By Serigo Galindo, General Manager at GFI Software

CIOs have good reason to be worried about the damage associated with a lack of information security. With high-profile cyber attacks and data breaches being reported on an almost daily basis, security is a necessity rather than an option these days.

With such high demand for security protection, the market is saturated with IT solutions and services. Implementing a bespoke security system is a luxury that many SMBs cannot afford, partly due to limited resources but also due to limited expertise and experience.

As such, we have seen a rise in specialist firms and independent consultants offering Security as a Service. Although many of these offers may be tempting, SMBs should think carefully before deciding which option is best suited to their business needs, keeping in mind not only today’s climate but also scalability for future needs.

First, there are no quick fixes or easy ways out here. Security is a mindset, a way of life, and must be pervasive throughout all information systems, from log-ons and drive encryption to application hardening, remote access and more. If a company is looking to ensure its information technology infrastructure is secure, it needs to make sure that the consultant or firm it chooses has practical experience with all of its systems. Two companies with the same number of employees, the same annual revenues, and the same number of systems will not have the same needs.

Security is best when it is layered, and security assessments have to peel back the layers to truly understand what is going on. A company won’t know what to expect at the fourth layer until the assessment has reached the third, so it has to plan for that uncertainty when working out what the engagement will cost.

Consultants may choose to showcase their expertise to meet this rising demand, and although they may be relatively new to working for themselves, they should have years of industry experience working for companies as security experts in order to be truly qualified to help their clients meet those needs.

As the person doing the hiring, it is imperative to ask questions, look at resumes, and be sure that the professionals providing the services truly are qualified. There are lots of security certifications on the market, and many are truly challenging to obtain and maintain, but just because someone can pass a test doesn’t mean they are a security expert. It is important to ask for references from previous customers or co-workers, and to take the time to check those references before selecting a provider. Unless a company truly is the provider’s first customer, the provider should have previous customers willing to take a few minutes to talk about their experiences.

Security assessments, vulnerability scanning, penetration testing, system hardening: these are perpetual needs of any information technology infrastructure. It is important not to look at a security assessment engagement as a one-time thing. In between those annual full checkups, it is worth considering a monthly vulnerability assessment just to help make sure patching and system configurations are up to date.

Companies could contract with a Security as a Service provider for regular security services, or they could have the provider help their own IT team deploy in-house systems for vulnerability assessment and patch management. If the in-house IT team has the capacity to take on the additional work needed for security, it needs the right tools and training.

Companies should get an annual audit to be sure and, again, consider an external monthly vulnerability scan to make sure nothing was missed. But if one individual is the IT team, he or she probably already works 25 hours a day, and may need to rely upon the pros going forward. Companies should do what makes sense for their business and budget, but remember that a single security incident can put a company out of business, so this shouldn’t be left to chance!

Information security is critical for any business with any IT at all, even if the entire business is run from a phone. For any business with any presence online, ensuring systems are secure and remain so is critical to ensuring it stays in business. There will be many independent consultants and security firms offering to help companies do just that, for the right price of course. If companies can ensure they get the right service for their needs, that is going to help keep their business going strong, staying secure, and remaining trusted by customers. ‘SaaS’ can help.