Essential security operations and outsourcing it
EITN: What are essential security operations in an organisation, and under which department does it usually fall under? It is interesting that your pitch mentions issues facing IT teams instead of cybersecurity teams.
Aaron: Every organisation is different and, as such, the essential security operations will vary across the board however typical operations will include a combination of activities aimed at protecting the organisation’s digital assets and minimising cybersecurity risks. These operations can include:
- Implementing and managing security tools including firewalls, intrusion detection systems and antivirus software
- Conducting regular vulnerability assessments and penetration testing
- Monitoring and analysing security events and incidents
- Responding to and mitigating security incidents
- Managing user access and privileges
- Establishing and enforcing security policies and procedures.
- Reporting on cyber threats, incidents and compliance
- Understanding, calculating and educating on cyber risks
The responsibility for these security operations can fall under different departments depending on the organisation’s structure and size. In larger organisations, it is managed by a dedicated cybersecurity team, which may be a part of the IT department or a cyber focused third party however in many smaller organisations the responsibility can fall to a general IT person or even office admin, which is not ideal as these people don’t often have the capacity or training to deal with cybersecurity.
EITN: What are the strategic issues that IT teams are faced with? What are the other projects that IT teams are usually working on as well?
Aaron: Just as no two organisations’ security functions are the same, IT teams face their own unique strategic challenges based on the nature of their business. This means that organisations risk profile will vary as well. A financial institution may have less of a risk appetite than a small business. This can be driven by the need to comply to certain standards or the business impact if a cyber breach were to occur. Also, some organisations will also be limited either by budget or resources to dedicate to cyber security.
However, like cybersecurity, there are several IT functions that are common amongst most businesses – whether these functions are managed in house or via a managed service provider. These include:
- Managing and optimising IT infrastructure to support the needs of the organisation
- Balancing the implementation of new technologies and older systems upkeep
- Addressing cybersecurity risks and protecting sensitive data
- Enhancing data privacy and regulatory compliance
- Working with other departments to establish and achieve their technological needs.
IT teams also typically work on projects such as system upgrades, software development and deployment, network infrastructure enhancements, cloud adoption, data management, user support, and IT service management.
EITN: Why can’t IT teams take a fully outsourced approach? What other operational issues do they find they still need to manage and what are the barriers they face when they want to outsource?
Aaron: Outsourcing IT services can be a practical way for businesses of all sizes to increase productivity and reduce expenses. Adopting cybersecurity as a service is a particularly viable option for many organisations to acquire 24×7 monitoring and response protection as it is difficult for internal teams to manage this level of coverage on their own. Outsourcing helps to add to the capacity and capability of IT teams. Typically, organisations still require internal resources as the have critical intimate knowledge of the business. Tasks that tend to remain internal include running the IT business, managing business expectations, and providing the strategic input that outsourcing is not designed for. For example, a service delivery manager or relationship manager is often allocated to help ensure the success of the relationship with the service provider.
While outsourcing may seem an attractive option, there are barriers to organisations. It is very tempting for organisations to simply say ‘we will just outsource it” however unless organisations are clear on what tasks they are outsourcing. Where internal teams remain, there needs to be clarity on roles and responsibilities as both service duplication and gaps can appear. Similarly, if organisations are not clear on the quality of service they want, there can be misaligned expectations on the service delivered.
EITN: How can teams apply defensive controls and take a more strategic and coordinated stance when faced with cybersecurity risks and attacks?
Aaron: Ultimately, the risk of a cyber attack remains with the business. While organisations may outsource some of the tasks, they cannot outsource the risk. This means that organisations should maintain a strategic security plan. This plan should identify critical data sets, personnel, infrastructure and services. It should also outline an incident response plan and how the organisation will respond during and after a cybersecurity event. Responding to a critical cyber incident can be an incredibly stressful and intense time and preparation is to key limiting the overall impacts. While nothing can fully alleviate the pressure of dealing with an attack, here are some tips to help you should your business fall victim to a cyber attack:
- Follow your plan
If organisations should create an incident response plan and then stick to it. During a cyber attack, there are often many voices who can influence the response. Executive and senior business management will need to be kept informed, but they are not necessarily the best people to manage the incident. We recommend sharing the incident response plan across the organisation and, if possible, practice some scenarios with key stakeholders so everyone knows their role in advance.
- React as quickly as possible
When under attack, time is of the essence. Teams must understand the severity of the situation and act with a sense of urgency. Attacks often occur at inconvenient times, leading to delayed responses. Overwhelmed teams may suffer from alert fatigue, causing crucial signals to be missed. By planning for incidents in advance, teams are better equipped to react swiftly.
- Don’t declare “mission accomplished” too soon
Merely treating the symptoms of an attack is not enough. Incident response should address the root cause and ensure the attacker’s complete removal from the environment. Sometimes initial detections serve as test runs for attackers, and if they still have access, they will likely strike again. Thorough investigations by experienced incident response teams can reveal deeper attacker footholds and neutralise them accordingly.
- Learn the lessons
Once the incident has concluded and the “all clear” given. It is very easy for organisations to move on and address the risk or vulnerability. Organisations should look at root causes and make the necessary changes whether be a technical upgrade, process change or training to ensure that the initial risk has been mitigated to an acceptable level.
- It’s okay to ask for help
The lack of skilled resources to handle incident response is a significant challenge for organisations. Cybersecurity as a service, such as Sophos Managed Detection and Response (MDR), offers a solution. MDR services provide outsourced security operations delivered by a team of specialists who work as an extension of the customer’s IT or security team. These services combine human-led investigations, threat hunting, real-time monitoring, and incident response with advanced technology to gather and analyse threat intelligence.
According to Gartner, the adoption of MDR services is on the rise, with 50% of organisations projected to use them by 2025 signalling a trend that organisations are realising they will need help to run a complete security operations and incident response program.
Even organisations with skilled security analysts can benefit from collaborating with an incident response service like Sophos MDR. Such services help bridge gaps in coverage, provide specialised roles, and offer support during critical times, including nights, weekends and holidays.
EITN: Which phase of a cybersecurity attack do Sophos solutions address?
Aaron: Sophos is a worldwide leader and innovator of advanced cybersecurity solutions, including Managed Detection and Response (MDR) and incident response services and a broad portfolio of endpoint, network, email, and cloud security technologies that help organisations defeat cyberattacks. As one of the largest pure-play cybersecurity providers, Sophos helps organisations defend themselves from active adversaries, ransomware, phishing, malware, and more.