Intelligent CISO Issue 16 | Page 50

FEATURE possibly threat intelligence and analytics. Using automation where possible can create new efficiencies, and new ways to improve efficacy of cybercapabilities. For example, we’re seeing increased use of AI to automate threat detection and response and in automating some or all of the steps needed for response and remediation to significantly reduce security analyst workload and shrink the time it takes to remediate. This can make the difference between a contained incident or full-blown breach. Automation doesn’t replace humans though, it augments them. as natural candidates to outsource; based on cost, complexity, availability of staff and time to value. Vectra: Organisational learning and contextual knowledge cannot be outsourced. But what you can outsource is much of the heavy lifting of security operations with which you can integrate your people and processes. Many organisations, even large enterprises, are hybrid in their security operations, blending in-house specialists with outsourced operations. For example, a service provider can deliver continuous monitoring of end points and networks, Are there differences in how SMEs and enterprises should approach maximising the efficiency of their security? SecureLink: It is important to assess maturity in relative terms. An SME is unlikely to have the resources of a larger organisation, but neither do they have the same level of active targeting. That being said, with the trend of cybercriminals looking at third party suppliers of large enterprises as easier targets, SMEs cannot afford to underestimate their cybersecurity responsibilities. Having an ongoing picture of security maturity across the organisation – covering people, processes and technology and ensuring a balanced set of capabilities to prevent, detect and respond to threats – is key. In that sense, the approach is not different but the benchmarks that the organisation sets and validates with experts, should be realistic and achievable. Does outsourcing reduce the cost of security operations? How should organisations evaluate whether to manage their own security or outsource it? SecureLink: The most common way is to assess the current operating state, develop a target operating model and then analyse where the gaps are. This can then be developed into a programme that identifies what existing staff, processes and technology are in place or can be adapted to fit the future state. However, it is also important to analyse any opportunities to outsource a particular function or set of functions (for example, managed detection and response). In doing this, a detailed cost and effort analysis can be done against all gaps and, more often than not, there will be functions that present themselves 50 You cannot fully outsource security responsibility, but you can outsource functions and that’s where cost-savings can be made. quarantining of infected hosts and remediation, while the organisation maintains and operates its defensive and access controls. SecureLink: It often does, but this depends on mapping the end-to-end operating model – particularly with managed detection and response. You cannot fully outsource security responsibility, but you can outsource functions and that’s where cost- savings can be made. However, these savings are only realised when the whole process and operating model is mapped out, understood and committed to. A common problem we see is that customers will buy the service then never react to it or use the information provided. So, committing to realising the value is vital and is where you sort out the good MSSPs from the bad. A good MSSP will drive that value and will have an onboarding process that supports this, rather than some of the basic approaches we’ve seen such as ‘send us all your logs’ or ‘send us your network traffic’ and then there is misaligned expectations on all sides. An outsourced service lives or dies on how it is integrated into existing operations. u Issue 16 | www.intelligentciso.com