BUSINESS CRIME & PROTECTION Security management as a service By Kevin Else (pictured), Director, Cyber Security Partnership

The trouble with ‘security management as a service’ is that it means different things to different organisations. Is it physical security, technical security, threat intelligence or risk management? So let’s make this clear. What I am talking about is

management of the information security approach of your organisations. When you have thousands of employees you have room for an information security function to manage the policies and procedures that make up your information security management system. If you are a micro company, you are often reliant on your service provider, but for the thousands of companies in between there is a gaping hole. How do you fill the hole? There is a shortage of

information security skills, so all the reports tell us, and when you do find it it’s expensive. Security management as a service provides that middle

tier with the information security knowledge that is out of reach of most organisations. That knowledge can be very technical knowledge, so a service would take copies of your audit trails and firewall logs to look for suspicious activity. This often means that your logs are sent to a Security

Operations Centre (SOC). This type of service allows you to take advantage of the cyber security experience of the supplier, while gaining from the benefits of scale as the supplier will be providing the same service to multiple organisations. The supplier can then invest in expensive tools to analyse the logs and provide details of trends across their customer base. Scurity management as a service provides you with the

expertise directly to your organisation, without you having the full-time cost and the expense of keeping that knowledge up to date. Suppliers provide expertise at both a technical and policy level on a retainer basis, allowing you to bring in highly experienced information security specialists for specific tasks or projects.

Even existing customers may start requiring their

suppliers to hold some form of information security certification such as Cyber Essentials or ISO 27001. These standards are based on understanding the risks to

your information and/or business. But the art of risk assessing is not just about the

technology - many of the controls within both these standards talk cover people and processes. Understanding that and having an independent view of those risks is a precursor to being able to address them and prove to your customer that you are not a risk to them. This is another area that these services can provide. That

risk assessment can also help you choose the right products to meet your requirements, and at a technical level the right response to threats, whether through additional controls or the right patches. Consider the panic that there was around the ransomware attacks of last year. Some organisations panicked and either patched or turned off older systems due to the possible threat without considering if there were adequate mitigating controls already in place. The standards mentioned previously and legislative

requirements, such as GDPR, also define what is known as “toxic roles”. In a non-IT environment this would be that someone in procurement can’t set up a new supplier and authorise the payments to that supplier. In IT you can’t be a data protection officer if you are also IT Manager, Chief Technical Officer, Chief Information Security Officer or Marketing Manager. If your back office staff count is in the tens rather than the hundreds, you may not have the capacity to segregate these roles enough to meet the requirement of these standards. That’s where having security management as a service can help by providing that segregation and a high level of expertise.

‘If you are a micro company, you are often reliant on your service provider, but for the thousands of companies in between there is a gaping hole’

42 business network June 2018

Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52  |  Page 53  |  Page 54  |  Page 55  |  Page 56  |  Page 57  |  Page 58  |  Page 59  |  Page 60  |  Page 61  |  Page 62  |  Page 63  |  Page 64  |  Page 65  |  Page 66  |  Page 67  |  Page 68  |  Page 69  |  Page 70  |  Page 71  |  Page 72