Yahoo is the latest company to confirm that it has suffered a massive data breach, with reports citing around 500 million account records leaked. It is an unfortunate reality that service providers such as Yahoo will always be high-value targets. The breach will cause concern at board level, with Yahoo currently going through an M&A process: it will add complications and considerable delay to the integration of Yahoo’s and Verizon’s infrastructures and ultimately affect operational capability. This only highlights that managing cyber threats, and aligning all key stakeholders around them, must be at the top of every board’s agenda.
Recently Voco founding Partner, Michael Foley, attended a cybersecurity panel discussion put on by the Institute of Directors in Auckland. A full house and a range of insightful, probing questions to the panel indicated that cyber threats are becoming top of mind amongst business leaders. However, a common thread was evident amongst participants: “where do I start?”
Michael Foley asked two cyber security experts to join him and share their perspectives on the cyber security landscape in New Zealand, the challenges organisations face when securing their networks, and how an outsourced approach may benefit companies with limited IT security resources and internal capability.
ON TODAY’S PANEL
Michael Wallmannsberger, Chief Information Security Officer (CISO) at Wynyard Group and Chair of the Advisory Board overseeing the establishment of the NZ Government’s first CERT
Michael Wigley, Principal at Wigley and Company, a law firm focused on cyber security and company/directors’ risk
Michael Foley, Voco founding Partner, ICT Market Expert, Commercial and Transformation Programme Advisor
Certainly in our discussions with enterprise clients almost everyone agrees that cybersecurity is now a strategic business issue. It is no longer restricted to standard ICT domains, and thinking about security as purely an IT issue is no longer acceptable as technology pervades business operating models.
However, despite continued large-scale breaches and increased awareness, it seems many organisations are still struggling to achieve and maintain adequate security. A question I often hear from business stakeholders is, “we know we need to act, but where do we start?” Some of New Zealand’s biggest organisations are increasingly employing CISOs tasked with managing security issues for the enterprise, but what about the others?
The problem of bridging the IT security gap is particularly acute for medium-sized organisations, which struggle to justify having dedicated internal people focussed on security. Thinking about different operating models, such as procuring Security-as-a-Service, may be one way to bridge the gap. More commonly known as Managed Security Services Providers and Security Operations Centres (MSSPs or SOCs), these suppliers can manage specific security initiatives or, in some cases, an organisation’s entire security programme.
In New Zealand the providers of cyber security services are primarily ICT firms augmented by a handful of smaller specialist advisory companies and a scattering of expertise found in consulting firms. The main service players are the scale providers of outsourced ICT capability to the government and large enterprise sectors. These include Spark, IBM, Datacom, Dimension Data and Vodafone.
The outsourcing of your IT security must involve an in-depth discovery process. You need to understand the risk profile associated with your operating model and be able to quantify your exposure in order to make sensible decisions on the scope and cost of any potential service. It is not a decision to be based solely on price and cost.
It is no different than procuring any other high-value as-a-Service capability. Due diligence is vital to getting the right provider and the right shaped service. There’s no one-size-fits-all.
Most organisations face the reality that resources are scarce, security goals are ambitious, and tolerance for risk is moderate at most. This leaves CISOs searching to find value in a crowded technology market somewhat prone to hype or, worse, leaves their organisations bearing unknown or unquantified risk.
In larger organisations and markets, managed security service providers (MSSPs) and security operations centres (SOCs) commonly take on the burden of monitoring organisations’ security systems for events that are relevant. These providers are not all created equal. However, an effective security service provider can give customer organisations efficient 24/7 access to operational security skills that the organisations would find difficult to justify retaining in their own right. Mid-size organisations, in particular, stand to benefit from quality MSSP offerings.
An MSSP or SOC provider is not a complete answer to cyber security. Organisations cannot outsource responsibility for their business risk and outcomes. In particular, there are multiple key risks that MSSPs and SOCs generally don’t manage, such as training staff to avoid social engineering attacks like phishing emails.
A service model is emerging to provide broader advice about cybersecurity issues to businesses as a service, to substitute for or augment in-house expertise (and to function alongside ICT services such as MSSPs and SOCs). As demand for experienced practitioners continues to outstrip supply, these services, sometimes called virtual CISO, CISO as a service, or shadow CISO, look set to grow.
Choosing an expert to help with a complex problem is not always easy and, whether it is an MSSP or a virtual CISO that your organisation needs, the usual markers of quality and assurance may not be present in the relatively immature cybersecurity industry. Organisations should undertake careful due diligence on providers to ensure that the provider is well regarded within the industry for integrity, effectiveness, and competence.
Cybersecurity involves multifaceted risks, including reputational, HR, and legal risks. The legal exposure arising from a company being attacked and, say, third-party information or money being lost, is mostly based on the need to comply with best-practice security. Particular care is needed, however, on issues specific to the company, and these should be legally checked along with a broader cybersecurity review.
That standard also reflects directors’ legal obligation to ensure that management is implementing best practice, yet recent surveys show widespread failure by boards to meet this requirement.
Having an ICT answer alone (the equivalent of an MSSP or SOC, internally or externally sourced) does not usually cover areas such as legal and regulatory compliance and reputation management. That is one reason why consulting services such as virtual CISOs are valuable.
To Sum Up
With the complex, data-rich, technology-enabled environments organisations increasingly run today, there is real exposure to the kind of breach that resulted in Yahoo’s customer data making its way onto the dark web. As we continue to add more technologies to our networks, as attackers become more sophisticated, and as the value of knowledge and intellectual property increases, this risk will only grow.
Keeping customers’ data secure should be a top priority for all enterprises. Regardless of size, and whether the security capabilities are in-house or with a third party, organisations need to truly understand their perimeter, recognise that it extends beyond the network’s boundary, and commit to hardening themselves.
For those looking to outsource IT security, there is much to consider when evaluating and engaging an MSSP. After all, you are essentially entrusting a third-party provider with your company’s reputation and competitive proposition. Following good outsourcing practice, and applying healthy doses of common sense in choosing an MSSP, will make it far less likely that you appear on the front page of the paper for all the wrong reasons.