Mind the Gaps: Leveraging “Security as a Service” to Gain Cyber Advantage
4.14.2016 | Data Connectors, San Diego
srobb(at)controlscan(dot)com | 800.825.3301
Steve Robb, SVP Marketing & Product Strategy

Leveraging Security as a Service to Gain Cyber Advantage | ControlScan


© ControlScan 2016

Technology continues to open up new frontiers

“Internet of Things” connected sensors and monitors

Cloud storage and infrastructure

Mobile access

“Shadow IT” implementation of SaaS business applications

More points of vulnerability, more surface area for attacks, global accessibility

ePHI

EHR

An expanding perimeter with more points of vulnerability, more surface area for attacks, offering global accessibility


We’re creating gaps in our ability to protect data

Technology adoption is outpacing security and compliance

Attackers are evolving and innovating as fast or faster

We struggle to keep up with the basics

Gaps are forming between what’s truly required to maintain security and…

What is typically in place

What can realistically be maintained

These gaps are further manifested in survey after survey…


“The Current State of Security Threat Management”

Lack of internal resources and insufficient budget are preventing IT teams from creating a strong security posture for their organizations

52% of in-house IT teams do not include an information security professional

One-third have the same security budget this year that they had in 2015 – and 2014

62% feel their organization's security-related investments are not sufficient for their business's level of risk

What does this mean?

52% are attempting to monitor security logs in-house (without in-house security expertise) and 29% aren’t monitoring their logs at all

48% are trying to conduct their own security risk assessments

“Just not enough technology or knowledge”

Q4 2015 Survey Conducted by ControlScan


Spotting the gaps before you’re tripped by them…

Eyes on Security: incorporating security into “business as usual”

Access to Expertise: on-the-spot experience and knowledge

Best Practices, Proven Processes: consistent, predictable execution

Defense in Depth: belts and suspenders for your infrastructure security

Adaptability: rapid response in the face of new threats and internal changes

Financial Flexibility: flexibility in executing a security & compliance strategy


The results of gap inaction and indecision…

Breaches of sensitive data

Disruption/distraction within operational areas

Unbudgeted costs to remediate/recover

Fines levied for contractual/compliance violations

Complex efforts to recover

Ongoing, closer scrutiny

Erosion of brand name and customer confidence

Security

Compliance


Leveraging “Security as a Service”

Identify the gaps: Risk Assessment

Fill the gaps; add layers: Managed Security Services

Prove compliance: Gap Analyses, Assessments

Maintain Security, Compliance: Ongoing monitoring, management


Eyes on security

Continuous security monitoring

Time to discovery and response

Leveraged insight across multiple environments


Access to expertise

Security hiring challenges continue to grow

Opportunities for experts-on-demand

Requirements for ongoing training and development


Best practices; proven processes

Best practices surfaced across industries and frameworks

Predictable deployments

Consistent operations

SLA-backed reporting


Defense in depth

Multi-layered defenses

More challenging for the attacker; contingency when a layer fails

Layers as “services” often easier to add or shift

MSSP Sec Ops

SIEM


Adaptability

Leveraging best-of-breed solutions

Expansion and refinement of in-place solutions

Taking advantage of latest features/functions in solution upgrades

Overall elasticity of solution to manage environmental growth and change


Financial flexibility

Procured Internally        Year 1    Year 2    Year 3    Total
Hardware purchase          $1,995                        $1,995
Software license           $1,333    $1,333    $1,333    $3,999
Annual maintenance
Staff ($120k, 2%)          $2,400    $2,400    $2,400    $7,200
Training                   $300      $300      $300      $900
Total:                                                   $14,094

MSSP                       Year 1    Year 2    Year 3    Total
Installation & setup       $250                          $250
Service subscription fee   $2,400    $2,400    $2,400    $7,200
Total:                                                   $7,450


So what’s the downside?

Cost perceptions

Trust issues (parallels with cloud computing)

Loss of control

Potential loss of internal SME/competency over time

Hard to bring back in house

MSSP understanding of internal culture/dynamics

More limited choices in technology


Consider this when selecting a partner…

Competence in Security + Compliance – they should be considered in tandem

Certifications – proof points for ongoing investment in education & development

Flexibility – willingness to adapt solutions to your business vs. one size fits all

Holistic – lifecycle support from “Identify” to “Recover”

Balanced – solutions supporting both “Protect” and “Detect”