Choosing a Service Delivery Model

CESG

Selecting the service delivery model that fits your organisation and delivers the required business and security outcomes is critical. Use the following SWOT (strengths, weaknesses, opportunities, threats) analysis to consider the advantages and disadvantages of the three most common models: in-house, procured and hybrid.

STRENGTHS

In-house
• In-house resources understand the business and the environment, and can make more business-focused risk management decisions.
• Organisation has complete control of all relevant security policies, procedures and processes.
• Sensitive operational activities and information retained within the organisation.

Procured
• Supplier is responsible for recruiting, training and retaining security specialists.
• As a dedicated security organisation, the supplier is favourably positioned to hire and retain skilled resources, should have high security standards and be regularly audited.
• The supplier offers expert and specialist services as a core business.

Hybrid
• The supplier offers expert and specialist security analyst services as a core business.
• Supplier can provide critical friend and knowledge to help establish an in-house service.

WEAKNESSES

In-house
• Visibility of the risk landscape beyond the boundaries of the organisation can be limited.
• Recruiting and retaining security specialists.
• Ongoing security specialist training commitment.
• With little or no experience of operating this type of service, it will take longer to establish a service and expose the organisation to increased risk.

Procured
• Business information and monitoring data will be held off-site and managed by the supplier, raising additional risks.
• Maintaining the continuity of archived records to meet legal or regulatory requirements when a contract is terminated.

Hybrid
• The need to recruit and retain some specialists.
• The need for some ongoing specialist training.
• Maintaining the continuity of archived records to meet legal or regulatory requirements when a contract is terminated.
• Some business information and monitoring data will be held off-site and managed by the supplier, raising additional risks.

OPPORTUNITIES

In-house
• Maximise investment in existing security products.
• Reduction or redeployment of security resources for greater effect.
• Development of in-house specialist security skills.
• Flexibility to change the security operations services as required, encouraging a more pro-active and dynamic risk management approach.

Procured
• More informed risk management capability, as the supplier is developing analytic solutions to protect all its customers.
• The supplier should see patterns developing across their customer set, and provide advance warnings of attacks allowing defences to be put in place.
• The supplier may have existing 24/7 capability, if required.
• The supplier may provide mature incident response processes.
• Any dedicated security research capabilities within the supplier could benefit the organisation.

Hybrid
• Retention of sensitive operational activities and information within the business.
• Flexibility to tailor aspects of the service to meet specific risk management needs.
• 1st level response could be retained locally, with the option to request support from external service providers.
• The supplier should see patterns developing across their customers that could provide advance warnings of an attack and allow defences to be put in place.
• Development of some in-house specialist security skills.

THREATS

In-house
• In-house security analysts may not see wide-scale attacks developing.
• Easier for a malicious insider to collude with an in-house analyst.
• In-house service could be swamped by a major incident.
• Lack of skilled analyst resources in the market.
• The amount of information generated by the monitoring capability could flood the organisation.

Procured
• The supplier may be responsible for numerous customers and may time-slice resources.
• The full business relevance of security events may not be understood.
• Not having an in-house capability may give a false sense of security, and affect the organisation's IA culture.
• The supplier may only offer a standardised service which may not directly support the organisation's risk management objectives.
• Reduced flexibility and increased risk, due to long lead times to deliver changes requested by the organisation.

Hybrid
• Blurring of in-house and supplier responsibilities, possibly leading to service delivery confusion (especially in the areas of incident response and handling).
• The supplier may be responsible for a number of customers and may time-slice analytical and specialist resources.

© Crown Copyright 2015