To Outsource or not to Outsource: That is the Network Security Question

SilverSky
440 Wheelers Farm Road, Suite 202
Milford, CT 06461
silversky.com

© 2013 SilverSky
Contents

The Network Security Challenge
The Options
How Do You Decide?
SilverSky Value Proposition
SilverSky's Network Security Solutions
About SilverSky

About SilverSky

SilverSky is the expert provider of cloud security solutions. We deliver the industry's only advanced Security-as-a-Service platform from the cloud, dramatically simplifying how growth-minded companies secure their most important information. Forged from our success as a managed services provider, our Security-as-a-Service platform delivers comprehensive network security and email security services that protect critical information simply and cost effectively. As companies struggle with the increasing security requirements placed on their information-intensive businesses, SilverSky's cloud-based security solutions simultaneously reduce cost, manage complexity and master all your compliance requirements from a single powerful platform. Guided by a mission to simplify how our customers secure their most important information, we create solutions that enable you to pursue your business ambitions without security worry.
The Network Security Challenge

Network security today is a massive challenge. Increasingly sophisticated threats, new regulatory compliance requirements, more expensive personnel, and tight budgets all contribute to the complexity of securing the network. There are no easy answers for protecting critical assets. Security is an absolute requirement in a world filled with cyber threats, organized digital crime, and identity thieves. Government, company, or individual assets are at risk from theft. These assets can range from life-and-death information and mission-critical intellectual property to personal information such as social security numbers. Digital assets are rapidly becoming some of the most significant assets on a company's balance sheet. IT executives are ultimately responsible for protecting these assets from compromise. Companies both large and small are holding IT leaders personally accountable for FFIEC, HIPAA, GLBA, SOX and PCI compliance. IT leaders are rising to this challenge but are often outgunned in the fight against dedicated, well-armed cyber criminals. This paper discusses how to cost-effectively turn the tables and ultimately win the battle for securing the network. We will discuss different options and the methodology for making critical decisions about how to tackle your network security challenges.

The Options

Organizations today have two security options: insource their network security or outsource it to a managed security service provider (MSSP). A few years ago, most organizations were limited to the do-it-yourself insourcing option. MSSPs weren't sophisticated enough, clients weren't ready to trust third parties with their sensitive data, and the network security problem wasn't as complex. That's changed. Today MSSPs are part of a multi-billion-dollar industry that manages security for some of the world's most sophisticated organizations.
There are pros and cons to each option (i.e., insource vs. outsource), and certain organizations can dismiss one or the other out of hand. A highly secretive national intelligence organization will simply not outsource network security. Financial institutions, retailers and healthcare organizations subject to compliance requirements may be in a perfect position to outsource network security to a service provider. Wherever you fit along the spectrum, it's critical to thoroughly evaluate your choices and optimize for security, cost-effectiveness, and compliance. The table below presents the high-level pros and cons of each option. Creating a deeper list of positives

Insource
  Pros:
    Perceived control
    Internal accountability
    Tailor solution to internal situation
  Cons:
    Expensive
    24x7x365 monitoring and management may be cost prohibitive
    Likely limited breadth of administrator experience

Outsource
  Pros:
    Focus on core business
    Cost-effective
    Leverage security experts
    Leverage compliance experience
  Cons:
    Shared control with MSSP
    Contractual accountability
    Standardized offerings

The high-level tradeoffs of insourcing and outsourcing security
How Do You Decide?

Understanding the tradeoffs between insourcing and outsourcing security is straightforward. Unfortunately, the decision-making process is not. Deciding which approach is the best for your organization can be subject to a wide range of subjective factors, including the whim and politics of individuals. To avoid arbitrary and capricious decisions, a strong methodology for choosing insourced or outsourced security is critical. Such a methodology involves reviewing five key areas. These areas should be prioritized according to their importance within the organization.

+ Level of risk
A key determinant in whether you outsource security or leave it in house is the criticality of the assets being protected. Of course, each organization's digital assets are critical to success; however, from an external viewpoint, how great is the risk if information is compromised? Is it a catastrophic event, or a major public relations nightmare? No compromise is good news; however, where you fall on the spectrum will help you decide whether you should insource or outsource.

+ Regulatory compliance issues
Federal, state, and industry regulations can be an immense challenge. Many of these regulations cover personnel (e.g., certifications), processes (e.g., due care with your infrastructure), and policies (e.g., acceptable use) and can be inordinately complex. Are they so complex that specialized in-house expertise or knowledge is necessary? Or are the regulations standardized enough that outsourcing for that expertise is more cost-effective?

+ Level of visibility in the organization
Does the board of directors want to know how secure the organization's assets are? Are you regularly in meetings with executives where security is the primary topic? Very few organizations exist to secure information, but there are many where security of information is critical for accomplishing their mission.
The obvious examples are easy to name: intelligence agencies, defense organizations, and the high-end investment banks. Many more are in the category of having critical security needs, but security is not core to their goals. They need to be secure, but internal security expertise is not required. Those organizations are excellent candidates to leverage third-party relationships.

+ Budget
Even in a difficult economy, budgets reflect what is important to an organization. What is your organization telling you with the budget you are being handed? Are they prioritizing security in a way that says "own it, manage it, control it"? Or are they saying, "leverage third-party resources for the biggest bang for the buck"?

+ Resources available and expertise
Is security in the hands of IT generalists who can be incredibly valuable for a properly functioning network, or managed by a separate, specialized IT security group? Even with security experts, what is their mission, and can they accomplish it while also manning the security console for alerts and attacks? Often, larger organizations may have 24x7 helpdesks or network operation centers. Can these organizations be leveraged to manage the security solutions? Efficiently utilizing the resources available is critical, but do the personnel on hand have the expertise and knowledge to accomplish the task? Being cost effective can become being foolish if the team isn't capable or qualified to do the task at hand.

There is no right answer to these questions, but a strong, open methodology for assessing the insource/outsource options will help an organization make a good decision. There will always be some intangibles that need to be included in the decision matrix, but the more defined the process can be with clear and open data, the better the resulting decision.
SilverSky Value Proposition

SilverSky's Managed Security Services can help your organization reduce the costs and complexity of network security, improve security posture, and ease the compliance burden. By leveraging SilverSky's security expertise, you can empower your IT department to focus on core business activities without security worry.

SilverSky's Network Security Solutions

UTM Management - SilverSky's UTM Management solution enables organizations to reduce costs and complexity and drive down security risk. Our security experts manage your UTM devices and monitor your network 24x7, empowering your IT team to focus on core business activities. We also leverage our extensive compliance expertise to reduce the costs and headaches associated with meeting regulatory compliance. SilverSky offers Firewall, IDS/IPS, VPN Remote User Access, Web Content Filtering, Web Application Firewall, and Anti-Virus solutions as part of a multi-layered UTM package or on an a-la-carte basis.

Event Monitoring and Response - SilverSky's team of security experts monitors the critical devices on your network 24x7, eliminating the need to staff an internal security team around the clock. Our team utilizes advanced techniques to investigate any suspicious activity and will take immediate action to prevent attacks from occurring. Because SilverSky correlates all security events across our massive customer base, we can identify and respond to emerging threats more quickly; we call this the "neighborhood watch effect."

Network Device Management - Network devices such as routers, switches, and circuits must be managed and monitored carefully to prevent security breaches and maintain compliance. SilverSky will monitor these devices 24x7, handle all configurations and updates, and immediately notify your team of any potential issues.

Network Protection Suite - SilverSky's Network Protection Suite is comprised of several software-as-a-service (SaaS) products.
Our software helps organizations reduce the costs and complexity of network security, reduce security risk, and reduce the compliance burden. By automating processes that are complicated and time-consuming (but necessary to protect your network from malicious attacks), SilverSky's software empowers your IT department to improve productivity and do more with less. Products include log management, vulnerability management, mobile device management (MDM), and brand protection.