Transcript Benefits and Pitfalls of Outsourcing Security Stan Kiyota, CISSP & CISM Senior Information Security Manager Booz Allen Hamilton, Inc.

Benefits and Pitfalls of
Outsourcing Security
Stan Kiyota, CISSP & CISM
Senior Information Security Manager
Booz Allen Hamilton, Inc.
 Outsourcing
•
•
•
•
•
•
Agenda
Definition
Responsibility
Keys for success
Why?
Who?
What?
 Managed security service provider (MSSP)
•
•
•
•
Definition
Market trends, players
Pros and cons of using an MSSP
What to look for in an MSSP
 Key elements for managing outsourced security services
 Tips for successfully outsourcing security services
Defining “outsourcing”
• Outsourcing: arrangement in which one
company provides services for another
company.
• These services are ones that usually can be
provided in-house but for one reason or
another are not.
Audience Response
Raise your hand if you outsource some form of
your IT services today.
Audience Response
Raise your hand if you outsource some form of
your information security services today.
Outsourcing means you are still
responsible
You are responsible and held accountable; if
something happens, responsibility rests with
you.
The outsourcing vendor should demand that
you have an active role in management
oversight.
These elements must come together for a
successful outsource to occur
Your
MSSP
Why outsource?
• Cannot afford full-time info sec staff
• Cannot retain competent information security staff
due to wages and market competition
• Have already outsourced other IT functions, why
not information security services?
• Have already figured out that someone else can do
it better, cheaper, faster than we can
• All of the above and more…
Who outsources?
• Businesses where IT security is not considered
a core function of the business
• Commercial businesses up to $US1B in
revenues; however, there are some multibillion-dollar companies which have outsourced
their entire IT functions to the likes of EDS and
IBM
• Governments (Federal, State, Local)
What services should I consider outsourcing?
 Complete a business requirements analysis and determine the
gaps between needs and capabilities.
 Determine what the business can support and what the labor
market can bear.
 Ensure that your info sec architecture is complementary to the
developing business plan for outsourcing.
 Document all services to be outsourced and policies, technologies,
processes to support.
 Present a comprehensive business (not IT) plan for implementing
managed security services.
What are “Managed Security Services” (MSS)?
 Managed Security Services (MSS) offer onsite and remote
monitoring and management of security services with 24x7 realtime monitoring, protection, escalation and response processes.
 Many of the managed services offered include:
•
•
•
•
•
•
Firewalls
intrusion detection systems (IDS)
virtual private networks (VPNs)
Routers
antivirus/content checking
periodic vulnerability or penetration studies/testing
Source: IDC
What is the market for Managed Security
Services Providers (MSSP)?
• Yankee, Forrester, Gartner, etc. have varied
estimates of a $2B to $5B market for managed
security services by 2005, to as much as $8B
by 2008.
• Everyone is trying to play, but the vendor
market is consolidating.
• MSSPs with 5 people are competing with
companies with 50,000 employees.
Who are the players in the MSSP space?
TruSecure
LURHQ
In 2003, only two firms were identified as
leaders in Gartner’s North American MSSP Magic
Quadrant™
Source: The Gartner Group
Audience Response
Raise your hand if you use or have used one of
those companies listed today.
Why should my company consider
using managed security services?
Strengths
Weaknesses
Opportunities
FOCUS - frees
internal IT staff from
operational tasks
GENERIC - Lack of
Allows customers to
focus on core business
while dedicated
security professionals
manage security
elements
SKILLS –The MSSP is
responsible for
providing the needed
skills
EFFICIENCY – MSSP
is more efficient then
you are at providing
the services
STABLE COSTS –
consistent costs for
product provided
customization to
your needs
POLICIES – MSSP
still needs you to
maintain IT &
security policies
COMPLACENCY Can give endusers false sense
of security
Ability to keep up with
security and
technology changes
without slowing
business
End-users can promote
stronger brand value
by publicizing their
efforts to be ’secure’
Threats
Perceived
increase in
vulnerability
because of
outside
provider
handling
security
elements
Source: Unisys UK & IDC
What are the downsides of using
managed security services?
• Someone else has responsibilities you may not have direct
control over.
• You don’t build internal expertise and knowledge.
• Legal liabilities and ramifications if something happens may
be limited.
• What happens if the provider goes out of business…
suddenly… such as Salinas Group, Pilot Networks, Covad,
Nettel, LMGT and others?
• What about Arthur Andersen?
What should I look for in an MSSP?
• Sound, written confidentiality agreements (SLAs)
• Willingness to negotiate flexible contracts and terms
• One who provides resumes or qualifications of those
actually doing the work
• One with expertise in the area you may outsource
• Flexibility to meet your business and IT needs
• Size and geography to meet your needs
• Financial viability of the company
Other crucial considerations in an MSSP
• Do they have the size to do the job?
• Do they use sound technology & processes?
• White hat or black hat?
• Are they a business partner today?
• SOC: More than one backup?
• Do they cover your security products?
Finally, are they truly qualified to
do the job?
• Are they ISO17799 or
BS7799 compliant &
certified?
• CISSPs? CISMs? CISAs?
SSCPs? GIAC?
• CERT, IETF, FDIC, FFIEC,
OCC, HIPAA experienced?
Identifying the key elements of managing
outsourced security services
• How much should your vendor manage?
• Ownership, location, management over security devices and
type
• What can you afford to do, and what can you not?
• What’s the role of policies and legal requirements?
• Outsourcing means you are still responsible.
How much should your vendor
manage?
You -- not the vendor -- should decide the
level of the vendor’s involvement.
You need to retain overall management
responsibility of the effort.
Size does matter… the larger the outsourcing
effort, the more management effort you will
need to put in.
How much can you afford? What can you
afford not to do?
You must retain control over strategies and policies.
Managed services are most successful when
outsourcers have control over entire segments ―
e.g. firewalls, intrusion detection, etc.
Do not let the provider’s technology expertise sway
your technology direction and requirements.
What’s the role of security policies and
legal requirements?
 First and foremost, you must have a complete set of
IT and information security policies in place
•
SLA: scope of activity and when; uptime; response time;
activities after virus, hack, breach, incident, etc.
•
A good vendor will not take a contract with you without these.
 Your business should have corporate policies on how
outsourcing agreements are executed legally within
your company.
Outsource only when…
 You retain control.
 You have properly negotiated legal and financial agreements.
 You have business, IT and information security policies.
 You always retain the right-of-refusal for staff servicing your
account.
 The vendor says they can do what you need, rather than saying
they can do it all.
 You have SLAs that can be measured and rewarded (or penalized).
 You make sure the vendor will be there for you.
Key outsourcing points
Remember: There is no one right provider… IDC.
Leverage relationships, but don’t relinquish
responsibilities.
Bottom Line: Outsourcing information security
requires you to have explicit trust in your vendor
and the faith that they will always do the right
thing on your behalf.
Thank you.
Questions, comments?