
Why can’t security have SLAs?

Ryan Francis | June 6, 2017
Sure, 100 percent uptime is a pipe dream, but some vendors believe it is unrealistic to even place parameters on security.


You always hear about the five-nines: the typical amount of time laid out in a service-level agreement that a network should be online. Can that same premise pertain to security?

Vendors said no.

"It would be extremely difficult to set specific service levels relating to security. I can't think of the parameters that you would apply," said Danny Allan, vice president of Cloud & Alliance Strategy at Veeam.

Despite that sentiment, let's play a game of what-if. What if a parameter could be placed on a third party for security? What would it look like?

What's the issue, first of all? According to a Veeam-sponsored report written by Enterprise Strategy Group, four out of five organisations recognise that they have an "Availability Gap." In this year's research, 82 percent of respondents recognised the inadequacies of their recovery capabilities when compared with SLA expectations of their business units.

If a network were to go down for security issues, the report showed that the average financial cost of availability to an enterprise is $21.8 million. Almost two-thirds of respondents said digital transformation initiatives are being held back by unplanned downtime.

Jason Buffington, principal analyst for data protection at the Enterprise Strategy Group, said even large, international enterprises continue to struggle with fundamental backup/recovery capabilities, which, along with affecting productivity and profitability, are also hindering strategic initiatives like Digital Transformation. "In considering the startling Availability and Protection gaps that are prevalent today, IT is failing to meet the needs of their business units, which should gravely concern IT leaders and those who answer to the Board."

The report goes on to say that six out of seven organisations lack a high level of confidence in their ability to reliably protect/recover data within their virtual environments. Seventy-two percent of respondents this year are unable to protect their data frequently enough to ensure that their business units' expectations against data loss are met.

Peter McKay, President and COO of Veeam Software, said, "Our report states such ubiquitous access is merely a pipe dream for many organisations, suggesting new questions need to be asked of transformation plans and a different conversation started about existing infrastructure. Enterprises are facing a major crisis from competitors that are able to offer this uptime and combine that with user experience."

So with that picture set, what could a security SLA do?

Alton Kizziah, vice president, global managed services, Kudelski Security, admits there is no 100 percent effective security control, process or technology. "Even air-gapped systems have recently been shown vulnerable to certain types of attacks. As such, it's impossible and disingenuous for an MSSP to guarantee 100 percent security. Whether in a SLA, or marketing material, it just isn't a good practice to believe that security measures are infallible," he said.

