The Organization's Responsibility for its Own Protection
By Michael Wallmannsberger, Chief Information Security Officer, Wynyard Group
A CISO’s job is to enable his or her organisation to execute the CEO’s strategy, within the CFO’s budget and the board’s appetite for risk. A high tolerance for risk, a large budget, and modest strategic goals make for light work.
However, most organisations face a different reality. Resources are scarce, goals are ambitious, and tolerance for risk is moderate at most. This leaves CISOs searching for value in a crowded technology market somewhat prone to hype or, worse, leaves their organisations bearing unknown or unquantified risk.
In larger organisations and markets, managed security service providers (MSSPs) and security operations centres (SOCs) commonly take on the burden of monitoring organisations’ security systems for relevant events. These providers are not all created equal. However, an effective security service provider can give customer organisations efficient 24x7 access to operational security skills that those organisations would find difficult to justify retaining in-house. Mid-size organisations, in particular, stand to benefit from quality MSSP offerings.
There is a wide range of security services being offered by MSSPs today, from full outsourcing of security programmes to specialised services that focus on specific components of the enterprise’s security (such as threat monitoring, data protection, management of network security tools, regulatory compliance, or incident response and penetration testing). By outsourcing security, enterprises are often able to realise cost savings by eliminating the need to maintain a fully staffed, full-time, on-site IT security department. Many organisations also turn to MSSPs for faster deployment times and improved time-to-value on security investments.
Much has been said about cybersecurity since it became a popular topic. The one thing that almost everyone seems to agree on is that cybersecurity is now a strategic business issue. Thinking about security as purely an IT issue is quite wrong. In the same way, an MSSP or SOC provider is not a complete answer to cybersecurity. Organisations cannot outsource responsibility for their business risk and outcomes. However, a service model is also emerging that provides advice about cybersecurity issues to businesses as a service, to substitute for or augment in-house expertise. As demand for experienced practitioners continues to outstrip supply, these services (sometimes called virtual CISO, CISO as a service, or shadow CISO) look set to grow.
The outsourcing of IT security must involve an in-depth discovery process. Organisations need to understand the risk profile associated with their operating model and be able to quantify their exposure in order to make sensible decisions on the scope and cost of any potential service. It is not a decision to be based solely on price.
Choosing an expert to help with a complex problem is not always easy and, whether it is an MSSP or a virtual CISO that your organisation needs, the usual markers of quality and assurance may not be present in the relatively immature cybersecurity industry.
Organisations should undertake careful due diligence on security-as-a-service providers to ensure that the provider is well regarded within the industry for integrity, effectiveness, and competence.
Formed in 2012, Wynyard Group deals with high-consequence crime-fighting and security software. It is headquartered in NSW, Australia.