BAT’s Managed Security Service Provider (MSSP) Journey
Who are BAT?
World’s second largest tobacco company, founded over 100 years ago.
Operates in approximately 186 countries.
• A number of them being in the more interesting areas of the globe.
• Has 250 brands.
• Approximately 95,000 employees (45,000 ‘knowledge workers’).
• Gross turnover £40bn per year (£26bn taxes).
Currently undertaking a major re-alignment of business practices from a federated model to a centralised business model.
Looking for consolidation of business practices and supporting IT systems.
Whilst the underlying business is the same, there is a drive for more shared services.
A heavy focus on consolidation to leverage capabilities and reduce costs through:
- Standardisation
- Enterprise class solutions
- Increased governance
BAT Security journey
• 2010 - Establish a base foundation - Security organisation and capability
• Now - Optimise the foundation (enhanced) [We are here]
• Right-sized cyber-security (advanced)
(Slide diagrams: “Security – The journey” and “Security – The toolset”)
Why outsource?
Challenges of running security with an internal team
• Multi-technology, multi-discipline – staff churn
• 24x7 capability
• Not a technology company
• Drive for outsourcing
• How to keep contemporary
Benefits of an outsourced MSSP
• Centre of excellence
• Provided by a technology company
• Predictable costs
• Leverage core providers
Core Services
- Infrastructure security
- Identity security
- App security
- Data security
- Assurance
Security services
- Threat intelligence
- SOC
- Monitoring
- Governance
Strategic expectations of a managed service
Wanted to leverage existing shared services
- Escalator effect
- Contemporary services
- Shared costs
Thought leadership
- Provider invests in the service, to sell to others
- Influence BAT security strategy
- BAT can influence the provider’s services strategy
Market maturity was always going to be an issue!
- Unlikely to get (or desire) everything as a managed service today
- Current state and strategic direction often unclear
Hard to assess during RFP
- Different expectations of reference sites
- Differences between geographies
- Differences between dedicated and shared.
Successes, Issues
Successes:
• Single provider of firewalls across the globe
• Single provider of endpoint security
• Global SOC and security monitoring capability
• And some true managed tools with real value add.
• Quantum leap forward and delivering real benefits.
Issues:
• Cost and time trump quality.
- Commodity purchase vs partnership
- Provider readiness.
- Customer interferes to drive costs down
• Dedicated services, built to customer specification
- Provider driven to address customer-specific requirements
- SLA focussed - lose sight of the business outcome.
- Need for internal resources
• Customer expectations of the resultant service.
- Driving CI (continuous improvement) outside of SLAs?
- Business outcome driven services
- Internal resourcing model.
Security gets harder
Threats gain in sophistication and types.
The “Nexus of forces” increases our exposure.
What expectations does the business have regarding cyber-security?
- Mobile – new endpoints, new gateways
- Social – Business naïve to the new medium
- Cloud – New ways in, collateral damage
- Information – Are we ready to secure this?
Cyber-security:
- Predicting attackers, targets and approaches
- Detecting sophisticated attacks
- Responding to compromise
Vs. Traditional IT Security: prevention, risk management and compliance.
We are dependent on outsourced services to meet the increasing need.
Lots of tools to master! But who is
• looking for suspicious activities?
• proposing new capabilities?
• aligning security to the threat?
Cyber-security joins the dots (BAT interpretation)
(Slide diagram: four functions and the flows between them)
- Cyber Security – “Assess the posture”
- Threat Intelligence – “Identify the threat”
- Security Operations Centre – “Run the toolset”
- IT Security Management – “Manage Security”
Diagram labels: Prevention; Detection; Response; External sources; Vendor sources; Provider sources; Mgmt boards; ISMS; Policy; What is happening in the wider world; Look for this..; Block this; Initiate response; What is happening inside BAT; Operational security status; Analytics; Reporting; Architecture; Transformation; Analysis; Orchestrate; Assess; What is the status
Key points
MSSP managed services work well when either:
• Provider operates the customer’s service
• Provider has an existing shared service (System of record)
• Be clear where a provider is selling managed services or managed resources.
You can’t outsource the risk of the customer being compromised, only the controls we expect the provider to execute.
• The need for cyber-security must be justified
• The cyber-security function is likely an internal function (systems of innovation)
Strategic outsourcing.
• Take true managed services where they really exist and where they fit (Pace Layering)
• Retain design and ownership where they do not
• Cyber-security is key
Discussion points (subject to time)
• Partner capabilities
  - Historically seen as an infrastructure operation and monitoring point solutions.
  - We need more, e.g. security engineering, life cycle management, incident management and incident response, continuous improvement etc.
  - Are the vendors/suppliers able to deliver or are we asking for too much?
• MSSP should form part of the Strategic Capability for Security
  - This is against the original cost driver and is not a commodity purchase.
  - Not self-standing - requires supplemental internal resource and true partnership with the MSSP
  - Must be agile to tackle growing cyber threats.
  - How do we position this internally and commercially?
• Structure – Should the MSSP sit
  - As part of IT?
  - As part of the CISO office?
  - Or as a separate Operational capability?
  - Does separation offer any 'checking' value or does it make it disjointed from the strategy?
Q&A

Kevin Watkins, Enterprise Security Architect at BAT - BAT’s Managed Security Service Provider (MSSP) Journey