Outsourcing is a powerful option that allows an enterprise to focus on its core competencies instead of being distracted by information technology and security functions, which can be provided more efficiently by companies whose mission is exactly that. But in making the strategic decision, a company needs to understand the natural tension between an information technology (IT) company and a cybersecurity company.
IT is a highly mature discipline that is primarily concerned with availability (uptime), provisioning, and project implementation. Most things are planned, scheduled, and follow a tight process. IT generally only has to be more right than wrong: a single overlooked detail usually does not interrupt the business. IT tools are tuned to report on company success, and the workforce has the skillsets needed to operate a large program supporting business needs. This is in stark contrast to the skills needed for a cybersecurity program.
Cybersecurity is focused on ensuring that the systems the IT organization designs to support the business provide confidentiality, integrity, and availability. It is a much newer discipline, and it requires detailed operations that must defend the enterprise against every attack and be right 100% of the time, or risk exposing the entire enterprise. It has a much smaller budget than the IT organization, yet it must defend the entire ecosystem, including devices used from home and on the road. Its devices alert humans as to where to spend their limited time and which events represent the most pressing security issues. Defining the risks, how they are handled, and their consequences are all governed by specialized security best practices.
Both IT and cybersecurity have unique roles with different motivating factors. In a balanced approach, they check and balance one another. All modern operations need to balance what the customer wants, efficient system operation delivered through IT, against the confidentiality, integrity, and availability maintained through cybersecurity.
The outsourcing market is highly specialized and highly competitive. Companies will find vendors that offer managed IT services, managed security services, and hybrids of the two. This makes it very difficult for companies to understand their coverage (and the seams in it) and how that coverage either hinders or helps their core business.
Here at Think Security, we will address some focus areas companies should consider.
Managed IT doesn’t mean Managed Security:
As was shown above, IT and cybersecurity are complementary and require specialized tools, techniques, procedures, and personnel. They are not the same and need to be performed by groups that have the time and skills to perform their missions.
We have seen and worked with managed IT companies who believe they provide security because they know how to configure and install a security device. They convince their customers that they can save money by using their IT expertise and get the same level of security assurance. Just because a company can configure a security appliance does not make it a Managed Security company, and it does not and cannot provide the level of security a modern client demands. Simply configuring a security appliance is not security: security appliances triage events for human intervention. Can an IT provider focused on configuring systems and responding to customer software needs dedicate time and specialized resources to both missions? That depends; ideally, security devices are monitored, managed, updated, and tuned on a regular basis by a skilled workforce that is continually training to defend against dynamic adversaries.
Outsourcing security is done through the use of a managed security service provider (MSSP). The MSSP provides the level of security that companies need because it provides personnel and services that understand, live, breathe, and continually adapt to newly discovered attacks and countermeasures. It provides the skills to understand the enterprise, its risks, how that risk is handled, and the countermeasures. If the enterprise is thinking of moving to the cloud, or already has, those risks are magnified.
A managed security provider will start by defining the security architecture based on corporate risk, ensure the correct devices are in place to build the sensor grid, respond to alerts, and seek out threats so that the business can operate its systems as intended without interruption. As the sensors alert on potential issues, the MSSP has highly skilled security professionals on staff who understand how to respond to both common and targeted attacks.
Highly skilled personnel provide your first line of defense. We have found that the best defenders are those who understand how an attacker thinks, acts, and reacts. There is a misconception that all hackers are bad, which is not true. You want a hacker on your team to understand the art of the possible when drafting your defense. But it is sophomoric to think that anyone can prevent all breaches. Security professionals are constantly at odds with a living, breathing adversary who is working just as hard to find new ways to exploit systems as the defender is to keep the bad guys out. Every update to an application or operating system presents new opportunities for an exploit to occur. The best defenders understand how their adversaries approach the challenge of exploiting vulnerabilities.
There are two types of companies: those who have been breached and know it, and those who have been breached and do not. What any good firm will tell you is that the time between breach and removal, called the dwell time, is the measure of effectiveness. Can you operate under attack and still perform your core operations? Can you minimize the dwell time and reduce the impact? High-quality personnel can ensure the impact is minimized.
When selecting an MSSP company with which to partner, check to see if their security personnel are trained and certified. We have seen many companies compromised because they selected a managed IT company that knows how to set up and maintain IT, but not security. Make sure to ask whether their staff hold the following:
SANS – Certified security professional
CEH – Certified Ethical Hacker
OSCP – Offensive Security Certified Professional
CISSP – Certified Information Systems Security Professional
When selecting a partner, make sure that they will provide the right support, the right security, and the right synergy with your company. Here at Think Security, we strive to be a trusted IT and Security partner that can work closely with your IT and/or Security department(s), providing a deeper level of expertise to your own personnel. If you don’t have IT or cybersecurity personnel, we would love to be your trusted IT and Security partner. We invite you to have us review your current Managed IT and Security providers to identify any deficiencies in the way they are doing business.