We hear a lot these days about everything as a Service and certainly, some of it makes sense. With services such Amazon Web Services and Microsoft’s Azure platform available it’s so cheap and easy to create a server that provides Public Applications, why would you bother hosting them in-house yourself?
But what about Security, surely this is something you need or want to have control of and there’s no real model for buying this as a Service is there?
That all depends on who you are of course, if we look the largest companies that span the globe they deliver many different types of services to their users, but they tend to provide it as a Service to them. If the business as a whole invests in setting up a Security Operations Centre (SOC), employing staff to run it and purchasing software and tools for them to use, then they don’t just swallow this cost. Different business units are often charged for using these services making them “as a Service”. It’s a good business model to recoup the millions of pounds that you’ve just spent on building the service and the SOC.
The big difference here though is that these business units don’t get a choice about how they buy these services, they are mandated and added automatically to their budgets.
Not really a fair market for them but you start to see how they consume everything as a service.
Once we move down the ladder a little and get to the mid-size businesses it starts to get a little more interesting. There’s not quite so much money available here, go to the MD or CEO and ask for £1,000,000 to build a SOC and there’s a predictable answer. Why would you go to the effort of building all of this when big providers have already done it? Why not use your OpEx budget to buy Security as a Service?
For some there are problems with compliance, data not being able to leave region or territory can make it difficult to find a provider who can accommodate all of your needs; if you’re big enough, you can generally find a provider who will put some effort into winning your business and investing in their infrastructure in order to accommodate you.
So, the big guys have it easy. If they want this, then they can get it but that also means that everything we have seen so far is all about providing Security as a Service for those that can pay a premium for it.
We are now left with those businesses with say, less than 350 employees, this includes everyone from sole traders up to that though. What should they do? Well that clearly varies with size so let’s pick a sweet spot and focus on a business with 150 employees. It’s a good size business, revenue is likely to be in the high millions at this point and you’d hope that net profit is good too as this is the bit we are going to start eating into when we look at new services.
I hear your groans, asking for money that comes out of profit at this size company is never easy and we’ve all been there before. Something has to give before you get increased budget so let’s have a think at what we are going to need.
Top of the list is a product or set of products to tell us when something bad is happening. At 150 licenses nobody is going to do us a good deal so let’s say we need 3 products to deploy to give us the ability to detect threats and breaches. Let’s now pick an average price for a product and settle on £75.00 per seat per year, that quickly becomes £225.00 per seat per year because we have 3 products remember. We also have 150 users so now we’re up to £45,000.00 just for the products and we aren’t being extravagant here.
Next, we need Security Analysts, not only are they not cheap but they are getting harder and harder to find. Again, let’s make some assumptions, a good Analyst is going to command a £50,000.00 salary, don’t forget NI to go with that and we are now at £56,900.00 and it’s fair to say we should add a bit more for all those costs of employing that nobody knows about until they employ staff, so we’ll call it a £60,000.00 salary. How many do we need though? At a very minimum it has to be 2 and this is the absolute minimum and won’t give us coverage or response outside of our normal working hours. If we want 24×7 we need to look at 6 Analysts but we’re trying to do this on cheap aren’t we and this means we stick with 2. So, we are at £120,000.00 for our Analysts, plus the products brings us to £165,000.00 per year and that’s a number that is going to keep rising, we also have to retain staff and with the cyber security recruitment market the way it is currently that’s never going to be easy.
It’s also not going to be that cheap either, there’s so much we haven’t included in our budget, training, monitoring software and associated consultancy etc. etc. We are also now committed to products, if they aren’t as good as we were led to believe then we are stuck with them, no chance of more budget so we now have increased costs associated with responding to threats and alerts. Our staff may now start to get a bit annoyed and look to see if the grass is greener elsewhere.
You start to see the bigger picture here, securing yourself against the ever-changing threat landscape is becoming harder and harder to do, it’s taking more and more tools and the talent pool we can choose from to “drive” our tools is effectively becoming smaller.
Providing effective Cyber Security in-house is fast becoming a unicorn.
The time has come not only for solutions providers to provide Security as a Service at a price that businesses can afford and not only that, it is time for them to become flexible. Rather than getting fat off the growing demand why don’t we all work towards a common goal, build services that are easy to consume and drive good Customer Service by making it easy for people to change provider.
Bad business model I hear you shout. You’d be right too but isn’t it more important to carry out your business with integrity and give customers the choice.
This thinking drove AVR International to partner with SentinelOne to launch Custodian360 last year to deliver a Managed Endpoint Protection platform to the masses. Custodian360 is aimed at the SMB market and businesses using this service no longer need to employ security analysts to manage systems and respond to alerts as our SOC team proactively monitor, analyse and respond to every alert we receive.