As our world becomes more complex and connected, it also seems more vulnerable. So security remains an ever-present layer in companies’ ICT projects and implementations. But this security is also evolving into a highly skilled science, requiring specialist knowledge. Consequently, the call to use external business partners is becoming louder. At this X-change, we had a look at the world of security services, and what’s on offer. First, we heard from experts from Dimension Data and Verizon about the possibilities arising from outsourcing. Then, we turned theory into practice and learned how Baloise Insurance outsourced its security needs.
The presentations from the event are available, along with the link to an additional video from Baloise, exclusively for Beltug members (after login)
Managed Security Services - turning data into knowledge
CISOs (Chief Information Security Officers) all too often have to become ‘fire fighters’, when in fact - they should be allowed to focus on strategy, not on fighting all the ‘fires’ that crop up.
Yet the fires, and threats, are everywhere, as Stefaan Hinderyckx from Dimension Data stated, including the increased difficulties cloud is creating from a security perspective (see slides 7 & 8 for more market trends and challenges).
So you need a solid partner for your security – but, he emphasised, while you can outsource your entire security, never outsource your policy! He then provided a clear overview on how to select your Managed Security Services (MSS) provider and how to measure your needs in relation to the typical services mix. (Slides 11 and 13).
Stefaan gave the example of an average bank, which receives 22 757 261 076 alerts over 90 days. There's no way an off-the-shelf software can filter out the critical incidents - those you have to look at and handle. You need experts so that you, as a company, can focus on your business. Big data analytics is your answer.
He closed with another example where the brand is absolutely critical: the luxury industry (see slides 21 and 22).
Building cyber resilience with Detection and Response-as-a-Service
Next up was Yves Van de Wyer from Verizon, who introduced the domain of Detection and Response-as-a-Service solutions. Whereas the traditional MSS use ‘classic’ detection methods, Detection and Response solutions continuously hunt for threats with a combination of behavioural analysis, anomaly detection, machine learning and AI. (see slide 2 for a comparison of the 2 types of MSS. Whichever partner or MSS solution you choose, he stated, trust is obviously key.
Yves went over the technology trends for Detection and Response solutions:
Vendors still face challenges:
Staffing problems are another challenge for SOCs (Security Operations Center) worldwide: millions of security positions remain unfilled around the globe, especially as the skillset requirements become more complicated and stringent.
Every company has different levels of maturity in incident response. Yves observed that companies with a lower security maturity are more likely to accept a Detection and Response approach. Hybrid models are also an option - combining a remote SOC with on-site consultants.
Outsourcing security services - A CISO’s Perspective
Moving from theory to practice, Jeroen Hulshof, CISO at Baloise Insurance, explained that safety and security are key to Baloise, including and especially towards its customers. This is an important reason the insurance company turned to a partner to secure data and infrastructure. Jeroen stressed it is important to secure all layers of the company:
As an organisation, Baloise decided to move forward on the track of digitisation and wants to do so securely. Yet it faces the ‘usual’ challenges:
Baloise turns to partners to face these challenges in the digital world.
Have a look at the definition of MSS on slide 14. The last part, "… without draining talent resources from the enterprise itself", is the core of Managed Security Services for Jeroen. (See the linked video above to discover the testimonial from SecureLink.)
Over the years, Baloise evolved from a single-sourcing to a multi-sourcing strategy, with plenty of lessons learned, and pros and cons (see slide 15).
Among the main pros:
He noted that 'cost savings' aren't on this list, as they are definitely not a central argument for MSS. On the contrary, security often gets more expensive.
One main 'con' is the loss of control (so you need a good trust in your partners). With a multi-sourcing strategy, it’s critical to maintain a good balance between the right partners and too many partners: in the latter case, managing your partners becomes a big concern and your operational costs increase.
Jeroen provided an overview of sound outsourcing principles (slide 18). A strong governance is essential for managing multiple outsourcing partnerships, while careful preparation and a thorough RFP process help you achieve long-lasting partnerships.
His main takeaway: you can't outsource your accountability!
Access to more information about this topic and/or to download the paper is easy and fast, but exclusively for Beltug members (just login to get access).
Beltug gathers a lot of information. Here you find the advantages of Beltug membership
The Beltug Team
Click here to login