Security operations is changing, driven by a wave of diverse data types, analytics tools, and new operational requirements. These changes are initiating an evolution from monolithic security technologies to a more comprehensive event-driven software architecture (along the lines of SOA 2.0) where disparate security technologies connect via enterprise-class middleware for things like data exchange, message queueing, and risk-driven trigger conditions. ESG refers to this as a Security Operations and Analytics platform architecture or SOAPA.
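To make the architecture sketched above concrete, here is a small added example (not ESG's code and not any vendor's product) of the event-driven pattern it describes: independent security tools publish events onto a shared message queue, a correlation consumer keeps a per-host risk score, and a risk-driven trigger fires a response action once a threshold is crossed. The tool names, event kinds, weights, threshold and sample events are all constructed for illustration.

```python
"""Minimal event-driven security operations pipeline (illustrative, constructed).

Models the SOAPA-style architecture: producers (EDR, proxy, threat intel) are
decoupled from consumers by a message queue; a correlator consumes events and
applies a risk-driven trigger condition that calls a remediation hook.
"""
from collections import defaultdict
from dataclasses import dataclass
from queue import Queue
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class SecurityEvent:
    source: str   # producing tool, e.g. "edr", "proxy", "ti" (constructed names)
    host: str     # asset the event is about
    kind: str     # normalized event type used for scoring
    detail: str   # free-text context from the producing tool


# Constructed weights: how much each event kind contributes to a host's risk.
RISK_WEIGHTS = {
    "ti_match": 40,            # matched a threat-intel indicator
    "suspicious_process": 30,  # EDR flagged an unusual process
    "beaconing": 30,           # proxy saw periodic outbound connections
    "failed_login": 5,         # low-signal on its own
}
RISK_THRESHOLD = 70            # constructed trigger condition


class EventBus:
    """Queue-backed bus: producers publish, subscribers are dispatched on drain()."""

    def __init__(self) -> None:
        self._queue: "Queue[SecurityEvent]" = Queue()
        self._subscribers: List[Callable[[SecurityEvent], None]] = []

    def publish(self, event: SecurityEvent) -> None:
        self._queue.put(event)

    def subscribe(self, handler: Callable[[SecurityEvent], None]) -> None:
        self._subscribers.append(handler)

    def drain(self) -> None:
        # Deliver every queued event, in order, to every subscriber.
        while not self._queue.empty():
            event = self._queue.get()
            for handler in self._subscribers:
                handler(event)


class RiskCorrelator:
    """Accumulates per-host risk and fires the trigger once per host."""

    def __init__(self, on_trigger: Callable[[str, int], None]) -> None:
        self.scores: Dict[str, int] = defaultdict(int)
        self.triggered: set = set()
        self._on_trigger = on_trigger

    def handle(self, event: SecurityEvent) -> None:
        self.scores[event.host] += RISK_WEIGHTS.get(event.kind, 0)
        score = self.scores[event.host]
        # Risk-driven trigger: act when the threshold is first crossed, not on
        # every subsequent event for an already-escalated host.
        if score >= RISK_THRESHOLD and event.host not in self.triggered:
            self.triggered.add(event.host)
            self._on_trigger(event.host, score)


def run_pipeline(events: List[SecurityEvent]) -> Tuple[Dict[str, int], List[str]]:
    """Publish the events, drain the bus, and return (scores, actions taken)."""
    actions: List[str] = []
    bus = EventBus()
    correlator = RiskCorrelator(
        lambda host, score: actions.append(f"isolate {host} (score {score})")
    )
    bus.subscribe(correlator.handle)
    for event in events:
        bus.publish(event)
    bus.drain()
    return dict(correlator.scores), actions


# Constructed sample events from three different tools.
SAMPLE_EVENTS = [
    SecurityEvent("ti", "host-a", "ti_match", "outbound DNS for a listed domain"),
    SecurityEvent("edr", "host-b", "failed_login", "bad password for svc account"),
    SecurityEvent("edr", "host-a", "suspicious_process", "office app spawned shell"),
    SecurityEvent("proxy", "host-a", "beaconing", "60s interval to one external IP"),
    SecurityEvent("edr", "host-b", "failed_login", "bad password for svc account"),
]

if __name__ == "__main__":
    scores, actions = run_pipeline(SAMPLE_EVENTS)
    print(scores)
    print(actions)
```

Running it, host-a crosses the threshold on its second event and is isolated exactly once even though a third event raises its score further; host-b never reaches the threshold. The queue is what lets producers and the correlator evolve independently, which is the integration property the architecture above is after.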
When speaking or writing about SOAPA, I often compare this evolution to an analogous IT trend in the 1990s. Way back then, large organizations abandoned standalone departmental applications in favor of a more integrated software architecture, ERP. This transition resulted in a new generation of business applications acting as a foundation for greater automation, efficiency, and profitability.
I got to thinking about the rise of ERP and remembered one other detail. While BAAN, Oracle, and SAP did quite well selling ERP software, the big winners were service providers like Andersen Consulting (Accenture), E&Y, and PWC. Firms like these added a tremendous amount of value throughout ERP projects with assessment, planning, business process reengineering, training, deployment, and integration services throughout the 1990s.
I believe we are about to see a similar cybersecurity services boom around SOAPA. I anticipate large services opportunities in comparable areas like:
- SOAPA assessment services. Before purchasing software and pulling wires, CISOs will want to identify their biggest security operations challenges, evaluate their security operations skills, and figure out where to begin SOAPA projects. Service firms will become specialists here.
- Security process reengineering. SOAPA can unleash a new era of security automation and orchestration but only if CISOs understand what they should automate and orchestrate. The dirty little secret in cybersecurity is that many organizations have no idea how to start these processes. Armed with their experiences with leading edge organizations, service providers can package their knowledge and help organizations figure out how to bolster security efficacy, operational efficiency, and staff productivity through modern SOAPA-enabled processes.
- SOAPA training. SOAPA is designed to collect, process, analyze, and act on a growing avalanche of security events and threat intelligence. Of course, this assumes that organizations actually know what they want to do with this data. In truth, many organizations have only a vague idea about what the data is telling them and how to use it. Take threat intelligence, for example. Many organizations use threat intelligence to harvest IoCs, and never take the next step to monitor threat actors, track their tactics, techniques, and procedures (TTPs), and use this intelligence to communicate and mitigate business risk. Once SOAPA takes hold, many of the technical barriers disappear, opening a huge market for advanced security operations and analytics training.
- SOAPA project management. Enterprise SOAPA won’t happen overnight; rather, it will take several years to integrate today’s tactical point tools into an end-to-end event-driven architecture. CISOs will need help creating phased SOAPA projects that continue to add value over time as more technologies are glued together.
- SOAPA deployment services. At the end of the day, someone will make money on implementing software and pulling wires. Leading service providers will add value by customizing software, orchestrating processes, and automating remediation tasks.
- SOAPA managed services. As an architecture, some SOAPA functions like EDR, log management, or SIEM may be SaaS-based but still be part of an overall architecture. This opens the SOAPA market to MSSPs, provided they build their services for integration. It’s also likely that massive amounts of historical SOAPA data will find their way to the cloud for retrospective analytics or simple spinning-disk storage services.
While SOAPA will make cybersecurity staff more productive over the long term, new security analytics and operations needs will also increase demand for skilled cybersecurity professionals. Given the global cybersecurity skills shortage, however, many CISOs will turn to their friendly neighborhood services firm to rent bodies for staff augmentation.
Which vendors stand to capitalize on the SOAPA services opportunities? The old ERP crowd (i.e., Accenture, E&Y, PWC, etc.) should do well again, but traditional government integrators like BAE Systems, Boeing, Booz Allen Hamilton, Lockheed, and Raytheon could also leverage their intelligence/law enforcement/military experience to make a private sector play. Large IT and security service specialists like Cisco, HP, IBM, RSA (Dell), Symantec, and Unisys are also well positioned.
SOAPA services won’t be as big as ERP, but smart, focused services firms should find ample opportunities over the next 3 years. Don’t be surprised if one or several service providers soon market themselves as SOAPA specialists.