Art Gilliland on the need for security as a service

Our main Discover Performance site just wrapped up a two-part interview with HP Enterprise Security Products SVP Art Gilliland (which you’d know if you were signed up for our e-newsletter), and the new installment covers a lot of provocative thoughts, including the idea of protecting less data, better.

 

In the excerpt below, Gilliland discusses security as a service. As cloud and software as a service move into corporate IT departments, two security questions have been, first, how to secure those services, and second, whether it makes sense to buy security services from a cloud provider. HP jumped into that arena with Fortify on Demand, and here, Gilliland discusses why (and when) a SaaS model for security makes sense.

 

Q: We know that many enterprises, especially small ones, have come to rely on the as-a-service models. Is security as a service wise, and what’s the overall market outlook?

AG: It is wise, and here’s why: security as a service allows us to buy expertise that we could never afford or couldn’t find. If I’m a small company in rural Indiana, and I am going to compete against companies in other parts of the country for talent, I am going to have to hire and train security expertise in rural Indiana. Some of the best local candidates will drive to Chicago to earn the highest wage. Others will decide to work for the government, because they want the most interesting and complicated problems.

 

It is very difficult for that company in Indiana to maintain the level of skill they need over the long term. However, the as-a-service model can often deliver more evolved security capabilities and a higher level of process maturity than an individual company can afford on its own.

 

A specific example of this is HP’s Fortify on Demand solution for testing applications. Organizations care about application security, but often don’t have the resources and expertise to triage all of the information they get back about the vulnerabilities in their applications. Buying this expertise as a service is a great way to let your people focus on what they know how to do best, which is building the products and services your customers want.

 

Q: Is the market more of a one-service-at-a-time model, or are there companies that outsource the whole security function?

AG: I think you could do either. It really depends on your individual risk posture and where your company wants to focus its resources. Some of the largest organizations—the most secure organizations in the world—use outsourcing very effectively to augment their skills to deliver the capabilities they need.

 

For example, in the oil and gas industry it’s not uncommon to outsource IT completely, and security is often a part of that. They do this so they can focus on drilling, finding, producing, and refining oil, because that’s what they’re good at.

 

There isn’t one right answer, but for a lot of companies, outsourcing gives you access to better skills, better process.

 

Read Art Gilliland’s full take on the security landscape in 2014: part one covers why—and how—security leaders need to talk to the business, and part two looks at the pitfalls of perimeter defenses, how to focus on the user, and what you really need to protect.

 

--Brian McDonough, Discover Performance managing editor

Labels: Security Ops