Having the clear results of a neutral RFP grading process "helped convey the value and strengths of the outsource vendor," in this case Veracode, Munsterman says. "We included them in the consideration only to be thorough, with no expectation that an outsource option would win us over. It did."
Gaining acceptance of the cloud-based offering began with "solid contract language" and ended with forming a strong partnership, Munsterman says. "Knowing the people providing the service made everyone more comfortable," he says. "There was a lot of work done by our internal champions to convince folks to give the chosen route a chance. Those most fervently opposed were won over after the first year's performance. Results are hard to deny."
Those results included the speed and thoroughness with which the company was able to roll out its application security program. "Our champions were internal folks who worked with all the parties the program touched, to provide hands-on training and to handle feedback quickly and fairly," Munsterman says. "Within the development teams a few security-minded leaders stepped forward to help us present the program and position the partnership between development and security, rather than allow it to appear as a security mandate."
Getting people to buy in on the concept of security-as-a-service is not the only challenge.
"The potential for data breach can be the most ominous potential downfall of using an external service, since it centralizes security data," Gartner's Pingree says. Cloud customers remain concerned about security-related data being hosted in cloud service environments, he says.
"Encryption is essential for storage of data externally from an organization, and in order to protect your data," Pingree says. "Ideally, the keys used to encrypt must be owned and controlled by the organization and not accessible by the cloud provider's employees."
In addition, Pingree says, the centralization of critical services into clouds increases the risk that a single outage can have more dramatic cascading effects across customers and cause damage.
If your cloud vendor goes down, "you too end up down," Pingree says. "Some providers may have planned properly to avoid outages and data breaches, others may not. Customers need to be cautious [that] they are selecting a security service provider that protects itself properly."
Organizations concerned with cloud outages "should ask how a provider is able to provide system continuity as part of their contracted services and consider a backup cloud provider that they can use as a hot-standby in the event of outage," Pingree says.
While the likelihood of a service outage is relatively low because service providers have provisions in place to prevent that, Sirva's Diab says, there is a small risk that a critical business application such as email could be lost for an extended period of time. "It has become a matter of managing risk vs. reward," he says.