Taking The Pragmatic Approach to Compliance-Related Security for SaaS Providers – Pt. 1

Scott DeGuilo | Security

You probably know this even if you have never vocalized it: cyber threats to businesses and individuals will continue to evolve and adapt to whatever defensive measures we employ, and therefore there is no achievable end-game for your security and compliance program. For large businesses with mature security and IT departments, the allocation of funds and time to protect their resources is a given. For small to medium businesses (SMBs) it's just not as simple. When SMBs try to address their security and compliance needs, they are often diverting much-needed resources from their core business objectives. That is a risk not only to their business goals; it also raises questions about their ability to manage ALL aspects of their security and compliance obligations. Some SMBs will manage these efforts better than others, but they should also take time to consider the value of developing an in-house practice versus leveraging a service provider who already has a mature offering. The recommended scorecard for such a comparison is to measure the amount of coverage combined with the level of maturity on a 10-point scale, divided by the dollars invested. There is usually a direct relationship between the dollars invested and the level of maturity, so the net result leans heavily in favor of managed service providers. This is augmented when you add in the value of the time you would spend building your security and compliance practices versus spending that time focused on your core business. SMBs should take care not to underestimate the cost of lost opportunities when developing their own in-house security and compliance programs.

Sometimes SMBs struggle to delineate the value of a managed service provider, so here are some considerations for how to explain the value proposition. Firstly, subject matter expertise is a combination of rudimentary book knowledge and real-life experience. While SMBs may provide training to the staff responsible for their security and compliance practice, there is usually a lack of the real-life experience needed to make that knowledge valuable. Consequently, when a real crisis occurs the staff are often unprepared to put their book knowledge into practice. Secondly, SMBs should compare the value of having their staff working on tasks related to building their business against the value of the time spent learning and practicing security and compliance skills. If there is more value in having the staff work on making the business better, that's a clear indication that a managed service provider is justified. Lastly, the costs related to managed services are often treated unfairly because they are usually viewed as a net new cost. Instead, the SMB should list the costs of the in-house staff's time and effort spent on security and compliance, then list the lost-opportunity costs of the same staff not working on business-building tasks, and finally list the revenue at risk when a breach occurs; the total of those costs is what should be compared to the managed service provider's fees. The value of a managed security service provider is very subtle, because when it's working well there's not a lot of background noise; however, the value of a service provider can be seen when the service adds to the business's viability through security and compliance credentials. In the next post we will explore how a managed security service provider can help build business value for downstream customers.

Scott DeGuilo
Scott DeGuilo is a seasoned IT leader who brings 22 years of experience together to help his business partners achieve the outcomes they desire. Having served international firms in a variety of industries, he has gained a broad perspective on what IT should really do for business. Technology Enablement is his key philosophy for making IT work for business, and because of this he has been drawn into business operations initiatives where his expertise in business process management and compliance has helped his constituents thrive and grow.