TRANSCRIPT
Mind the Gaps: Leveraging “Security as a Service” to Gain Cyber Advantage
4.14.2016 | Data Connectors, San Diego
srobb(at)controlscan(dot)com | 800.825.3301
Steve Robb, SVP Marketing & Product Strategy
© ControlScan 2016 2
Technology continues to open up new frontiers
“Internet of Things” connected sensors and monitors
Cloud storage and infrastructure
Mobile access
“Shadow IT” implementation of SaaS business applications
An expanding perimeter with more points of vulnerability, more surface area for attacks, offering global accessibility (slide graphic labels: ePHI, EHR)
We’re creating gaps in our ability to protect data
Technology adoption is outpacing security and compliance
Attackers are evolving and innovating as fast or faster
We struggle to keep up with the basics
Gaps are forming between what’s truly required to maintain security and…
- What is typically in place
- What can realistically be maintained
These gaps are further manifested in survey after survey…
“The Current State of Security Threat Management”
Lack of internal resources and insufficient budget are preventing IT teams from creating a strong security posture for their organizations
52% of in-house IT teams do not include an information security professional
One-third have the same security budget this year that they had in 2015 – and 2014
62% feel their organization's security-related investments are not sufficient for their business's level of risk
What does this mean?
52% are attempting to monitor security logs in-house (without in-house security expertise) and 29% aren’t monitoring their logs at all
48% are trying to conduct their own security risk assessments
“Just not enough technology or knowledge”
Q4 2015 Survey Conducted by ControlScan
Spotting the gaps before you’re tripped by them…
Eyes on Security: incorporating security into “business as usual”
Access to Expertise: on-the-spot experience and knowledge
Best Practices, Proven Processes: consistent, predictable execution
Defense in Depth: belts and suspenders for your infrastructure security
Adaptability: rapid response in the face of new threats and internal changes
Financial Flexibility: flexibility in executing a security & compliance strategy
The results of gap inaction and indecision…
Breaches of sensitive data
Disruption/distraction within operational areas
Unbudgeted costs to remediate/recover
Fines levied for contractual/compliance violations
Complex efforts to recover
Ongoing, closer scrutiny
Erosion of brand name and customer confidence
(Slide graphic labels: Security, Compliance)
Leveraging “Security as a Service”
Identify the gaps: Risk Assessment
Fill the gaps; add layers: Managed Security Services
Prove compliance: Gap Analyses, Assessments
Maintain Security, Compliance: Ongoing monitoring, management
Eyes on security
Continuous security monitoring
Time to discovery and response
Leveraged insight across multiple environments
Access to expertise
Security hiring challenges continue to grow
Opportunities for experts-on-demand
Requirements for ongoing training and development
Best practices; proven processes
Best practices surfaced across industries and frameworks
Predictable deployments
Consistent operations
SLA-backed reporting
Defense in depth
Multi-layered defenses
More challenging for the attacker; contingency when a layer fails
Layers as “services” often easier to add or shift
(Slide graphic labels: MSSP Sec Ops, SIEM)
Adaptability
Leveraging best-of-breed solutions
Expansion and refinement of in-place solutions
Taking advantage of latest features/functions in solution upgrades
Overall elasticity of solution to manage environmental growth and change
Financial flexibility
Procured Internally        Year 1    Year 2    Year 3    Total
Hardware purchase          $1,995                        $1,995
Software license           $1,333    $1,333    $1,333    $3,999
Annual maintenance
Staff ($120k salary, 2%)   $2,400    $2,400    $2,400    $7,200
Training                   $300      $300      $300      $900
Total (3 years):                                         $14,094

MSSP                       Year 1    Year 2    Year 3    Total
Installation & setup       $250                          $250
Service subscription fee   $2,400    $2,400    $2,400    $7,200
Total (3 years):                                         $7,450
So what’s the downside?
Cost perceptions
Trust issues (parallels with cloud computing)
Loss of control
Potential loss of internal SME/competency over time
Hard to bring back in house
MSSP understanding of internal culture/dynamics
More limited choices in technology
Consider this when selecting a partner…
Competence in Security + Compliance – they should be considered in tandem
Certifications – proof points for ongoing investment in education & development
Flexibility – willingness to adapt solutions to your business vs. one size fits all
Holistic – lifecycle support from “Identify” to “Recover”
Balanced – solutions supporting both “Protect” and “Detect”
Learn more:
2016 State of Security Threat Management Report:
https://www.controlscan.com/security-threat-management-research-report/
ControlScan Blog: https://www.controlscan.com/blog
PCI Compliance Guide Blog: https://www.pcicomplianceguide.org
www.ControlScan.com
Thank You