What is Security as a Service?

/ Security
Last updated on April 15th, 2020

what is security as a service

Security as a service (SECaaS) is the outsourced management of business security to a third-party contractor. Now, whilst cyber-security on a subscription basis may seem odd to you. It’s really not too much different from paying for your anti-virus license. The difference is that SECaaS is the combination of a lot of security products wrapped up into one more central service.

The range of security services provided is vast and goes down to a granular level. Examples range from simple SPAM filtering for email, all the way through to cloud-hosted anti-virus, remote automated vulnerability scanning, managed backups, cloud-based DR and business continuity systems and cloud-based 2-factor authentication systems.

The services are either delivered directly from the vendor where the reseller takes a commission or they are delivered from specialist firms who have the in-house skills capable of building, integrating and managing specialist security services for their customers.

Just a note here: you may have heard of SaaS (software as a service). This is different to SECaaS.

1. Is SECaaS dangerous?

Putting your security in the hands of another business may seem like a big risk. And if done incorrectly, it’s almost guaranteed to have a less than ideal outcome. But businesses have had success with SECaaS and there’s no reason you can’t either.

The most likely cause for an issue is choosing a supplier based solely on price. A business offering SECaaS that’s been around for a few years and has a range of clients but charges £50 per user per month is going to be very different from the business that offers “cloud-based security” for £10.99 per user per month.

Do not instantly go for the cheapest option when considering SECaaS.

Sure, you might be paying nearly 5 times as much. But if your SECaaS provider has the lowest price on the market they’re skimping on something. And if there’s one thing you don’t want to skimp on, it’s your cyber-security.

2. What are the advantages of SECaaS?


Despite what was just said about avoiding cost-cutting when it comes to cyber-security, one of the main draws of SECaaS is the long term price savings it can have. Because you don’t actually own the infrastructure, you don’t need to pay for its floorspace or for its upkeep (prices which can fluctuate based on external factors). Instead, you only pay a flat rate that is unlikely to change.

Fully managed

Your provider is the person keeping up to date with the changing threat environment, not you. That means that you can focus more on your own business goals instead of diverting time towards understanding the various threats out there and ensuring that your defences deal with them.

Greater expertise

A good SECaaS provider is going to consist of people who know everything there is to know about cyber-security and regularly keep up with trends and changes in that area. As a result, they’ll have a much greater range of expertise which you can utilise to keep your business safe. This also lets you keep your core employee focus on your own sector rather than branching out and getting a dedicated cyber-security expert.

Frees up time from repetitive tasks

Time-consuming admin tasks that need to be done can be performed by your SECaaS provider instead. This can be things like reading system logs or monitoring the overall network status.

3. What are the disadvantages of SECaaS?

Reliant on SECaaS provider acting

This is the main reason that you should be choosing a high-end SECaaS provider.

Because SECaaS providers are the holders of a lot of data, they (and as an extension, you) become lucrative targets for cyber-criminals. If they are breached then you are breached so ensuring they have made big investments into their security is paramount.

To make sure that your chosen provider is continually investing in their security, be sure to keep in regular contact with them. Ask questions about what they are doing to address the latest types of exploit or flaw and dig deep into the specifics of what type of security they have in place on their own systems. Is it minimal or is it high-grade and comprehensive?

Whilst in the decision stage you should also be asking each provider exactly what kind of security they have in place or what is their policy is around topics like staff training. If they can’t prove that they are taking their own security seriously, you can bet that they won’t be taking yours seriously either.

Increases vulnerability to large scale attacks

The uniform security measures SECaaS providers have over multiple clients allow them to keep up a comprehensive level of security. But it also means that if a vulnerability is found for a business who use the same SECaaS provider as you, then that same vulnerability can be used against your security.

Because one vulnerability gives so many potential attacks for a hacker, probing the security of the SECaaS provider is much more rewarding for cyber-criminals, meaning they put in a more concerted effort towards breaching the SECaaS provider’s security. This can inadvertently make you a prime target for cyber-attacks.

Be aware though, as a business (even a 2-10 employee one) you’re already a prime target for cyber-attacks. And if done properly, the actual increased danger coming from choosing SECaaS can be made negligible compared to the increased overall security you would receive from a high-quality SECaaS provider.

3. Why is SECaaS being offered more often?

Security providers are becoming aware that with the rise of small businesses, there’s a growing market for security services that don’t need expensive internal employees or a risky infrastructure investments.

Many growing businesses also don’t have the up-front funds to develop a hardware heavy security system and find a monthly plan to be much more manageable for their finances. For example, implementation of two-factor authentication and disaster recovery may have cost £100K five years ago. With SECaaS, it can now be delivered on a £1,000 budget with no CapEx.

Because of the more flexible nature of SECaaS, many of the decisions that used to float around, carefully being avoided until it was to late, can now be addressed head-on. There is no longer the same level of risk anymore surrounding topics like setting up security infrastructure. Businesses can switch SECaaS providers so much easier and this ‘de-risking’ of cyber-security has made the SECaaS market ideal for businesses who want to avoid making a bad decision.

Finally, with the rise of the cloud and increased internet speeds. Services being offered over the internet have become on par with in-house solutions. This has meant that cyber-security being offered as a service is now very feasible and is genuinely useful.


So, you may now be asking yourself if you should consider SECaaS for your business. Unfortunately, there’s no comprehensive answer. If you aren’t happy with your current security and want to improve it without draining your budget then it’s likely worth looking into. But if you already have a fairly comprehensive security setup in place it may be better to ensure that it actually is as comprehensive as you think it to be and then just sticking with what you have, upgrading it and maintaining it as you already are. Alternatively, you could look into a UTM system for your business if you’re uncomfortable with SECaaS but want to make your security more comprehensive.

Click here to download your 3 essential templates for managing risk

/ Technical
How to create an email retention policy

Email retention policies are all about decreasing the risk to your company. But for a truly successful policy, you need to strike the balance between a retention period which is too long and keeps useless mail around and one which is too short and loses mail that was important. Your policy needs to take into […]

/ Technical
What is the difference between email archiving and email backup?

Corporate emails are important records of business decisions, communications and information; and, just like paper documents, you must secure and store them properly. This is where an email archiving solution can assist, but many companies may believe they already store records correctly – by backing up their mailboxes on a regular basis. There is often […]

/ Strategy
The Optimisation Contradiction: One key thing manufacturers forget when optimising their factory

It is well known that inefficient operations reduce margins and weaken your competitive position in the global market. It is also well known that manufacturers are famous for their dedication to cutting out inefficiencies wherever they can in their operations. But whilst the shop floor has received the benefits of technologies such as robotics, softer […]