I was in an interview the other day for a position that our company was hiring for on another team but who I would be interacting with on a semi-regular basis. When it got to the point in the interview where I let the candidate ask me questions, they asked me if it was necessary to be deeply passionate about cloud security or security-as-a-service to be happy and successful at work. I immediately smiled, just as I smile every day at work. I answered that I didn't think there were many people who were standing at career day when they were little saying they wanted to grow up and work in cloud security (hell, the cloud wasn't even invented yet and you connected to the internet through phone lines that sounded like robots dying in the night). And I said that for most people there are many technical aspects of the industry that will be boring, dry, and never incite the levels of passion that you'd hope you would experience in your dream job. However, despite those things I conveyed that I was extremely passionate about my job and more importantly, each and every day I get to smile at work. And no it is not just because my team is awesome and the culture makes it enjoyable to come to work; I'll talk more about why organizational culture is indispensable to a company's success in other posts on this blog. But, I smile each and every day at work because I work for a cloud security-as-a-service company and the industry, even though I'm not enthralled by every problem it presents (I'm enthralled by many of them), itself gives me something to smile about . That interview question led me to reflect on exactly what it was about my industry in 2019 that makes me smile and keeps me passionate about my work, even if the work can be technical, hard, and boring at times.
Before we dive into that reflection, I wanted to pause and define security-as-a-service for those playing at home that may not be aware: Security as a service is a business model in which a service provider integrates their security services into a corporate infrastructure on a subscription basis more cost effectively than most individuals or corporations can provide on their own, when total cost of ownership is considered (people, tools, process, regulatory issues, etc.). We'll get back to this definition more later but for now back to the post.
The first thing that makes me smile about the cybersecurity industry as a whole and almost every segment of cybersecurity, including Armor's security-as-a-service segment, is the growth happening in the industry and the ever-evolving market landscape and technological approaches to solving the problems our world faces when it comes to keeping applications and data safe in the cloud. Just take a look at the cybersecurity market landscape according to Momentum.
Each of the smaller boxes in this market landscape represents a unique approach to securing and protecting a piece or pieces of the digital landscape and fabric that underpins so much of modern day society. And within each category, each vendor has their own competitive way of solving the problems associated with the area they're tackling. And the problems each of these companies has to tackle, changes every year or two as the evolutionary forces of cloud computing and economies of scale wreak havoc on legacy business models within these industries. All of this means that the cyber landscape is an opportunity gold mine both in its sheer breadth and in the ability for companies to introduce innovative and new technologies. As Gartner said in its latest Forecast: Information Security and Risk Management Worldwide the diversity of these approaches is leading to unprecedented growth in the industry in the global markets, "End-user spending for the information security and risk management market is estimated to grow at a compound annual growth rate of 9.1% from 2017 through 2022 to reach $175.5 billion in constant currency." And it is that opportunity within the industry that makes me smile when I think about my life working at a security-as-a-service company.
In addition to the sheer size of the industry and the multitude of approaches presented by the technologies in the security landscape, I smile because I get to help my team solve problems that real businesses feel the impact of day in, day out. 4 out of 5 businesses expect to fall victim to a cybersecurity attack next year and the average cost of a cybersecurity breach to a business in the US is $7.35 million. Regardless of how businesses decide to approach solving the challenges of the cybersecurity landscape today, they all continue to face a few foundational problems across the industry.
- Businesses are resource constrained - Palo Alto Networks was able to quantify this cybersecurity resource gap when they wrote, "“More than half (51%) of organizations face a cybersecurity skills shortage, and the demand has reached a fever pitch. Globally, the projected demand will increase exponentially, with 3.5 million cybersecurity jobs needing to be filled by 2021.” And even if they do have a team, those team members aren't always pure security professionals and have additional responsibilities, according to TechRepublic. “Additionally, less than half of organizations (45%) have a security team solely dedicated to cloud functions, some 35% of organizations actually turn to either DevOps or DevSecOps teams for security, said the report.”
- Security stacks are bloated and the industry is experiencing tool fatigue - CSO Online gives insight into security tool fatigue when they write, "When it comes to layered defense and security tools, less is often more just as more can sometimes be less. The average enterprise uses 75 security products to secure their network. That's a lot of noise and a lot of monitoring and testing for security practitioners.”
- Alert fatigue is hurting ability to act on real issues - Skyhigh Networks writes on the problem of alert fatigue, “40.4% of IT professionals claim that the alerts they receive lack actionable insight they need to investigate, while 27.7% of respondents stated they experience incidents which don’t generate alerts at all. Alarmingly, 31.9% said they ignore alerts due to the high frequency of false positives. The cloud further exacerbates the situation. The average enterprise generates 2 billion cloud-related events a month, which could result in many unnecessary alerts.”
As you can see, cybersecurity and the ability to combat it is a real issue within the industry currently. The financial and reputation impacts to an organization and its brand are serious if an organization does get breached, and even if it does implement a cybersecurity solution, the industry often creates more problems of its own such as talent shortages, alert and tool fatigue, and an inability to analyze how to truly prioritize your efforts for most impact. All of this makes me smile because not only does my work get to solve real problems for businesses but it gets to course correct places where the industry has strayed over the years through the application of the software-as-a-service (SaaS) business model to the security industry. As we learned earlier in the definition of the term, one of the many advantages SaaS provides the security industry is a single subscription point for all the tools, people, and processes that a business would usually have to build out in a piecemeal nature themselves (the portfolio of 75 tools, a security team that may or may not be dedicated, rule prioritization so you can focus on the right alerts, etc.). This leads to huge Return on Investment for businesses that have adopted using a security-as-a-service provider to plug gaps in their cybersecurity teams and infrastructure. Forrester reported that Armor, in particular, resulted in a 286% ROI for its clients. Therefore, I smile each day at work because we're helping businesses protect their consumers data, their organization's financial stability, and because we are able to simplify the security for our clients to abstract all the hard parts of dealing with security into an easy to use platform for their consumption.
Beyond the amazing financial analysis above, I'll end this post with one last shameless plug for my company, Armor, and why businesses around the world turn to us for their security-as-a-service. Security-as-a-service involves organizations leveraging Armor Anywhere to monitor the security of their infrastructure, whether that be in the public cloud, on-prem, a private cloud, or somewhere in between with a hybrid infrastructure. Whether it is the need for log management, threat detection, security controls and tools (IDS, malware protection, vulnerability scanning, etc.), or compliance, many are choosing to outsource versus building the capability internally. Additionally, they can get all of these from Armor Anywhere in a low-cost, monthly software subscription. Cost savings and overcoming staffing and skills gaps are motivating factors for outsourcing day-to-day security functions. “Factors driving adoption for managed security services, a few were already explained in my first prediction, include the growing complexity of enterprise IT infrastructure, IoT, cloud and multi-cloud, the shortage of security talent, continuously evolving cyberthreats, and the opex benefit.”
Armor Anywhere’s Security-as-a-Service Solution provides clients with:
· Vulnerability Scanning
· Threat Detection and Response
· Log Management and Monitoring
· Malware Protection
· Intrusion Detection
· 24/7/365 SOC Services
· Audit-ready Compliance
· …and much more
Comment below about what you think of the cloud security and security-as-a-service markets. What makes you smile about your job and how do you remain passionate about your industry?