
Kevin Watkins, Enterprise Security Architect at BAT - BAT’s Managed Security Service Provider (MSSP) Journey


Kevin Watkins, Enterprise Security Architect at BAT, presented at CIO Event in October 2014



  1. BAT’s Managed Security Service Provider (MSSP) Journey
  2. Who are BAT?
     • World’s second largest tobacco company, founded over 100 years ago.
     • Operates in approximately 186 countries.
     • A number of them being in the more interesting areas of the globe.
     • Has 250 brands.
     • Approximately 95,000 employees (45,000 ‘knowledge workers’).
     • Gross turnover £40bn per year (£26bn taxes).
     Currently undertaking a major re-alignment of business practices from a federated model to a centralised business model. Looking for consolidation of business practices and supporting IT systems. Whilst the underlying business is the same, there is a drive for more shared services.
     A heavy focus on consolidation to leverage capabilities and reduce costs through:
     - Standardisation
     - Enterprise class solutions
     - Increased governance
  3. BAT Security journey
     • 2010 - Establish a base foundation - Security organisation and capability
     • Now - Optimise the foundation (enhanced)
     • Right-sized cyber-security (advanced)
     (Figure labels: “We are here”; “Security – The journey”; “Security – The toolset”)
  4. Why outsource?
     Challenges of running security with internal team
     • Multi-technology, multi-discipline – staff churn
     • 24x7 capability
     • Not a technology company
     • Drive for outsourcing
     • How to keep contemporary
     Benefits of outsourced MSSP
     • Centre of excellence
     • Provided by a technology company
     • Predictable costs
     • Leverage core providers
     (Figure labels: Core Services; Infras security; Identity security; App security; Data security; Assurance; Security services; Threat intelligence; SOC; Monitoring; Governance)
  5. Strategic expectations of a managed service
     Wanted to leverage existing shared services
     - Escalator effect
     - Contemporary services
     - Shared costs
     Thought leadership
     - Provider invests in service, to sell to others
     - Influence BAT security strategy
     - BAT can influence provider services strategy
     Market maturity was always going to be an issue!
     - Unlikely to get (or desire) everything as a managed service today
     - Current state and strategic direction often unclear
     Hard to assess during RFP
     - Different expectations of reference sites
     - Different between geographies
     - Differences between dedicated and shared.
  6. Successes, Issues
     Successes:
     • Single provider of firewalls across the globe
     • Single provider of endpoint security
     • Global SOC and security monitoring capability
     • And some true managed tools with real value add.
     • Quantum leap forwards and delivering real benefits.
     (Figure label: Time)
     Issues:
     • Cost and time trump quality.
       - Commodity purchase vs partnership
       - Provider readiness.
       - Customer interferes to drive costs down
     • Dedicated services, built to customer specification
       - Provider driven to address customer specific requirements
       - SLA focussed - lose sight of the business outcome.
       - Need for internal resources
     • Customer expectations of resultant service.
       - Driving CI outside of SLAs?
       - Business outcome driven services
       - Internal resourcing model.
  7. Security gets harder
     Threats gain in sophistication and types
     The “Nexus of forces” increases our exposure
     • Mobile – new endpoints, new gateways
     • Social – Business naïve to the new medium
     • Cloud – New ways in, collateral damage
     • Information – Are we ready to secure this?
     What expectations does the business have re cyber-security?
     • Predicting attackers, targets and approaches
     • Detecting sophisticated attacks
     • Responding to compromise
     Vs. Traditional IT Security prevention, risk management and compliance.
     We are dependent on outsourced services to meet the increasing need. Lots of tools to master! But who is
     • Looking for suspicious activities?
     • Proposing new capabilities?
     • Aligning security to the threat?
  8. Cyber-security joins the dots (BAT interpretation)
     (Diagram; recoverable labels follow.)
     • Cyber Security – “Assess the posture”
     • Threat Intelligence – “Identify the threat”
     • Security Operations Centre – “Run the toolset”
     • IT Security Management – “Manage Security”
     • Prevention; Detection; Response
     • External sources; Vendor sources; Provider sources
     • Mgmt boards; ISMS; Policy
     • What is happening in the wider world; Look for this..; Block this; Initiate response
     • What is happening inside BAT; Operational security status
     • Analytics; Reporting; Architecture; Transformation; Analysis; Orchestrate; Assess
     • What is the status
  9. Key points
     MSSP managed services work well, when either:
     • Provider operates customer’s service
     • Provider has existing shared service (System of record)
     • Be clear where a provider is selling managed services or managed resources.
     You can’t outsource the risk of the customer being compromised, only the controls we expect the provider to execute
     • The need for cyber-security must be justified
     • The cybersecurity function is likely an internal function (systems of innovation)
     Strategic outsourcing.
     • Take true managed services where they really exist and where they fit (Pace Layering)
     • Retain design and ownership where they do not
     • Cyber-security is key
  10. Discussion points (subject to time)
     • Partner capabilities
       - Historically seen as an infrastructure operation and monitoring point solutions.
       - We need more e.g. security engineering, life cycle management, incident management and incident response, continuous improvement etc.
       - Are the vendors/suppliers able to deliver or are we asking for too much?
     • MSSP should form part of the Strategic Capability for Security
       - This is against the original cost driver and is not a commodity purchase.
       - Not self-standing - requires supplemental internal resource and true partnership with MSSP
       - Must be agile to tackle growing cyber threats.
       - How do we position this internally and commercially?
     • Structure – Should the MSSP sit
       - As part of IT?
       - As part of the CISO office?
       - Or as a separate Operational capability?
       - Does separation offer any 'checking' value or does it make it disjointed from the strategy?
  11. Q&A
