The news that NHS Digital has received more money to fund their ongoing SOC services programme highlights a broad uptick in investment in cyber capabilities across the NHS as health boards and trusts across England and Wales seek to implement detection and response capabilities. With 200 NHS trusts across England having failed security audits in 2017, the focus is now on the rapid improvement of security capabilities across almost all the organisations providing frontline care, and this typically means SIEM technologies will be at the top of the 'to do' list.

While the headlines speak of investments being made to improve the ability to identify and respond to coordinated attacks and other cyber risks, the key focus of the trusts remains patient safety and therefore the availability of care systems, not IT or cybersecurity per se. Many trusts have few or no experienced cyber experts, which raises the risk that security technology investments will be made with a 'tick box' mentality.

Before making a purchase, NHS trusts can do a great deal to improve the chances of successfully implementing their SIEM platform of choice by focusing their procurement and delivery planning on the critical security use cases that the organisation will realise value from. Too many organisations are still failing to define the specific risks they wish to address and to understand what is required to mitigate those risks from a technology selection, project delivery and service operations perspective, defaulting instead to a 'taking the road to anywhere' mentality, which almost always leads to somewhere they didn't need to be.

Security technology vendors, by comparison, have a wealth of experienced security professionals with thousands of man-years of experience in delivering security capabilities, and yet we vendors, myself included, are rarely engaged in discussions with prospective clients seeking validation or a critique of their project plan or vision; they default instead to assessing the features of one technology against others.

End-user procurement and security service owners evaluating different technologies spend little or no time asking questions that will provide insight into deployment and operational best practice, which are arguably more important to the success of the project than the tool itself.

Rather than exclusively focusing time together with vendors on comparing one feature set against another, buyers should engage experts who can help them answer key questions such as:

  1. What are the key risks that need to be monitored and reported on?
  2. What are the key use cases the platform needs to deliver / support?
  3. When will the organisation realise value and will they recognise it when they see it?
  4. Who will run the platform and at what level of service?
  5. Do they have a security partner that is really able to help them move up the security maturity curve rather than just facilitating the sale of the technology, and are they willing to work with a vendor-recommended partner instead of their favourite one-stop shop?

Having the answers to these questions in advance of talking to technology vendors will help buyers to quickly identify those vendors that can help projects succeed at attaining their stated objectives rather than simply making a sale and hoping it will deliver something of value at some point.

Expert guidance need not come with a price tag either. Most technology suppliers eager to demonstrate the value of their organisation (not just their product) will spend time with prospective clients helping to set them up for success, including yours truly.