It’s been almost 2 years since Declan Ingram did this presentation at Kiwicon looking at perimeter security (IDS/IPS/WAFs/FWs etc.) and “Managed Services”.

Listen to the start of the podcast for the introduction (some good stuff) and then the full presentation, which starts at 14:50. As Patrick Gray of Risky Business says: “If you are a Chief Security Officer, this is a must listen”:

http://risky.biz/netcasts/risky-business/risky-business-49-your-shiny-new-ips-wont-save-you

Talking recently to a client who is about to go into RFP for a “managed services” solution highlighted to me that many organisations are still struggling to understand what it is they actually want vs. what they will actually get and end up with. Accountability hand-balled to someone else? Better security? Meeting compliance? What do they want? Read on:

The big tip for all organisations is to be careful and wary, ask questions, and ensure you know what your requirements are AND that your provider can meet them and can actually prove to you they are doing what they say they are doing for you! You don’t want to end up in a situation like the one I talked about in this linked post:

“Let’s spend a few million on something that ‘will make our organisation secure’! The sales guy guarantees it. (12 months later, sales guy is working for a competitor and now bags that product he sold the client last year as being crap ‘…and far from being able to deliver what we told them it would’). Just recently I spoke with a Senior Sales Head who has moved on to another company. He wasn’t fussed at all to tell me about a large Managed Services deal he closed last year with his old company that also included a heap of leading-edge ‘security’ products. ‘We made a squillion! But you know what Draz, while it’s “okay”, it just doesn’t work in some critical areas – parts of the SLA the client deemed as critical to them and areas we told them it would work. They won’t know and the chances of them finding out are low to non-existent.’ ‘How could you do that?’, I asked. ‘Well, it was a key requirement for the client and we decided we could do a sort of “workaround” that almost gave them what they really wanted. They don’t know that. We wanted to win this business and we did what it took to win it.’ Knowing what it was he was talking about, and to protect my source, I won’t go into detail about it, but their ‘workaround’ was not so much a ‘workaround’ in my opinion, but rather something that totally changed the outcomes of the deliverable to a level that potentially would increase the risk to the client. How often does this happen? More often than not in my opinion, and we see stuff like this all the time.”

The old saying is so true: “You cannot outsource accountability!” Make sure you end up getting what you are “buying”, and if you are not sure, get someone in to help you – before you sign if possible, but even after you have purchased. Contracts and SLAs are there for a reason. (Hopefully you’ve at least had your legal team cover you.)

  1. Whoa says:

    I wonder what PCI QSAs make of the comments made about card info in logs of these systems. I don’t imagine your average PCI QSA is even thinking about this. Worse still, do most even have the expertise to assess what Declan Ingram is even talking about?

  2. V3ndor says:

    Great podcast. Really highlights how big a rort this can be. The millions/billions being blown on managed services not being done right is scary! Trusting salesmen with no skin in the game nor care factor is just nuts.

  3. Viktor says:

    Thank you Declan Ingram. After listening to this 2 weeks ago we were able to better understand and work on our new contract with our supplier. They must now change a lot. We now think about where the money went. Everyone in the office listened to the podcast. Funny but important. Best I have listened to.

  4. Bruno says:

    I think Declan sounds very sexy for a computer man. My computer is broken, Declan, and wants some fixing. I can be secured any time, Declan.