This is the first of a three-part article that provides advice to organisations looking to procure managed security monitoring, protective monitoring (PM) and/or Security Operations Centre (SOC) services.
This article focuses on public sector organisations, although the general advice applies to any organisation. If you are a public sector organisation (any organisation on this list), you should use G-Cloud to procure these services; see the buyer's guide for more information on this framework: G-Cloud buyers guide
Why use G-Cloud for protective monitoring services?
- It's very competitive; the open marketplace drives down prices
- Suppliers have already signed up to the terms and conditions, which makes the commercials easy
- Maximum 2-year terms make your supplier work hard to keep you
- You can opt for shorter terms and change supplier quickly if needed
- You may be able to trial the service to ensure it meets your needs
- You can change supplier easily
- You can compare prices and service features and benefits
There are many other generic reasons why G-Cloud is very buyer-friendly, but this article focuses specifically on protective monitoring.
What are the perceived problems with using G-Cloud for protective monitoring services?
We will try to stick to the commercial/procurement arguments, not the technical ones:
The negatives we hear often are:
- With such a short-term contract, we will only just be getting started before we reach the end of it. PM is often seen as something that takes time to deploy and tune, and for large organisations or large requirements this is seen as a major hurdle
- On a similar theme, there is a concern that the chosen supplier will implement and roll out their particular software and appliances, thereby binding the customer to that supplier and removing the customer's ability to change supplier
- The customer may have made existing investments in security technology that they wish to leverage (i.e. they do not want to replace their existing technology with that of the supplier)
- The customer may have an existing Security Operations Centre (SOC), or at least some security staff, that they wish to retain rather than replace. How could a G-Cloud PM service fit in with this?
- The customer may require more than what is being offered. A large organisation's PM requirements may fall more into the SOC or CERT category than the PM category, so how do they address the gaps, and how could a jigsaw of services work together effectively?
Ensure you know exactly what the PM service does, i.e. what the supplier is offering. Use a comparison matrix to compare suppliers' services that covers both technical and operational aspects.
How to avoid the pitfalls / how to select the best suppliers
Use G-Cloud to your advantage! There are two key areas in the G-Cloud service terms and conditions that are often misunderstood when it comes to PM services: on-boarding and off-boarding. Understanding how to apply these effectively to PM is vital for the buyer. These are fixed costs that the supplier must stick to for deploying their service, and later for removing it and migrating any data they hold to the new supplier. The buyer can use them as follows:
- Ensure that the PM service has fixed on-boarding costs that cover all the time and effort, kit, etc. required to deliver the service. Do not accept claims that it's too difficult to predict: we can do it, so there is no reason why other suppliers can't.
- Ensure that the PM service has fixed off-boarding costs that cover the time and effort to remove the service and migrate any data collected to a new service. Do not accept claims that this is too difficult or 'depends on too many variables'. We can do it, it is possible, and it is vital to ensure you don't get tied into any one supplier.
The above two points can be used to mitigate most of the perceived problems: if you can fix these costs, you can evaluate the true cost of a service, the cost of implementing it and the cost of moving to a new one. If in doubt, opt for a short initial term or a trial; G-Cloud makes it easy to change supplier if you need to. For larger organisations, and those who have existing PM services and staff in place, there are a few more points to address:
- Look for a supplier who will work with you (a collaborative approach). The supplier needs to be flexible and agile and must be able to accommodate your existing services. This may seem difficult to achieve under a G-Cloud contract, but not if the supplier has already built this into their service offering
- Focus on suppliers that are as technology- and product-agnostic as possible. You won't be able to contract for SOC staff to run your existing technology (this is not what G-Cloud is for), but you can look for a SaaS PM service that provides light-touch integration with your existing technology and supports a collaborative delivery model in which your own staff also use the service. This is referred to as loosely coupled.
- Service offerings that provide this loose coupling are likely to be described as SOC services; this is a key item to look out for, as a SOC service should provide more than a PM service.
- Once you have whittled down the list of potential suppliers to those that provide true SOC services, ask each of them the following questions:
- How will you integrate with and support our existing technology?
- How will you integrate and support our existing processes?
- How will your service operate alongside our existing team?
- Can you provide a full 2-year cost breakdown given the following scenario... (ask the same of all shortlisted suppliers)
- Can you provide fixed on-boarding, off-boarding and data migration costs?
Choose a PM supplier that offers short terms (3 or 6 months), even if you are looking at a 2-year contract, as this is a good indicator that the supplier has designed their service to minimise on-boarding and off-boarding effort.
Look for offerings that provide scalability, and ensure you can cost up expansion and compare those costs with other suppliers' services. Ensure you can easily price up expanding and/or shrinking the service; the service should be designed to be 'elastic'. If you are a public sector organisation looking for PM services and you are considering a supplier that doesn't have PM services on G-Cloud, or whose G-Cloud service doesn't provide fixed-price on-boarding, off-boarding and data migration, ask why this is. We would go further and advise you to walk away as soon as possible and choose a supplier who does.
- Look for suppliers who offer services, not particular products, as the service aspects are what count
- Look at the outcomes of the services offered; don't focus entirely on the technical aspects (e.g. assessing events per second). Instead, decide what outcomes need to be achieved and determine which service addresses them best. Do you require an incident response service or just a detection service? Clarify what would happen if an incident were detected.
- Look for SLAs in the service: what are they, and what do they cover? Assess the scope of the service. Is it just a log monitoring and alerting service, or does the supplier offer more (both in terms of technical security items and service-related items such as triage and incident response)?
- Ensure you create a comparison matrix to compare features
- Ensure you create a comparison matrix to compare prices, including how the service would be scaled up
- Look for the flexibility to scale up and down (look for flexible service levels that can change month by month, or even day by day)
- Always choose suppliers with up-to-date, valid Cyber Essentials Plus (CES+) and ISO 27001:2013 certifications, and ensure that these are scoped correctly (i.e. they cover the services being supplied to you).
In the second part of this series we focus on the main reasons why these services can become expensive, and provide advice on how to avoid the common pitfalls.