Automating Security AssessmentsBy Michael Vizard | Posted 2009-04-30 Email Print
Enterprises to small businesses are trying to get a better understanding of their security posture. That means solution providers have an opportunity to perform security assessments. Service provider Qualys may have the model to follow.
One of things that most solution providers routinely offer potential new customers is a security assessment. The basic idea is that it’s a great way to get your foot in the door so you can discover what the customer actually needs versus just blindly trying to sell products. And best of all, after the assessment the solution provider usually has some hard data in hand to help make the case for the product sale.
The only problem with security assessments is that they are time consuming in that the solution provider has to dedicate a person to perform the assessment. The assumption is that the solution provider will more than make up the time and labor put into the assessment once the sale is made.
But what if the whole assessment process could be automated? That’s the thinking behind a new appliance that is linked back to a service run by a company called Qualys. The idea is that appliance has enough local intelligence to scan the customer’s IT environment. Once that data is captured, it’s compared against the database of security best practices that Qualys has essentially turned into a policy management service.
On an ongoing basis, customers can use the Qualys service to help enforce policies by using the appliance to constantly audit the IT environment for misconfigured systems outright policy violations.
For solution providers, the Qualys approach offers an opportunity to take the cost out of security assessments in a way that could drop a lot of extra profit to the bottom line. The Qualys offering also makes it a lot easier to develop a security practice because a lot of the specialized knowledge required to get started is now essentially available as a service.
Longer term, as security continues to be a core concern associated with every IT project, every solution provider is going to have to establish some core competency in security. That ultimately may lead to the end of the security specialist as a distinct type of solution provider given the fact that everybody in the channel needs to be able to handle their customer’s security issues. Whatever happens, it’s pretty clear that a new wave of automation is coming to security in response to customer demands for a more cost-effective approach to managing security.
The only real question is just how quickly will the channel adapt to these rapidly changing circumstances?