Updated: Jul 1
November 25, 2019 | Matthew Evetts
One individual or even your whole IT team can’t provide the level of cybersecurity needed in today’s rapidly changing threat landscape. Even organisations with robust internal risk functions, comprehensive training, and IT capability are unlikely to have the required expertise or capacity to address the range of cybersecurity risks facing today’s businesses, government agencies, and NGOs.
A well designed cybersecurity-as-a-service (CSaaS) offering is something every organisation can benefit from, whether to augment what they’re already doing or to provide complete coverage.
What is it? When we talk about CSaaS we’re not talking about a product. It’s not something you can turn on and walk away from. Various solutions and product offerings will be part of the whole picture, but the ‘solution’ shouldn’t be the focus. When you partner for cyber services your supplier should be asking you about the whole picture to identify where the gaps are. They should be working with you to identify what aspects of security you’d like them to be responsible for versus what your organisation will handle. They should work with you to identify your risks and prioritise and plan the mitigation for each risk. Your service provider complements your existing expertise and builds off the deep knowledge you hold about your organisation and what is valuable to you.
A CSaaS offering can include one or more of the following functions, or components within these functions: risk assessment; risk management (ESRM); governance and advisory; training and awareness; endpoint protection; email security; cloud security management; access management (physical and/or digital); firewall and networking; data encryption; SIEM as a service, managed detection and response (MDR); active threat intelligence; incident response; penetration testing; and more.
Incident response included! It is impossible to be fully protected, so your cybersecurity approach must include a response aspect, whether you outsource this or not. Response is often where organisations need the most help, because it can be unfamiliar ground. However, the aim of any CSaaS offering should be to do everything possible to prevent a situation where a response is needed. That being said, your CSaaS provider, or another partner you’re working with, needs to be ‘on-call’ to help you with a response if necessary; and most organisations needs help preparing a response plan too.
What is ‘good’ CSaaS? We believe good CSaaS offerings are where providers are true partners. This means the service offering is provided by a supplier who is fully engaged with their customer – this is not a set and forget service relationship, but a partnership that enables the customer to make good governance and management decisions that mitigate risks, address vulnerabilities, and respond to incidents. Show me the money! The number one most cited reason for moving to CSaaS is money – it’s about reducing cost. I would argue that for many organisations their number one reason should be because they can’t do the whole job internally, but often the discussion comes back to money. Doing cyber security properly just for one organisation is expensive and becoming more expensive every day as threats become more sophisticated and compliance requirements ramp up. There are a few key considerations when making a cost case for cyber and CSaaS. Firstly, the cost of NOT doing cyber right can be catastrophic. If you’re reading this article then you probably already realise that some organisations don’t survive a major cyber breach. For those that do survive it is painful and extremely costly. Beyond the actual cost of remediating a cyber breach, damage to reputation and loss of customers often has a massive impact. On top of all that, people nearly always lose jobs (e.g. CEOs and CIOs), or at the very least, suffer major personal reputation damage; particularly as organisations work out who to blame... Secondly, the safety and security of people, property and intellectual property is usually impacted. People’s personal details can be used to extort them or worse, physical machinery and sites can be damaged, and valuable data stolen. Thirdly, consider scale. For cyber security to be done effectively there is a ‘minimum’ of people, tools, and processes that need to be in place. This minimum tends to grow with your organisation too. Internal teams often only have enough scale to attend to business-as-usual matters (and maybe a little more); particularly when cyber is only a part of their responsibilities. The cost of trying to meet the ‘minimum’ internally is often infeasible. Fourthly, having a team across multiple organisations instead of one is just cheaper. It follows the basic rule of scaling in a specialist area – bigger is better (if done right). For instance, training staff in a toolset that’s used across multiple organisations is more efficient than training only a few staff with return on investment from only one organisation.
The power of team A whole team of people is critical to providing the breadth and depth needed by any organisation taking their cyber security seriously. That team will also need a comprehensive toolset, processes, and documentation for them to be effective. Just software licensing alone is a large investment. It’s also not just the salary cost of a team, but the overhead in hiring and supporting them.
Another big constraint of hiring people internally, particularly in any organisation that is not already hiring thousands of staff, is staff availability. If you hire three security analysts and one goes on leave you might get by with two, but what if either of the remaining two falls sick or someone has to run home for a family emergency!? You’re quickly in a precarious security position and this is just normal everyday stuff. If your organisation is a 24x7 organisation or globally distributed, security staff availability becomes exponentially more difficult. The cost of running a 24x7 SOC is around $1m year (7+ qualified staff with shifts, leave, training etc). Team experience is another challenge for cybersecurity. Many teams, whether internal or external to your organisation, will only have experience in a particular industry vertical or on specific technologies. Because of this, and often through no fault of their own, they can be blind to some of the anomalies occurring in your particular environment. Ideally a team of people can provide a wide breadth and depth of experience that can be applied in addition to powerful toolsets. They will also have a range of skills for getting the most out of the toolset they’re using. We advise that team members work across multiple environments and customers on an ongoing basis so that they can ‘cross-pollinate’ their learnings. CSaaS is the easiest way to ensure this happens.
Can you be proactive, really? Being truly proactive is a critical part of cybersecurity protection. Just waiting for something to happen and then reacting is like sleeping with a baseball bat beside your bed and the front door open. You’ll wake up in the morning to find your TV is gone and you didn’t hear a thing. Once you see something there’s a good chance the damage has already been done, or you may not even notice the damage until weeks or months after it has occurred. Many SOC offerings also include active threat intelligence. This means that specialist teams have a continually changing view of what threat actors are doing in the world and how it applies to your specific environment and organisation. For instance, if you’re a legal firm and they see legal firms are being actively targeted, they can look at what weaknesses are being exploited in those attacks or what attack vectors are being used and provide specific advice.
Being proactive also means continually and actively looking for weaknesses in your organisation and environment and providing advice, and where required, assistance, on remediating those weaknesses. One of the biggest advantages of a good cybersecurity service is that it is ongoing. This is particularly relevant when talking about proactivity, as something that was not a weakness in January, can be in July. Taking a point-in-time approach to identifying risks and issues is dangerous! In short, a good team backing a comprehensive service should know what you’re looking for and not just be waiting for alerts. This puts your organisation in a significantly stronger position.
But what about privacy? When considering CSaaS you should absolutely be concerned about privacy. However, not any more than you should be for an internal team (in my opinion). An external service provider, particularly one that provides a quality service and is busy building their company and brand, has a lot to lose if they drop the ball. Although a person within your organisation may be under your ‘control’, this is often not how it works out. The controls and mitigations required to cover data, data management, access, and staff activity don’t change whether a team is internal or a service provider is providing a service. We often find that internal controls and mitigations are not up to scratch in handling large volumes of monitoring data and access to systems.
Your service provider should supply advice on how they will protect your data when providing their service. It’s not all up to you. If they can’t provide that advice then they’re not up to the job. Any access by your provider should be logged and logs must be immutable. If you don’t start out that way then you should work towards it quickly. They must be able to demonstrate how they store and manage data too, particularly how that data is protected and accessed.
Small beginnings Even some of the simpler aspects of cybersecurity are often much more logically delivered as a service. For instance, endpoint protection, commonly referred to as AV or anti-malware, can be deployed, managed, maintained, and monitored by a service provider for a small cost. The service provider will normally license the product too, so there is literally nothing for you to do. This may seem like a small thing, but we have seen numerous instances where endpoint protection is not properly configured, not deployed to all endpoints, not patched regularly enough, and even where AV signatures aren’t being updated or licensing has expired. Closely related to endpoint protection is email protection – another service that can be simply and easily rolled out and managed by your service provider for a small cost. Even though these as-a-service offerings can seem insignificant on the surface; they can be the difference between a crippling breach and no breach at all. Afterall, doing the basics really well is often what makes the biggest difference! Don’t lose sight of what we discussed above though – ensure you’re working with your partner of choice to properly understand your risks and how you’re going to address them. Often the most burning risk is that staff have never received cyber awareness training! Our own Training, Awareness and Compliance platform includes a testing component too, an essential ‘next step’ for security awareness and risk mitigation. About the author Matthew Evetts is the GM of Optic Digital, a division of the Optic Security Group. Optic Digital are an IT and Cyber services company that provide IT services across a broad range of domains, including networking, engineering, management, architecture, analysis, cloud, and cyber. They deliver value through consulting, providing professional resources on the ground, and by delivering IT and cyber projects and services. Their own cybersecurity-as-a-service offering is a modular service that allows customers to choose what cyber services are most appropriate for them. They can provide any part of a cyber solution or a completely outsourced approach. The Optic Security Group specialise in providing converged security services, taking a risk-based organisation-wide approach to security that covers people, process, and technology aspects of both physical and digital security.