Building a Security Services Business Case
Robin Gareiss
Executive Vice President & Founding Partner
www.nemertes.com
Agenda
About Nemertes
The Security Services Landscape and Drivers
Best Practices for ROI and Business Case
Example: Network Based Firewall Service
Bottom Line
© Copyright 2010 Nemertes Research
Nemertes: Bridging the Gap Between Business & IT
Quantifies the business impact of emerging technologies
Conducts in-depth interviews with IT professionals
Advises businesses on critical issues such as:
  - Unified Communications
  - Social Computing
  - Data Centers & Cloud Computing
  - Security
  - Next-generation WANs
Cost models, RFPs, Architectures, Strategies
Security Services Reality Check
Will security services meet the corporate risk profile?
What services are best to outsource?
  - Straightforward functions like firewalls versus complex and customized functions like identity management
Does the corporate culture work with security outsourcing?
  - Structured versus ad hoc operations
  - Distributed versus centralized operations
How does outsourcer skill set compare to internal resources?
Security Services Landscape
[Figure: security services arranged across three delivery models: Premise-Based, Hybrid, Cloud. Service labels shown: Security Information & Event Management (SIEM), Web Application Security, Vulnerability & Compliance Management, Endpoint Security, Data Leak Prevention (DLP), Managed IDS/IPS, Anti-X & Content Inspection, Firewall, Firewall/IPS & DDoS, FW/IDS/IPS]
Best Practices for Security Services ROI Model
Determine candidate security functions to outsource
  - Focus on compliance, control, and organizational culture
Look for measurable security functions
  - Skill level of person required
  - Frequency of tasks
  - Time associated with task
Assess opportunity costs
  - What else can these people be doing?
Example: Network Based Firewall Service
Baseline Requirements:
Number of employees using the service?
Loaded cost of engineering staff?
Current Security Operations Center (SOC) staffing versus desired SOC staffing?
  - Full-time versus 9-5, Monday - Friday
Net Present Value (NPV), Depreciation Method and Amortization Period?
Capital Costs
                      Cost      Quantity   Annual Total
Premise Firewall      $7,875    4          $31,500
Depreciation Year 1   $2,500    4          $10,000
Depreciation Year 2   $3,333    4          $13,332
Depreciation Year 3   $1,112    4          $4,448
Depreciation Year 4   $555      4          $2,220
Operational Costs
                                                     Quantity   Time (Hours)   Total Hours   Annual Cost
Maximum rules in FW ACL                              30
Number of on-premise firewalls                       4
Number of rule changes per year                      20         8              640           $30,080*
Number of patches per firewall/year                  12         4              192           $9,024*
Time to implement new firewall                                  8
Annual Internet Bandwidth (Assume T1 @ $500/month)   4                                       $24,000
Annual HW/SW Maint @ $1,775/year                     4                                       $7,100
Number of SOC Engineers (24 x 7)                     5                                       $450,000*

*Assumes Engineer Unloaded Salary of $90,000
Outsourcing Costs
                                         Monthly Fee
                                         Low       High      Average
Typical Network Based Firewall Service   $14,000   $20,000   $17,000*

Includes 4 T1 Service
No on-premise equipment
Full-time SOC Support

*Fees assessed from multiple NBFWS providers
Putting it all Together
Return              DIY        NBFWS
Year One CapEx      $41,500    $0
Year 2 CapEx        $13,332    $0
Year 3 CapEx        $4,448     $0
Annual OpEx         $520,204   $384,000*
First Year Total    $561,704   $384,000
1-Year Return                              $177,704
Second Year Total   $533,536   $384,000
2-Year Return                              $327,240
Third Year Total    $524,652   $384,000
3-Year Return                              $467,892

* Assumes two security staff remain to support non-firewall functions (M-F, 9-5)
Bottom Line
Evaluate compliance, culture and operational environment before choosing candidate services
Assess outsourcing effect on risk posture
Choose services with measurable tasks
  - Quantize and quantify
  - Be realistic
Focus on outsourcing as a means to maximize security staff skill set
Outsource functions that require 24x7 SOC operations