When do managed security services make sense?
FYI, this story is more than a year old
Yahoo is the latest company to confirm that it has suffered a massive data breach, with reports citing circa 500 million records leaked. It’s an unfortunate reality that service providers such as Yahoo will always be a high-value target. This breach will cause concern at board level with Yahoo currently going through a M&A process. It will add complications and considerable delay to integration between Yahoo and Verizon’s infrastructures and ultimately affect operational capability.
This only highlights that managing cyber threats and aligning all key stakeholders must be at the top of every board’s agenda.
Certainly in our discussions with enterprise clients almost everyone agrees that cybersecurity is now a strategic business issue. It is no longer restricted to standard ICT domains and thinking about security as purely an IT issue is no longer acceptable as technology pervades business operating models.
However, despite continued large scale breaches and increased awareness, it seems many organisations are still struggling to achieve and maintain adequate security. A question I often hear from business stakeholders is, “we know we need to act—but don’t know where to start.”
Some of New Zealand’s biggest organisations are increasingly employing CISOs tasked to manage security issues for the enterprise, but what about the others?
The problem of bridging the IT security gap is particularly acute for medium-sized organisations which struggle to justify having dedicated internal people focussed on security. Thinking about different operating models such as procuring Security-as-a-Service may be one way to bridge the gap. More commonly known as Managed Security Services Providers and Security Operations Centres (MSSPs or SOCs), these suppliers can manage specific security initiatives, or in some cases, an organisation’s entire security programme.
In New Zealand we have a relatively immature cybersecurity industry where the providers of cyber security services are primarily ICT firms augmented by a handful of smaller specialist advisory companies and a scattering of expertise found in consulting firms. The main service players are the scale providers of outsourced ICT capability to the government and large enterprise sectors. These include Spark, IBM, Datacom, Dimension Data and Vodafone.
In larger organisations and markets, MSSPs and SOCs commonly take on the burden of monitoring organisation’s security systems for events that are relevant. These providers are not all created equal. However, an effective security service provider can provide customer organisations with efficient 24x7 access to operational security skills that the organisations would find it difficult to justify retaining in their own right. Mid-size organisations, in particular, stand to benefit from quality MSSP offerings.
The outsourcing of IT security must involve an in-depth discovery process. Organisations need to understand the risk profile associated with their operating model and be able to quantify their exposure in order to make sensible decisions on scope and cost of any potential service. It is not a decision to be solely based on price and cost. It is no different than procuring any other high-value as-a-Service capability. Due diligence is vital to getting the right provider and the right shaped service. There’s no one-size-fits-all.
A MSSP or SOC provider is not a complete answer to cyber security. There’s still the HR, reputational and legal aspects to consider. Organisations also still need to understand what their provider is doing, how effective they are and if anything changes. Even though IT security is consumed as a service, that doesn’t mean MSSPs are responsible for risk. If the vendor doesn’t do a good job it is still a customer’s business that suffers.
With the complex, data-rich, technology-enabled environments organisations increasingly run today, there is real exposure to the kind of breach that resulted in Yahoo’s customer data making its way onto the dark web. As we continue to add more technologies to our networks, as attackers become more sophisticated and as the value of knowledge and intellectual property increases, this risk is only set to increase.
Keeping customers’ data secure should be a top priority for all enterprises. Regardless of size or whether the security capabilities are in-house or with a third party, organisations need to understand the value of their data, where it is located and commit to hardening themselves.
For those looking to outsource IT Security, there is much to consider when evaluating and engaging a MSSP provider – after all, you're essentially entrusting a third party provider with your company's reputation and competitive proposition. Following good outsourcing practice, and applying healthy doses of common sense in choosing an MSSP will likely mean you’re not on the front page of the paper for all the wrong reasons.
Article by Michael Foley, Voco founding partner.