Catch Pekka Usva, VP, Corporate Security Business, F-Secure in a conversation with Sanchit Vir Gogia, Chief Analyst & Group CEO,Greyhound Research on Greyhound Research’s knowledge sharing series ONTrigger.
BTW, if you like what you read below, just click the twitter birdy (in text, in blue) to tweet 😉
Sanchit Vir Gogia: What I sometimes worry about is that lots of CIOs out there actually look at security only once in a year. You know you’ve installed a solution, the job’s done then you move on. Shouldn’t that change because you know you’re having attacks 24/7 nowadays? Shouldn’t that thinking evolve?
Pekka Usva: I think this is tricky because the threat landscape gets more and more complex and I would say even without the IT security, it is getting more complex with a new plethora of devices and what not. So the question that goes back to even the larger organization’s IT Head or the C-Level guy is whether we are able to deal with the IT management or IT security management or core pieces? And maybe that kind of explains what we see or are witnessing which is that the security as a service transformation goal continuing and I would say gaining speed. We see the managed service partners of different size, depending on the end customer are actually able to provide a better quality of service, better access to the service, better expertise when it comes to the security.
SVG: That’s a bold statement you said that managed security services and SaaS is actually better. Now I speak to a lot of CIOs again who are my customers, who are subscribers and you know they worry sometimes. As we speak to them, sometimes they tell us that they don’t pretty much agree on SaaS being better for them. When I say SaaS, I mean security as a service. What would be your perspective on that?
PU: I think at the end of the day the customer makes the decision as to which way he actually wants to buy, as a standout licence or software as a service. There’s no right or wrong answer in perspective. It’s how you want to consume the security but we see clearly that because things are getting more complex, they are getting more hectic, people and the companies are thinking, is this really part of our core or can somebody do it for us with a better ease or a better quality of service so we can focus and concentrate on what’s essential in our business. I think that’s a fair common sense, option wise that if somebody can make do with a better bang for the buck and you feel the quality of service is better, why you would then, not go that way. You can always go back and say that we need to go back and lets run up our own IT infrastructure and IT admin and IT security infrastructure but it’s not necessary anymore.
SVG: So you’re essentially saying Total Cost of Ownership (TCO) becomes important which means that business case becomes important all of a sudden, right?
PU: And you have to really put perspective over longer time period as you said it’s kind of a continuous strategy you have to be updating at all points and the service mind-set to me, at least more genuinely or more naturally or intuitively kind of brings in the fact that it’s an on-going process rather than something that gets reviewed, gets agreed on, gets invested on, acquired once for 36 months to go rather than on monthly subscription basis.
SVG: Are there specific use cases where security as a service, managed services fits better?
PU: Let’s put it this way that maybe where it doesn’t fit well is then of course the certain verticals where for example the legislation might give you some restrictions like how to run or how to have it on your side or at your site even and you have to have the expertise for it. I would say I don’t understand why it is any different from renting office space, electricity, water from the tap, magazines. It is the same type. You consume it as you go and you are free to choose and go to another vendor or go back to where you came from.
SVG: So you are saying it’s a mind-set change?
PU: I think it’s a bit of mind-set that from the CAPEX to OPEX, pay as you go. It’s always the right size, your business growing, you will be increasing your IT spending, you’ll have to decrease your business for a moment and it’s always the right size. You are free to leave next month if it doesn’t work for you.
SVG: That’s the big thing, right? Is it really that you can leave next month because we have seen the worst of the cloud contracts where you get in and getting out is another task in its own, really. Change management is so difficult.
PU: It is. But anyways, getting back to SaaS, of course it has per say nothing to do with cloud or cloud security. Basically it’s a business model change rather than a technology or product decision change and I think that is important to understand that it is and it should be in the business from the beginning rather than a technology or product choice.
SVG: I think you’ve made a very interesting point about the changing mind-set. It’s like we are now using ATMs. Now if a decade ago we were to use ATMs we really wouldn’t be secure because the mind-set would say, is my money really coming out or if I lose my money what happens? So I think you’re absolutely right. It’s a mind-set change but now shifting gears very quickly in the interest of time, we’re here in Asia and the typical nature of Asia is small and medium businesses, the mid-market is very huge.
Even other emerging markets like Middle East Africa and Latin America, the SME base really goes for the economy very well. Now, how do you think SMEs should look at security differently compared to large organisations because a lot of these organisations by the way are born in the cloud so the way they think of security, the way they consume the applications, probably there are organisations like ourselves who’ve got absolutely zero footprint of an on premise infrastructure. So how do you think that SMEs should actually approach security as a topic?
PU: If you kind of externalize security or think of it as a subject or concept then it’s getting to the wrong direction. I’m just thinking going back to the business continuity and again regardless of whether you are so much into cloud or not, if you think it from your business perspective then I think okay, how much it will take for me to get my business down for a day or two days or a week. Is it any more there after two weeks so then the security is suddenly again back into the core and you then think what the relevant means to implement the security are. So there are twists or flavours in the so called enterprise set up or so. But I think of course, the SMEs and the smaller ones while are more consumer bound in their thinking which is good I believe, also the bigger ones will be soon if not already today, find out that actually consumer create usability, ease of use, simplicity, is something they also should expect from the security and not the old way of building enterprise security, then try to heavily force it to scale down.
SVG: Absolutely. SMEs like us have no dedicated IT support. So for us ease of use and keeping it less complex is very important. So self-service, cloud delivered, pay as you go is absolutely fundamental for SMEs.