The economic downturn could give the software as a service (SaaS) model an edge over traditional security software provision, Webroot believes.

In Sydney this week to speak at Gartner’s IT Security Summit, Webroot CTO Gerhard Eschelbeck highlighted the difficulty of managing an evolving threat landscape amid staff shortages and tightening budgets.

While e-mail security has dominated the spotlight previously, Webroot research indicates that the Web has been a greater source of threats in recent times.

The research also found that more than half of Web security decision makers feel that keeping security products up-to-date is challenging, and almost 40 percent believe their companies devote insufficient resources to Web security.

“Nowadays, the threat landscape is changing in so far that the variants of malware is exploding compared to five years ago,” Eschelbeck said, noting that malware variants in circulation today are five times as numerous as those five years ago.

“It is clear that the traditional applications are reaching some of their physical limits,” he told iTnews.

Compared to traditional, on-premise security applications, Webroot’s SaaS offerings provide businesses with the ability to outsource the burden of security.

Companies’ e-mail and Web traffic is filtered through Webroot’s data centres in Australia to detect and remove any malware.

Webroot has invested approximately $1m in its Australian operations, including a newly-launched data centre in Sydney and eight support staff across Sydney and Melbourne.

According to Charles Heunemann, Webroot’s Managing Director of Asia Pacific Operations, the company has provisioned for ‘significant growth’ in the region.

The Sydney data centre currently is used to only a ‘single digit percentage’ of its capabilities, he said.

“What we’ve got is a situation where we’ve come from an early adaptor stage to a wider use of SaaS,” Heunemann said of the growing market for in-the-cloud security applications.

The rise of SaaS was said to be a result of economic pressure to deliver more value through IT and a trend towards outsourcing ‘non-core’ applications.

In the Asia-Pacific region, the market for SaaS is experiencing a Compound Annual Growth Rate (CAGR) of 44 percent, Heunemann said, compared to a CAGR of 13 percent for on-premise software.

Webroot estimates in-the-cloud security applications currently to have a market penetration of 8 percent in Australia, 4 percent in Asia and 25 percent in the U.K.

“The genesis of security technology tends to be in the U.K.,” Eschelbeck said, expecting Australian adoption to reach similar figures ‘before long’.

In terms of Eschelbeck’s research into the ‘Laws of Vulnerabilities’, the SaaS model could reduce the threat posed by current Web-based malware by narrowing organisations’ window of exposure.

“The Laws of Vulnerabilities is to do with how quickly organisations are patching their systems,” he explained. “There is a physical limit to how quickly companies can patch, so there is always a window of exposure of five to nine days.”

“The huge advantage that it [SaaS] brings is moving the responsibility [of patching] from the organisation to the provider,” he said.

Heunemann noted that through providing a specialised security service to multiple organisations, service providers such as Webroot also have access to economies of scale and greater visibility of the overall threat landscape.

Webroot also is able to provide its customers with some level of insurance, through guaranteeing a minimum malware capture and detection rate.

“Compared to the traditional model where you’re looking at deploying an on-site application to protect against malware, the SaaS model essentially is a pay-as-you-go option that scales very well linearly, as you grow,” Eschelbeck said.

“Typically, IT departments are not overstaffed -- I’ve never heard of overstaffing as an being an issue for these departments -- so the advantage [of SaaS] is taking the burden [of security] away from end users,” he said.