Hard-to-find security skills and the rapid pace of malware evolution make a strong relationship with a managed security services (MSS) provider as important as maintaining the internal tools to keep business executives apprised of IT-security risk, Foxtel information security manager Kevin Shaw has advised.

“Whether it’s talking with executives or with the MSS provider, the more you put into a relationship the more you get out of it,” the 18-year IT-security veteran told attendees at the AusCERT 2013 security conference. “The results of doing that pay for themselves ten-fold.”

Properly informing those relationships, however, remains one of the security executive’s biggest ongoing challenges: different expectations, changing technologies, malleable business objectives – and the constant dread of being the one confessing a security breach to a risk and audit committee or angry CEO – all force security executives to be as proactive as possible when it comes to managing risk.

“Nothing is standing still, and even the IT environment you’re trying to protect is evolving quickly itself,” he said. “With third parties such as suppliers and contractors coming through, the size of the organisation can fluctuate quite dramatically depending on what projects are on the go. So, it’s a very nebulous environment that you’re trying to build some structure in.”

“It’s like trying to bake a cake on the back of a running horse.”

Data gathering for the big picture

Shaw, who manages the information-security posture for the pay-TV broadcaster, long ago recognised the importance of knowing exactly what’s installed in an organisation’s IT environment.

“It’s amazing how many organisations don’t really understand how many devices they have on the network, who’s connecting, and where the servers are,” he said.
“These days with virtual machine environments, we have people spinning up instances all over the shop without necessarily coming through the IT or security department.”

Regular discovery scans, even those conducted outside of change management database (CMDB) systems, are crucial to keeping track of the ever-changing configuration. Once devices have been located and identified, they should be verified and approved, then tied to their owners long-term so there is a clear line of responsibility.

“I want to know that if someone adds a new server, that I can come back through my actionable intelligence and confirm that box has the right agents, has been hardened for the criteria we’ve mandated,” Shaw said. “Through repeated scans that touch the boxes on a regular basis, we can later understand whether they are in the same kind of configured state as when they were deployed.”

Under Shaw’s guidance, Foxtel has maintained a long-term MSS relationship with Symantec, which provides extra skilled staff that not only keep apprised of new threats, but monitor the company’s infrastructure 24/7 for signs of malicious activity. The MSS staff are also given data on device ownership so they can quickly tie a specific issue back to the business impact it might have.

“It really helps to be able to take all that back to the MSS provider, because they are the people with the global vision, the honeypots, and the intelligence coming back from other clients. They can start joining the dots and giving you actionable intelligence from all the data we’ve fed through.”

A few years ago, Shaw said, a potential security incident was detected only because the MSS was able to correlate the many sources of data and raise the alarm.

“The only reason it was picked up was because it went through the MSS provider, was picked up and married together with other information and sent back to us to deal with,” he said.
“Had we relied on our own resources to respond to it, we would not have picked up the signal because we didn’t have all the information that they had going through the MSS.”

The executive sell

Building on the MSS relationship not only allows Foxtel to be more proactive in maintaining its security posture, but supports interactions with executives who are less concerned with technical minutiae but think of IT security in terms of business risk.

Analysis of internal cost-recovery claims is a great way to marry IT-security activity to potential business change: once the IT staff know which business units are paying for what systems and services, it’s much easier to know how any potential security issue will affect which parts of the business.

Using this information to drive change, however, can be tricky because it can upset tightly managed perceptions of control over infrastructure. “I’ve had to learn to sell in different ways to different audiences,” Shaw said.

“Your IT operations person wants to know that your systems aren’t going to be bringing down his infrastructure; otherwise, he’s absolutely not going to let you come near anything he’s got.
Everybody owns it when they don’t want you to touch it, but nobody owns it when it’s their bum on the line if things go wrong.”

Security data from regular device scans often reveals configuration changes that might have otherwise gone unnoticed, and which could potentially affect compliance with requirements such as the PCI DSS payment-cards security requirement.

Shaw has often found it’s easier for an internal security organisation to get leverage with other business units by handballing the bad news to the MSS: “it’s always effective bringing in external parties to talk to your executives,” he laughed. “People come in externally and say the same things that you would say, and it has much more cachet if it’s coming from an external expert.”

Strong relationships, backed by justifiable assertions about the integrity of IT-security efforts, can pay off when it comes time to argue for IT-security budgets.

“Every year we find ourselves having to fight pretty hard to protect what we’ve already been allocated in terms of the budgets; those constraints are no different than anywhere else in IT,” Shaw said. “I’m constantly having to sell security and compliance, and the threat the organisation is facing, on a daily basis.”

“Your executives are not going to give you budget unless you can marry together the value from MSS, actionable intelligence – unless you can demonstrate the value to the business and where the business is trying to go. But it is a lot easier for me to get budget and funding around using an MSS than it is to buy technology and get the head count to run it internally.”