
Lean on me

“SMBs never seem to have opportunity, funding, margin, focus, bandwidth, or the supply of unicorns that other enterprises appear to have so readily available at their fingertips.” As a security and privacy advisor to many small and medium businesses (SMBs), Darrin Reynolds continually sees security teams struggling to keep pace with the business. Information security is more integral to business growth than ever, and robust, verifiable security can be a point of differentiation, especially in the SMB market where stiff competition from the Amazons and IBMs of the world abounds. For smaller organizations, security-as-a-service (SECaaS) can be a useful option, but many organizations don’t know how or when the time is right to make the move.

Smaller companies generally operate with more limited resources than larger companies, and most security teams (even larger ones) aren’t particularly well-resourced to begin with. SMB security teams operate with fewer staff who are each wearing multiple hats. More often than not, security staff at SMB companies end up playing a generalist role—because each individual has to know a little about a lot—and as a result, optimal security always feels like it’s just out of reach. There’s never enough time in the day/week/month to get one step ahead; without dedicated analysts and engineers or the most up-to-date products and processes, security staff paddle valiantly to keep their heads above water. When this is occurring at your organization, it’s time to consider partnering with a managed security service provider (MSSP). Though adding vendor evaluations to your list may sound like a daunting task when security is already running at 60 mph, the long-term implications of hiring a dedicated and skilled team are well worth it.

Sometimes in our lives we all have pain, we all have sorrow

“When is the right time,” asks Joshua Marpet, SVP of Compliance and Managed Services at CyberGRC, “to consider SECaaS?” Essentially, “when you are servicing customers who need security for their data, or you are handling sensitive data,” he answers. Because every company handles at least some sensitive data—be it employee PII, financial data, or customer data—when internal resources are limited, great gains can be achieved by contracting knowledgeable and proficient external staff and leveraging their managed, off-premises tools. SECaaS providers are offsite security specialists who can contribute to SMBs’ security success. These providers bring with them a broad base of expertise earned by working with a variety of organizations which all have distinct security needs and problems. In a sense, they’ve been there, done that when it comes to securing a client’s data and networks. Some organizations might argue that an outside provider doesn’t have the deep understanding of a business’s goals to adequately know where to focus, but the tradeoff is a more holistic view and, needless to say, the time to do it.

Says Reynolds, “SMBs always have 10 things to buy with $9.00, so tackling any type of project outside the core competency always feels like a dilemma or Hobson's choice.” Without the right resources, SMBs risk being unable to react to environmental changes or imminent threats, which leads to breaches, data loss, or non-compliance, or introduces unnecessary risk to the business. With SECaaS, Reynolds advises, “project undertakings are manageable and palatable.” Marpet adds that hiring a service provider helps security teams achieve goals and needs and “only pay for the portion they’re using!”

But if we are wise, we know that there’s always tomorrow

Of course, SMBs’ challenges aren’t limited to bodies and time in the day; budget is also a major concern, and so Marpet’s point is a poignant one. How does a security team make the argument for budget when it hasn’t been approved to hire even one additional internal staff member? It’s all about ROI. The most senior security staff in the organization needs to clearly demonstrate what can be gained (i.e., not what is at stake—that’s FUD and security should stay away from spreading FUD whenever possible) by adding SECaaS. The focus should be on growth, maturity, and capacity to quickly respond when an alert is triggered or an incident is declared.

I’ll be your friend; I’ll help you carry on

Certain junctures in the security lifecycle naturally lend themselves to opening up a conversation about hiring an MSSP, offers Reynolds. These windows of opportunity include:

  • Existing on-premises equipment needs upgrading or replacement;
  • New client demands exceed the company’s ability to support or meet client needs;
  • Funding for business growth is supplied by investors.

“Planning for that security,” says Marpet, “has to happen earlier,” but no CEO or CFO is going to start signing checks if conversations aren’t happening well ahead of time and if the money holders don’t understand the cost-benefit of using SECaaS.

Call on me, brother, when you need a hand

The move to cloud was an easy one for many business executives; security teams can piggyback on early cloud conversations (in reverse) about cost savings, uptime, and efficiency to promote security-as-a-service. The value proposition of SECaaS is strong, and taxed SMBs have a lot to gain by beginning a partnership. Don’t wait until you’re underwater, or worse, after your company has been a victim of an embarrassing or destructive cyber attack, to start thinking about enhancing security capabilities. Plan now (including an evaluation of providers), estimate and present a return on investment that the business can use, then use opportunities like those mentioned above to supplement security capabilities when all the stars align.