Kevin Watkins, Enterprise Security Architect at BAT - BAT’s Managed Security Service Provider (MSSP) Journey
Who are BAT?
• World’s second largest tobacco company, founded over 100 years ago.
• Operates in approximately 186 countries.
- A number of them being in the more interesting areas of the globe.
• Has 250 brands.
• Approximately 95,000 employees (45,000 ‘knowledge workers’).
• Gross turnover £40bn per year (£26bn taxes).
Currently undertaking a major re-alignment of business practices from a federated model to a centralised business model.
Looking for consolidation of business practices and supporting IT systems.
Whilst the underlying business is the same, there is a drive for more shared services.
A heavy focus on consolidation to leverage capabilities and reduce costs through:
- Enterprise class solutions
BAT Security journey
• 2010 – Establish a base foundation – Security organisation and capability
• Now (we are here) – Optimise the foundation (enhanced)
• Next – Right-sized cyber-security (advanced)
Security – The journey
Security – The toolset
Why outsource?
Challenges of running security with an internal team
• Multi-technology, multi-discipline – staff churn
• Not a technology company
• Drive for outsourcing
• How to keep contemporary
Benefits of an outsourced MSSP
• Centre of excellence
• Provided by a technology company
• Leverage core providers
Strategic expectations of a managed service
Wanted to leverage existing shared services
- Provider invests in the service, to sell to others
- Influence BAT security strategy
- BAT can influence the provider’s services strategy
Market maturity was always going to be an issue!
- Unlikely to get (or desire) everything as a managed service today
- Current state and strategic direction often unclear
Hard to assess during RFP
- Different expectations of reference sites
- Differences between geographies
- Differences between dedicated and shared
• Single provider of firewalls across the globe
• Single provider of endpoint security
• Global SOC and security monitoring capability
• And some true managed tools with real value add
• A quantum leap forward, delivering real benefits
• Cost and time trump quality
- Commodity purchase vs partnership
- Customer interferes to drive costs down
• Dedicated services, built to customer specification
- Provider driven to address customer-specific requirements
- SLA focussed – lose sight of the business outcome
- Need for internal resources
• Customer expectations of the resultant service
- Driving CI outside of SLAs?
- Business outcome driven services
- Internal resourcing model
Security gets harder
Threats grow in sophistication and variety
The “Nexus of forces” increases our exposure
What expectations does the business have regarding cyber-security?
Mobile – new endpoints, new gateways
Social – business naïve to the new medium
Cloud – new ways in, collateral damage
Information – are we ready to secure this?
Cyber-security:
• Predicting attackers, targets and approaches
• Detecting sophisticated attacks
• Responding to compromise
vs. traditional IT security: prevention, risk management and compliance.
We are dependent on outsourced services to meet the increasing need.
Lots of tools to master! But who is:
• Looking for suspicious activities?
• Proposing new capabilities?
• Aligning security to the threat?
Cyber-security joins the dots (BAT interpretation)
• Cyber Security – “Assess the posture”, “Identify the threat”
• Security Operations Centre – “Run the toolset”
• IT Security Management – “Manage Security”
Diagram labels: what is happening in the wider world; look for this; what is happening inside BAT; operational security status; what is the status.
MSSP managed services work well when either:
• Provider operates the customer’s service
• Provider has an existing shared service (system of record)
• Be clear whether a provider is selling managed services or managed resources.
You can’t outsource the risk of the customer being compromised, only the controls we expect the provider to execute.
• The need for cyber-security must be justified
• The cyber-security function is likely an internal function (systems of innovation)
• Take true managed services where they really exist and where they fit (pace layering)
• Retain design and ownership where they do not
• Cyber-security is key
Discussion points (subject to time)
• Historically seen as an infrastructure operation and monitoring of point solutions.
• We need more, e.g. security engineering, life-cycle management, incident management and incident response, continuous improvement, etc.
• Are the vendors/suppliers able to deliver, or are we asking for too much?
• The MSSP should form part of the strategic capability for security.
• This is against the original cost driver and is not a commodity purchase.
• Not self-standing – requires supplemental internal resource and a true partnership with the MSSP.
• Must be agile to tackle growing cyber threats.
• How do we position this internally and commercially?
• Structure – should the MSSP sit:
- As part of IT?
- As part of the CISO office?
- Or as a separate operational capability?
• Does separation offer any ‘checking’ value, or does it make it disjointed from the strategy?