Formulation of a cyber security sourcing strategy and successful insourcing of core security services from service provider

Sector: Pharma
Area of expertise: Cyber Security
Service area: Executing projects


The Chief Information Security Officer (CISO) and Head of the global Security Operations Center (SOC) of a global pharmaceutical company had decided to evaluate the sourcing strategy of its core security services, and potentially bring relevant services inhouse.

The need for change in outsourced security services was three-fold. First, suboptimal detection and response workflows related to core security controls managed by service providers led to an increased need for enhanced internal SOC control of cyber security technologies. Second, several potential cost-effectiveness parameters. Third, the use of multiple vendors and technologies across network environments increased the complexity and workload of operational processes, which led to a need for revisiting the sourcing model to make it vendor-agnostic and fit for enterprise-wide coverage.

Kopenhagen Konsulting was engaged to initially formulate the sourcing strategy and thereafter manage the insourcing of the Anti-Malware and Data Loss Prevention (DLP) services.


Sourcing strategy

In close collaboration with the management team of the global Security Operations Center and subject matter expects, Kopenhagen Konsulting formulated the sourcing strategy.

The first step entailed creating an overview of all security technologies and services, which were mapped by several parameters incl. how they were managed (internally, externally by a service provider, or a hybrid), coverage of networks, strategic outlook, how well the services were currently managed, and whether it was considered a core or supporting security service. Based on this, all security technologies and services were prioritized based on operational importance for the mission of the Security Operations Center. Secondly, the overview was used to define which services to potentially insource, and which services to continue being managed by service providers. Lastly, Kopenhagen Konsulting developed a business case to facilitate the management decision for adopting an insourcing strategy of several core security services, which among other covered expected benefits, risks, budget, resources, and a transition plan. The business case was subsequently presented to and approved by Executive Management

Insourcing of Anti-Malware and Data Loss Prevention services

The first core cyber security services in scope for insourcing were selected to be the Anti-Malware and Data Loss Prevention services. Five key change drivers led the decision:

  1. Improved visibility for the SOC to ensure one pane of glass for all Anti-Malware and DLP alerts across all network environments
  2. Higher control and efficiency in incident response
  3. Establish a foundation for enabling DLP enterprise wide to improve resilience against insider threats
  4. Improved security posture through timely capability development, automation, and orchestration
  5. Stronger internal career path across Security Analysts, Administrators, Engineers, and Architects

Kopenhagen Konsulting was selected to lead and drive the project. A global project team across three regions was defined with six distinct working teams: System & Application Management, Service Management, IT Quality, IT Sourcing, Technology Vendor Management, and a transition team from the service provider. The project was governed by a Steering Committee with senior leadership representation from the security department and IT departments, as well as several reference groups to ensure a smooth adoption of the change that among other covered regional IT departments, IT operations, service desk, and IT service management.

The project scope covered three key objectives and deliverables:

  1. Setup an internal operational team manage the services:
    A new service team in the SOC was required to ensure operational excellence post insourcing. The future operational setup was established by hiring several additional headcounts to the administration and service management team, as well as have architects and engineers allocated across the geographical offices. Furthermore, global service desk teams and IT operations departments were engaged to handle service desk routing, software package deployment and end-point support.
    Among other, the following operational responsibilities were defined and/developed as part of the project: Service roadmap, technical design and architecture, application and service operations, life cycle management, service level agreements (SLAs), software packaging, testing and qualification, change and release management, incident and problem management, capacity management, end-user support, access management, technical integrations, management reporting, and service budget. All operational processes and responsibilities were documented in formal process documentation and/or runbooks.
  2. A one-to-one transition of the as-is service from the service provider to the internal SOC
    The initial scope for the project was to ensure a seamless transition of the service from the service provider to the internal operations team. Hence, a transition team was engaged from the service provider. The transition was performed contractually with support from IT sourcing in the negotiations, and the technical migration was ensured through three separate phases before formal service take-over: 1) Two months of handover of all documentation, accesses, and technical runbooks, 2) Two months of parallel operations were the service provider upheld existing SLAs, while being shadowed by the internal team, 3) One month of parallel operations where the internal team upheld existing SLAs while the service provider were available for full assistance on request. Upon finalization of the third phase, all operational and contractual responsibilities were transitioned to the internal SOC.
  3. Consolidate installed technologies to a single vendor and implement basic DLP features globally
    To ensure full visibility and operational effectiveness the service was consolidated under a single Anti-Malware and DLP technology, as the network environments in the company historically had used various vendor technologies. Thus, a change in agents and policy orchestrator platform was implemented across the global endpoints over a two-month period. Upon having a single technology footprint worldwide, the operational team implemented basic DLP policies on every PC in the company to enhance the security level.
  4. Optimize the platform and operational policies
    Upon taking over the service, the internal operations team worked to consolidate the applied policies to optimize capacity, performance and the security posture, accesses were changed, and the required operational reporting were configured. In addition, a test and development infrastructure were established. Lastly the technology vendor agreements were changed to include periodic health check review of the infrastructure, and remediation plans were put in place accordingly to the outcome of the assessments.
  5. Design the future state of the service
    The last part of the project was to define the future state of the service, which covered the considerations such as consolidation and optimization of the infrastructure, further enablement of technical security features and capabilities, extension of the service into the Operations Technology area of the company, improved integrations with cloud platforms, and simpler and cheaper deployment processes.


The outcome of the engagement by Kopenhagen Konsulting were two-fold:

First, it established a pragmatic sourcing strategy to direct future decision making for the management of core security services.

Second, the insourcing project was completed within time and budget, and established a model to be used as a vehicle for future insourcing of services in the security department. Furthermore, the insourced services resulted in a significant decrease in costs of approximately 50 percent, while improving the overall service delivery to the Line of Business and operational excellence of the technical platform for an enhanced security posture.