Information security outsourcing, internal security. Where to go to the customer

Today we decided to talk about whether companies are ready to outsource internal security. For many years it was believed not. But the situation is changing. In this post we will not talk about the pros and cons of outsourcing, but we will make an overview of what a customer can count on if he already has a need to somehow solve the problem of information leaks.



Let's make a reservation right away, we collected information about those services that:



A) contractors themselves call outsourcing;

B) they are not called outsourcing, but in fact they solve some issue that could be solved by a specialist in the state (if any).



Go.







In some ideal world, information security tasks, and in particular protection against insider risks, are solved within the company by the efforts of full-time specialists. They lay out business processes themselves, prescribe security policies, introduce a trade secret regime, conduct explanations and training courses for employees, identify and investigate incidents.



In real life, there are reasons why companies have to overcome contempt and resistance and raise the issue of outsourcing some of their internal security responsibilities.

Here are the main

1. There is no specialist on the staff, or he is, but overworked, does not specialize in protection from insider risks.
2. Lack of personnel - the company cannot find an information security specialist of the required qualifications.
3. There is no dedicated software for automatic monitoring.
4. In general, it is not clear how much information security costs, whether the costs of organizing all this work are justified.

If we turn to foreign practice, from which we, as is commonly believed, are 5-10 years behind, there is nothing unusual in outsourcing protection from insider risks. According to the latest data from Deloitte, 14% of the company's outsourcing budgets in 2019 were spent on protection from internal risks. Another 15% - for training cybersecurity personnel.

What to choose from

If we consider the services united by the term "outsourcing of internal information security", the following are now presented in Russia:

1. Audit and analysis of the state of the IT infrastructure.
2. Development of regulatory documents.
3. Forensics (incident investigation).
4. SOC (organization and maintenance of the monitoring center).
5. Personnel training / training.
6. Maintenance of information systems (authentication and authorization systems, DLP, SIEM, IDS / IPS).

If we somehow systematize, we see that there is a proposal to close some one-time need (to consult or solve a point problem) and to replace the functions of an information security specialist for a long time.

Temporary help

Since we mean a customer who has just faced the issue of protecting against data leaks, a request to an external expert here is usually the following: look at the settings of network equipment, estimate incoming / outgoing traffic, estimate the number of external connections to servers; build a system of access; decide which software to put on the test and which not to waste time on, evaluate the test results.



Those. by and large - "just ask."



The offers on the market for such consulting are diverse. You can always find a freelancer for a "consultation". But the backbone of the market is training centers and companies specializing in information security CIBIT, "Academy of Information Security", ACRIBIA, USSB, AZONE IT and others. (Let's take out of the brackets the "big advisors" with the "four" auditors at the head - they share the lion's share of the world turnover from information security consulting, but their services are available only to large customers).



The listed players can also close one-time tasks when it is necessary to carry out some kind of work for which it is not yet advisable to hire a person on the staff: train staff, adapt security policies, put in order documents for compliance with regulatory requirements. And of course, to investigate a violation or corporate crime, if suddenly an emergency happened in the company.



At the same time, not only cyber methods are used to investigate information security incidents (here the most famous player is Group IB). "Analog" tools can also be added: document analysis, employee surveys, etc. Therefore, strictly speaking, detectives, polygraph examiners, profilers are also participants in information security outsourcing in their narrow tasks.



There is a proposal on the market for fine-tuning security policies in a DLP system. As the implementation progresses, the user may have related questions: what to do with the hardware, how to set up tolerances, what documents to sign with employees. Independent companies provide such services, but in fact it is the work of good implementation departments, engineers and technical support of the vendor itself.



The market is still motley simply because of its young age. But it has already formed an abundant offer for most of the customer's requests in one-time assistance of an information security specialist.

Regular monitoring

If a company needs to solve not one-time tasks, but to protect information on a permanent basis, a DLP system will be required. Otherwise, preventing, detecting and dealing with internal security incidents is difficult. Without a person who will analyze information from it, software is not very effective. But most companies with teams of 100 people often simply cannot answer the question "do we need it?"



Therefore, the next level of outsourcing arises - to outsource system management and incident analytics from DLP. So far, only a few work in this market (in fact , SearchInform , Softline, Jet Infosystems). The service is implemented in several formats, depending on the level of access that the customer is ready to give to the outsourcer, that is, on the trust in him.

What can an outsourcer do?

1. - .
2. , ; .
3. , .

Relationships can evolve as you work. Conventionally, at first the customer was ready to transfer to the outsourcer only the DLP configuration and the unloading of the entire “sheet” of reports from it. Seeing the effect and benefit, it may come to handing over and parsing the content of incidents.



Due to the fact that the market is still developing, it is not always easy for a customer to formulate a request, choose a format for working with an outsourcer, and prioritize control. Accordingly, signing an SLA from the start is not always possible.



Nevertheless, an effective format of interaction is already taking shape. Here is the approach in which foreign outsourcers (MSSP, Managed Security Services Provider) work:

1. A personal information security analyst adjusts the system in accordance with the tasks set by the customer.
2. . « » (, - , ..)
3. , - ( – ).
4. ( //).
5. - .

Most likely, information security outsourcing will continue to develop within such a framework, because this format contributes to the creation of trusting relationships between the participants in the process. But the market will not be fully formed yet, someday risk insurance will appear on it, which will greatly advance the client / outsourcer relationship forward. But the process is already underway - we can see it from the reaction of customers. Therefore, on the way to “you cannot live without it” we are somewhere at the point “there is something in this”.