MANAGED SERVICES cloud
Managed security services: dipping a toe in the water
For any organisation, large or small, public or private, the consequences of a security breach in terms of reputation damage, regulatory fines and lost business can be astronomical. It is not just the big brands or global companies that offer a target for cyber criminals. Small businesses are often more vulnerable to cyber security attacks than their larger counterparts, with criminals often targeting smaller companies as a way to infiltrate their larger partners and affiliate organisations. So, by addressing its own security, a small business is also protecting its commercial relationships.
By David Ellis, director of technology and services, Computerlinks.
However, the vast majority of UK businesses are still struggling with IT security. According to PwC's 2014 Global State of Information Security survey, the number of security incidents detected in the UK in the past 12 months increased by 69 per cent. Worryingly, over 16 per cent of UK businesses do not know how many security incidents they had last year. The data suggests that breaches are increasing while rising IT security spend is failing to counter the threat. In response, should organisations start thinking about shifting IT security into a managed service?
The case for outsourcing
IT security is a moving target that requires organisations to keep highly paid information security professionals sharp with continual training. IT security monitoring needs to be constant as attacks can happen at any time of any day. Having 24 x 7 x 365 coverage, complete with a rapid response team on standby, is not cost-effective for anybody other than the largest of organisations.
The financial burden of hiring, training and keeping security expertise up-to-date is substantial. If the cost of people is already high, add in the expense of buying and maintaining the physical IT security hardware, software and processes that help to protect organisations and it becomes hard to justify the bulk of IT security remaining in-house. Although many organisations are increasingly outsourcing elements like email and payment processing, IT security has still tended to remain an in-house activity. Concern over allowing third party access to sensitive data or systems is often the primary issue.
www.dcsuk.info | May 2014
The reality is that employees themselves pose a far greater risk than external organisations that are dedicated to information security. Other fears, such as IT managers outsourcing themselves out of a job and cultural issues around loss of control, may initially play a part in resisting a move to managed IT security services. In reality, the IT manager’s time is now freed up to concentrate on more business-critical elements rather than high-maintenance, time-consuming ‘housekeeping’ chores.
Initial fears of outsourcing or managed security services, though, are quickly outweighed by the benefits of cost-reduction and service enhancements, once they are fully understood.
Standards and audited ability
However, picking a managed security service provider is not like choosing an electricity supplier; the selection criteria and evaluation process are far more complex. Aside from cost and list of features, the most pertinent differentiator for service providers is adherence to external standards and audited ability.
Probably the most impressive is ISO 27001, an Information Security Management System standard that evolved from the British Standard BS7799 for managing information security. ISO 27001 is used in conjunction with other standards from the ISO 27000 family, such as ISO 27002, which contains additional audit guidelines. ISO 27001 is often seen as comparable to SAS 70, which is an auditing standard run by the American Institute of Certified Public Accountants.
Another major standard is the Payment Card Industry Data Security Standard (PCI DSS), which was created by credit card companies, including VISA and MasterCard, to ensure that data is secure when handling credit cards. Even though it is the merchant payment service provider that needs to be