IS outsourcing, internal security. Where to go to the customer
Let’s make a reservation right away, we collected information about those services that:
A) the contractors themselves call outsourcing;
B) they are not called outsourcing, but in fact they solve some issue that could be solved by a specialist in the state (if any).
In some ideal world, IS tasks, and in particular, protection against insider risks, are solved within the company by full-time specialists. They themselves lay out business processes, prescribe security policies, introduce a trade secret regime, conduct explanations and training courses for employees, and identify and investigate incidents.
In real life, there are reasons why companies have to overcome
Here are the basics
- There is no specialist in the state or he is, but is overloaded, does not specialize in protection against insider risks.
- Shortage of personnel - the company cannot find the information security specialist of the required qualification.
- There is no specialized monitoring software in automatic mode.
- In general, it is not clear how much information security costs, whether the costs of organizing all this work are justified.
If we turn to foreign practice, from which we are generally considered to be 5-10 years behind, there is nothing unusual in protecting against insider risks on outsourcing. According to the latest Deloitte data, 14% of the company's outsourcing budgets in 2019 were spent on protection against internal risks. Another 15% for training cybersecurity personnel.
What to choose from
If we consider the services united by the term “outsourcing of internal information security”, the following are now represented in Russia:
- Audit and analysis of the state of IT infrastructure.
- Development of regulatory documents.
- Forenzika (incident investigation).
- SOC (organization and maintenance of a monitoring center).
- Staff education/training.
- Maintenance of information systems (authentication and authorization systems, DLP, SIEM, IDS/IPS).
If we systematize somehow, we see that there is a proposal to close some one-time need (to consult or solve a point problem) and to replace the functions of an information security specialist in a long one.
Since we are referring to a customer who just faced the issue of protection against data leaks, the request to an external expert is usually the following: look at the settings of network equipment, evaluate incoming/outgoing traffic, estimate the number of external connections to servers; build an access system; decide which software to put on the test, and which not to waste time on, evaluate the test results.
Those. by and large - "just ask."
Offers on the market of such consulting are diverse. You can always find a freelancer to “consult”. But the backbone of the market is the training centers and companies specializing in IS CIBIT, "IB Academy", ACRIBIA, UTSB, AZONE IT and others. (We’ll put the “big advisers” with the “four” auditors at the head - they share the lion's share of the global turnover from IB consulting, but their services are available only to large customers).
The listed players can close one-off tasks when it is necessary to carry out some work for which it is not yet advisable to hire a person in the staff: to train personnel, adapt security policies, and put in order documents for compliance with regulatory requirements. And of course, to investigate a violation or a corporate crime, if suddenly an emergency happened in the company.
At the same time, not only cyber methods are used to investigate information security incidents (here the most famous player is Group IB). “Analog” tools can be added: document analysis, employee surveys, etc. Therefore, strictly speaking, detectives, polygraph examiners, and profilers are also participants in information security outsourcing in their narrow tasks.
There is a proposal on the market for fine-tuning security policies in a DLP system. As it is introduced, the user may have associated questions: what to do with the hardware, how to set up tolerances, what documents to sign with employees. Independent companies provide such services, but in essence it is the work of good implementation departments, engineers and technical support of the vendor itself.
The market is still mottled simply because of its young age. But it has already formed an abundant offer for most of the customer's requests for one-time help of an information security specialist.
If the company needs to solve not one-time tasks, but to protect information in a continuous mode, a DLP system will be required. Otherwise, it is difficult to prevent, detect and investigate internal security incidents. Without a person who will analyze information from it, software is not very effective. But most companies with teams of 100 or more often often cannot answer the question “do we need it?”
Therefore, the next level of outsourcing arises - to give the system management and incident analytics from DLP to the staff. So far, there are units in this market (actually, SearchInform, Softline, and Jet Infosystems). The service is implemented in several formats, depending on the level of access that the customer is ready to give the outsourcer, that is, on trust in him.
What can an outsourcer do?
- Monitor events and transmit incident reports without any further elaboration.
- Do an initial analysis of the incident, analyze the context; respond urgently to critical violations.
- Make full-fledged investigation of the incident, give recommendations for the prevention of relapse.
In the process, relationships can evolve. Conventionally, at first the customer was ready to hand over to the outsourcer only the DLP setup and downloading reports from it with the entire “sheet”. Having seen the effect and the benefit, it may come to the point of giving away and analyzing the contents of the incidents.
Due to the fact that the market is still developing, it is not always easy for the customer to formulate a request, choose a format for working with an outsourcer, and prioritize control. Accordingly, signing an SLA from the start is not always possible.
Nevertheless, an effective interaction format is already taking shape. Here is the approach in which foreign outsourcers (MSSP, Managed Security Services Provider) work:
- A personal information security analyst sets up the system in accordance with the tasks set by the customer.
- The customer is granted maximum authority in the system. The customer discusses the “red lines” and wishes (he says whom he is taking out of the monitoring, clarifies the most urgent tasks, etc.)
- Having discovered the incident, the IB analyst contacts the customer via the agreed communication channel (the task is to convey information as quickly as possible).
- Provides reports on the schedule and for the selected period (once a day/week/month).
- The customer can work in the system together with an information security analyst or independently.
Most likely, within this framework, IB outsourcing will continue to develop, because this format helps to create trust between the participants in the process. But the market will not be fully formed soon, sometime risk insurance will appear on it, which will greatly advance the client/outsourcer relationship. But the process is already ongoing anyway - we see this by the reaction of customers. Therefore, on the way to "you cannot live without it," we are somewhere at the point "there is something in this."