He said he prefers to measure items which provides an idea how effective companies are at helping clients manage and mature their security posture. There are several SLAs Kudelski provides as part of its client agreements including response and triage time for security events, health issues, quiet data sources, etc.
"We offer our clients service credits and monetary guarantees in the unfortunate case where we have a violation. There are also more subtle mechanics we like to follow, such as % of false positives which helps us make ongoing improvements to our monitoring and ensuring data sources are properly configured to provide the appropriate relevant, contextualised data via a specific use case, and how many of our threat hunting findings can be translated into new monitoring alerts," he said.
He added that effective security is difficult to measure but a reasoned, pragmatic approach to evaluating and measuring effectiveness is required to steadily improve a vendor's capability in a rapidly evolving threat landscape.
Allan suggested some security service commitments could be:
- Documented secure architecture (perimeter, hardening, processes, etc)
- End to end encryption for both data-at-rest and data-in-motion
- Security insurance that covered breaches or costs relating to exposure
- Industry related certifications
"However, these are not service level agreements and having security in the SLA doesn't immediately make sense to me," he said. "There is rarely, if ever, any kind of security SLA - mostly because security is applied in layers rather than a checkbox. The approach that most providers use is to achieve a compliance certification with attestation from a third party (HIPAA, PCI, etc). Those that are more mature will document a public security architecture model which they leverage at both the physical and operational side."
He said a security SLA would almost always cover the five core areas only - hardware, software, availability, reporting and notification, and incident response times.
Source: CSO Online
Sign up for CIO Asia eNewsletters.