Inside Track: The service option
9 March 2017
Staying on top of all the challenges that modern IT security poses is a daunting task. Security is crucial for any networked business, but getting it right can be expensive and time consuming. And like painting the Forth Bridge, it is a job that is never really done.
Security threats change and evolve over time, so the measures taken to protect against them have to keep pace, and that makes keeping up a full-time job. In the face of this challenge, some companies are taking a radical approach — ditching in-house IT security altogether.
They believe the solution to the growing complexity of the issue is to outsource the whole problem to a managed service provider. Is this a logical and pragmatic approach, or a mistake when so much depends on the integrity of company-held data?
“Obviously I have a vested interest in the answer because we are providing such services, but we’re certainly hearing from customers that as soon as they start running the numbers and trying to figure out what it will cost them to run a proper security operation themselves, unless they have very deep pockets, outsourcing is much more attractive,” said Dermot Williams, managing director of Threatscape.
“In terms of infrastructure, people and processes, and raw money, it’s expensive to do this yourself. By contrast, when you outsource it you can end up paying far less and getting far more. To begin with, you get a 24 hour a day service.”
Williams’ argument is that security does not stop when staff clock off at five or six pm. Incursions can happen just as easily at 4am, and a lot of damage can happen by the time staff members arrive at 9am the next day.
“In the early days of IT security, people used to think of it as being something like a rodent problem, where you would set traps and forget about them until they caught something. You could sleep at night knowing that you might wake up in the morning and find a few dead mice caught in the traps, but your house was safe,” he said.
“But dealing with cybersecurity is much more like dealing with a fire safety problem. Just because you do everything you can to prevent a fire breaking out doesn’t mean that you’re going to sleep well at night, because you still want to have something that’s going to alert you 24/7 where there’s a fire.”
Threatscape’s philosophy on IT security is ‘protect, detect, respond’.
“The protect part means you anticipate everything that might go wrong and put in place ongoing monitoring and detection to spot something that you didn’t anticipate. And then when the shit does hit the fan, you respond. It is a constant process,” said Williams.
David Kennefick, a consultant with edgescan, said that when it comes to this issue, the numbers make most of the argument for themselves.
“It comes down to a business decision, plain and simple. Do you want to pay a guy €60,000 a year to look at a scanning engine? And if you want to look at the results from a scanning engine, do you want to pay €5,000 for the scanning engine license? That’s €65,000 a year and that’s going to cover off say a few apps,” he said.
“Outsourcing your security needs isn’t necessarily an all or nothing proposition though. We have clients that have thousands and thousands of IPs and hundreds and hundreds of web apps, and for them it would be impossible to do really in-depth testing on every single part of that, and they’re fully aware of that. To get over that, these companies use edgescan to cover off most of it, then leave their in-house guys to spend more time where it’s critical for them. So really the two approaches can complement each other.”
According to Kennefick, outsourced managed security services are currently a hot topic in the IT industry in Ireland, not just because of potential cost savings, but also because finding talented security staff can be hard.
“Staffing out a security operations centre (SOC) with dedicated people isn’t easy. Not only is it expensive, but the reality is that for much of the time there’s nothing to do. It can be tedious and it’s true that there’s a high level of SOC analyst burnout as a result,” he said.
Managed service providers often find it easier to source such people because they can offer more variety.
“The battlefield is moving away from the traditional style of attack — the classic hack — to more of the social hacking style of attack. We’re seeing a massive increase in that and a lot of distributed denial of service (DDoS) attacks. But many of the most difficult to deal with attacks come in the form of social engineering incursions, especially the likes of CEO fraud and phishing,” said Kennefick.