time security officer,” he says.
But Brennan’s duties as IT director involve a large part of handling the security for Laya Healthcare, and so he maintains that he “doesn’t want someone sitting there making work for themselves”.
This is perhaps why the role is split between its technical and operational duties and its advisory duties.
Justin Buhler, a consulting senior manager at Deloitte’s cyber intelligence centre, says that his firm offers the type of SOaaS service that Brennan refers to – but that it would be hard to offer the operational side of security on a part-time basis to a customer.
“The challenge from an information security perspective is to be consistent; if you have security technology that you’ve invested in – it’s not cheap to purchase and not just because of the licensing or the tin cost but the operational cost – you have to be consistent with operations.
“Companies have to be regularly measuring and monitoring threats on an ongoing basis so I don’t know whether a part-time role per se would be helpful from an operations perspective as it’s event driven. The risk is if you don’t have somebody consistently monitoring threats, you will have a bunch of things happening that indicate a bigger problem but there is nobody there to respond to it, until they come back a week or two later, and by then it could be too late,” he explains.