Why Cybersecurity as a Service Is a Sustainable Approach to Security

Every year, organizations seem to spend more on cybersecurity to fight the latest threats, only to face a new set of threats the following year. It’s a never-ending cycle as hackers adapt their tactics, including finding ways to circumvent whichever security solution an organization has just deployed. It’s easy to see why this approach is unsustainable. 

The reality is that cybersecurity isn’t static. Organizations are fighting intelligent adversaries who constantly move the target. Combating that becomes frustrating and expensive. What’s more, it never ends — organizations simply get better at dealing with it. 

That’s why it’s essential to invest in tools and processes that are appropriate and scalable — that can do more than just address an immediate need. One way to achieve this scalability is to employ Cybersecurity as a Service. CaaS includes managed detection and response (MDR) services, which combine human expertise and sophisticated security tools to provide ongoing monitoring and threat-hunting capabilities. CaaS also includes cloud-based security tools, which can be managed in-house or outsourced to a partner.

Here’s how an organization might think about CaaS as a way to achieve a scalable, adaptable defense.

Organizations often base security strategies on the tools they’ve acquired. Someone learns about a new solution and convinces leaders to invest in it; then, these leaders realize that the tool is difficult to manage or the organization lacks the staff to manage it effectively. This dynamic contributes to the cycle of making ongoing investments that don’t achieve the desired results.  

The cybersecurity conversation should start not with the technology but with the threats the organization is concerned about. For many, that’s ransomware. Others may view insider threats as the biggest worry. The conversation should also include the outcomes the organization wants to avoid, such as business downtime in the wake of a breach. The best strategy is to map out risk tolerance and business objectives and determine the technology investments that best align with these factors.

Much of this conversation comes back to organizational risk management. Organizations have a certain amount of risk they’re willing to accept, and they manage with that in mind. That might mean adjusting their tolerance to risk, or it could mean investing more heavily in security solutions or services.

From an execution standpoint, once an organization has determined its risk tolerance, the next step should be to figure out how to manage risk. Which capabilities and skill sets does the organization already have? Which IT investments are required? What external investments, such as MDR, might be appropriate? How much should the organization invest in cyber liability insurance? These questions can help the organization determine if CaaS is a sensible investment.

Many organizations conclude that it makes sense to outsource security to a partner with the expertise and the ability to adapt, just as attackers do. This strategy can be more cost-effective in the long run than piling on internal defenses. After all, organizations don’t pay MDR providers more for them to track the next emerging threat. Their job is to continue scaling and adapting as threats change. This alone is a significant part of the business case for outsourcing through CaaS.

There is value, of course, in having an internal security capability — people who know and understand your environment. That’s why CaaS often combines in-house and outsourced capabilities. Just as many organizations that hire an outside marketing agency will still maintain their own marketing team, the same holds for security. The best outcomes often arise when an external partner can augment what an internal team does on its own.

In the future, I believe CaaS is the model that more organizations will rely on, simply because it stops the cycle of investing for the latest threat, only to find a new threat pop up tomorrow. CaaS is scalable and adaptable — precisely what organizations need to chase that moving target.

Story by Eric Kokonas, the global head of analyst relations at Sophos.