Building a Security Services Business Case. Andreas M Antonopoulos Senior Vice President & Founding Partner

Transcription

1 Building a Security Services Business Case Andreas M Antonopoulos Senior Vice President & Founding Partner

2 Agenda About Nemertes The Security Services Landscape and Drivers Best Practices for ROI and Business Case Example: Network Based Firewall Service Bottom Line

3 Nemertes: Bridging the Gap Between Business & IT Quantifies the business impact of emerging technologies Conducts in-depth interviews with IT professionals Advises businesses on critical issues such as: Unified Communications Social Computing Data Centers & Cloud Computing Security Next-generation WANs Cost models, RFPs, Architectures, Strategies

4 Security Services Reality Check Will security services meet the corporate risk profile? What services are best to outsource? h Straight forward functions like firewalls versus complex and customized functions like identity management Does the corporate culture work with security outsourcing? h Structured versus ad hoc operations h Distributed versus centralized operations How does outsourcer skill set compare to internal resources?

5 Security Services Landscape Premise-Based Hybrid Cloud Web Application Security Managed IDS/IPS Endpoint Security Security Information & Event Management (SIEM) Endpoint Security Data Leak Preventio n (DLP) Anti-X & Content Inspectio n Web Application Security Endpoint Security Vulnerability & Compliance Management Anti-X X& Content Inspectio n Managed Firewall Managed FW/IDS/IPS Managed Firewall/IPS & DDoS

6 Security: Drivers for Managed Security Services

7 Best Practices for Security Services ROI Model Determine candidate security functions to outsource h Focus on compliance, control, and organizational culture Look for measurable security functions h Skill level of person required h Frequency of tasks h Time associated with task Assess opportunity costs h What else can these people be doing?

8 Steps for Success

9 Example: Network Based Firewall Service Baseline Requirements: Number of employees using the service? Loaded cost of engineering staff? Current Security Operations Center (SOC) staffing versus desired SOC staffing? h Full-time versus 9-5, Monday - Friday Net Present Value (NPV), Depreciation Method and Amortization Period?

10 Network Based Firewall Service

11 Capital Costs Cost Quantity Annual Total Premise Firewall $ 7,875 4 $ 31,500 Depreciation Year 1 $ 2,500 4 $ 10,000 Depreciation Year 2 $ 3,333 4 $ 13,332 Depreciation Year 3 $ 1,112 4 $ 4,448 Depreciation Year 4 $ $ 2,220

12 Operational Costs Quantity Time (Hours) Total Hours Annual Cost Maximum rules in FW ACL 30 Number of on-premise firewalls 4 Number of rule changes per year $ 30,080* Number of patches per firewall/year $ 9,024* Time to implement new firewall 8 Annual Internet Bandwidth (Assume $500/month) 4 $ 24,000 Annual HW/SW $1,775/year 4 $ 7,100 Number of SOC Engineers (24 x 7) 5 $ 450,000* *Assumes Engineer Unloaded Salary of $90,000

13 Outsourcing Costs Monthly Fee Low High Average Typical Network Based Firewall Service $14,000 $20,000 $17,000* Includes 4 T1 Service No on-premise equipment Full-time SOC Support *Fees assessed from multiple NBFWS providers

14 Putting it all Together Return DIY NBFWS Year One CapEx $ 41,500 $ 0 Year 2 CapEx $ 13,332 $ 0 Year 3 CapEx $ 4, $ 0 Annual OpEx $ 520,204 $ 384,000* First Year Total $ 561,704 $ 384, Year Return $ 177,704 Second Year Total $ 533,536 $ 384, Year Return $ 327,240 Third Year Total $ 524,652 $ 384, Year Return $ 467,892 * Assumes two security staff remain to support non-firewall functions (M-F, 9-5)

15 Bottom Line Evaluate compliance, culture and operational environment before choosing candidate services Assess outsourcing effect on risk posture Choose services with measurable tasks h Quantize and quantify h Be realistic Focus on outsourcing as a means to maximize security staff skill set Outsource functions that require 24x7 SOC operations

16 Thank You Andreas M Antonopoulos SVP & Founding Partner andreas@nemertes.com