My name is Alexander, and I am an analyst in the cybersecurity outsourcing department at SearchInform. I set up DLP, identify and analyze incidents, generate reports for the customer, and prevent information leaks.
Internal security outsourcing is a relatively new service; the companies that provide it can be counted on one hand. It is nice to think of yourself as a "rare bird", and when you look at the demand for information security personnel, you are generally filled with pride.
But when working with customers this does not really help, because there is no established practice on the market, which means you learn from your own bumps and bruises. Hence the idea to describe what I do and what conclusions I draw from working with customers.
Working as an internal security analyst is like going to Willy Wonka's factory with a golden ticket. With the Marauder's Map. And an invisibility cloak. With full approval from the headmaster of Hogwarts. Enough to lose your head over. But only in dreams.
The prose of life quickly brings you back down to earth, because outsourcing is essentially a customer service with its three "pillars":
· Clear request;
Adjusted for the fact that you are working with such a delicate matter as internal security incidents.
Inquiries and questions
A typical customer of cybersecurity outsourcing is a company with 50 to 200 employees. As a rule, it has no information security service, because employee control has so far been focused on discipline. Information security stops being an empty phrase only when something happens: a leak or a theft.
Deploying DLP or other large security software on its own is usually an overwhelming task for such a company: there is no one to do it. The owner already suffers from a chronic lack of time and has a pile of other headaches, and it is not clear whether it will pay off at all. Outsourcing is therefore a real way out for such a company.
To understand where the business "hurts", I ask the customer to fill out a questionnaire. I need this to understand what to pay closer attention to, what the employer considers a violation and what not, and so on.
This is just an excerpt from the questionnaire so you can get an idea:
– control priorities;
– a list of dismissed employees;
– list of contractors;
– list of competitors;
– list of mail domains of the company and competitors;
– organizational structure;
– a list of employees, including remote employees.
Here is an example of why detailed information in the questionnaire is needed.
I see that an employee is clearly discussing some order, and in the correspondence he mentions "payment by phone number". He also names the amount: 35,000 rubles. Any information security specialist will pay attention to such an incident. Before passing the information to the customer, I check it against the questionnaire: is this form of settlement accepted in the company, and is the recipient of the correspondence among the counterparties? I also collect information about which documents are involved in the payment. When I look at all of this together, it becomes clear that the likelihood that the employee is taking payments on the side approaches 100%. I pass the information to the customer.
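The check described above, a DLP alert on a payment phrase enriched with the questionnaire lists before it is passed to the customer, as an added example. This is illustrative code written for this post, not SearchInform's DLP or its rules; the questionnaire entries, the messages, the regular expressions and the scoring weights are all constructed assumptions, and a real deployment would take the lists from the customer's questionnaire and tune the thresholds with them.

```python
"""Triage of a DLP payment-phrase alert against the customer questionnaire.
Added example, not code from the original post; all data below is constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed questionnaire answers for a hypothetical customer (not real data).
QUESTIONNAIRE = {
    "company_domains": {"example-corp.ru"},
    "counterparty_domains": {"supplier.example", "logistics.example"},
    "competitor_domains": {"rival.example"},
    "dismissed_employees": {"petrov@example-corp.ru"},
    # Assumption: the customer stated that private transfers by phone number
    # are not an accepted form of settlement with counterparties.
    "phone_number_payments_allowed": False,
}

# Phrases that suggest a private transfer instead of a company invoice (assumed).
PAYMENT_PATTERNS = [
    re.compile(r"payment\s+by\s+phone\s+number", re.I),
    re.compile(r"transfer\s+(?:it\s+)?to\s+(?:my|the)\s+card", re.I),
]
AMOUNT_PATTERN = re.compile(r"(\d[\d\s,]*)\s*(?:rub\.?|rubles|₽)", re.I)
PAYMENT_DOC_PATTERN = re.compile(r"invoice|contract|act|payment", re.I)


@dataclass
class Message:
    sender: str
    recipient: str
    text: str
    attachments: List[str] = field(default_factory=list)


@dataclass
class Triage:
    severity: str  # "none", "info", "report" (regular report) or "urgent"
    score: int
    reasons: List[str]
    amount: Optional[float] = None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def parse_amount(text: str) -> Optional[float]:
    """Return the first ruble amount in the text ("35,000 rubles" -> 35000.0)."""
    m = AMOUNT_PATTERN.search(text)
    if not m:
        return None
    digits = re.sub(r"[\s,]", "", m.group(1))
    return float(digits) if digits else None


def triage(msg: Message, q: dict = QUESTIONNAIRE) -> Triage:
    """Score one captured message; weights are assumptions for this example."""
    reasons: List[str] = []
    if not any(p.search(msg.text) for p in PAYMENT_PATTERNS):
        return Triage("none", 0, reasons)
    score = 2
    reasons.append("message proposes a private transfer instead of an invoice")

    amount = parse_amount(msg.text)
    if amount is not None:
        reasons.append(f"amount named: {amount:,.0f} rubles")

    if not q["phone_number_payments_allowed"]:
        score += 1
        reasons.append("this form of settlement is not accepted in the company")

    rdom = domain_of(msg.recipient)
    if rdom in q["competitor_domains"]:
        score += 3
        reasons.append(f"recipient domain {rdom} belongs to a competitor")
    elif rdom in q["counterparty_domains"]:
        score += 2
        reasons.append(f"recipient domain {rdom} is a known counterparty")
    elif rdom not in q["company_domains"]:
        score += 1
        reasons.append(f"recipient domain {rdom} is an unknown external party")

    if msg.sender.lower() in q["dismissed_employees"]:
        score += 2
        reasons.append("sender is on the dismissed-employee list")

    docs = [a for a in msg.attachments if PAYMENT_DOC_PATTERN.search(a)]
    if docs:
        score += 1
        reasons.append("payment documents attached: " + ", ".join(docs))

    severity = "urgent" if score >= 5 else "report" if score >= 3 else "info"
    return Triage(severity, score, reasons, amount)


# Constructed sample messages.
ALERT = Message(
    sender="ivanov@example-corp.ru",
    recipient="manager@supplier.example",
    text="Same as last time: payment by phone number, 35,000 rubles. Invoice later.",
    attachments=["invoice_0417.pdf"],
)
INTERNAL = Message(
    sender="ivanov@example-corp.ru",
    recipient="sidorova@example-corp.ru",
    text="Chip in for the office pizza, payment by phone number, 1,200 rubles.",
)
BENIGN = Message(
    sender="ivanov@example-corp.ru",
    recipient="manager@supplier.example",
    text="Please see the attached invoice; payment on the usual terms.",
    attachments=["invoice_0417.pdf"],
)

if __name__ == "__main__":
    for name, m in [("ALERT", ALERT), ("INTERNAL", INTERNAL), ("BENIGN", BENIGN)]:
        t = triage(m)
        print(f"{name}: {t.severity} (score {t.score})")
        for r in t.reasons:
            print("  -", r)
```

The same phrase produces three different outcomes: to a known counterparty with an invoice attached it is escalated immediately, between two colleagues it only goes into the regular report, and without the phrase at all nothing is raised. The questionnaire lists, not the keyword, are what decide the severity.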
Of course, the customer also has questions for us. If the company already knew us (for example, it used the Timeinformer time tracker), they usually ask what exactly we are going to do in the DLP system, and how. One client also wanted his own security specialist to have full access to the program.
Customers who have had no experience with us have more questions.
Here is a sample set*:
On the essence of the service:
· what program we install for control;
· what channels it monitors;
· what we can see in the program;
· do we sign an NDA;
· in what form we will give reports;
· how often, and how much time the analyst (that is, me) will spend on them;
· whether the customer will have access to the system;
· how the software is deployed (on the customer's server, ours, or in the cloud);
· who communicates on the customer’s side;
· how to contact in case of urgent incident.
* I did not plan to answer these questions within this post, so I will just clarify briefly: we implement and maintain our own DLP, deploy it on our server or on the customer's premises, sign an NDA, and report the incidents found in an agreed form. If you have questions, I will answer them in the comments.
All the customer's questions are resolved during the trial (we run it for a month). Over that time I compile two reports, which make the essence of the service clear and show whether it is useful to the client.
In my practice, incidents are detected within the first three hours of work. We discuss them with the customer and, if necessary, adjust how we work.
For example, after the first report I learned from one client that he needed a different incident notification schedule. At first we had agreed that I would report only urgent, dangerous violations such as leaks. But it turned out that the client wanted to learn about violations of labor discipline in the same way. In other companies it is enough to receive this information as part of the regular reports.
I myself used to read that if there is one thing that cannot be outsourced, it is internal security. Such talk still exists, but it is rare now.
By the time a client comes to me, the manager has already answered his main questions, so a basic level of trust exists. Sometimes, even during negotiations, it is important for the customer to look the analyst in the eye and see that a real, sensible person will be working with him.
If there was wariness at first, it fades away in the course of the work. I think the client comes to see that I am not emotionally involved in the process and do not seek to judge his company or employees, because I do not have lunch with them or celebrate corporate holidays with them.
I convey information dispassionately. If something critical has happened, I report it urgently. Other violations go into the regular reports.
For example, I do not bother the customer every day with notifications about such violations of discipline as prolonged smoke breaks; I report them as part of a regular report. I point out that the picture is as follows: in accounting there are about 2.5 hours of inactive time every day. That is half an hour employees spend on morning coffee, plus an hour reading the news before lunch, plus half an hour chatting afterwards; the computer sits idle for another half hour before they leave work. Then the customer decides for himself how critical these violations are.
Effective interaction can be organized only if there is feedback between the customer and the outsourcer. This is not always the case. It happens that I send a report to the client and get no reaction. Then I run the risk of underestimating the importance of some violation and missing the sign of a larger incident. The company always knows better what is critical and how quickly one must act to prevent the problem in time.
Also, when there is good contact, I can direct the client’s attention to some risk.
For instance, I see that one of the employees is planning to quit. For the company it is a personnel problem; for me it is a security problem. On leaving, an employee may take data with them, out of revenge or simply to take their work along. So my job is to draw the customer's attention to such cases and to tighten control.
Customer response to incidents varies. Some react instantly and take action at once: as soon as I reported that an employee was using TeamViewer in violation of the rules, the program was removed within an hour. In other companies, management takes a wait-and-see position.
The first approach stops the problem quickly, which in some cases is necessary. But afterwards we may stop seeing other incidents for a while, because employees, having been warned, start using workarounds. The second approach makes it possible to uncover large fraudulent schemes, which come to light only through long-term monitoring. But sometimes you have to put up with small losses along the way. Such is the gambit.
Both approaches have their pros and cons. If the work is set up correctly and based on trust, the client and I quickly come to an understanding of how to act. There was even one interesting case where a customer ordered outsourcing before buying DLP for in-house use: its information security service wanted to see how we handle incidents, learn from our experience, and develop its own approach to response. This is not a typical story, but it is an exemplary one.
In general, talent wins games, but teams win championships.