Network information security service enterprises in the eyes of a network security veteran - Security Village

Posted by fierce at 2020-03-02

(This article is based on a revision of the author's earlier blog post; the last revision was made on February 28, 2018.)

On the first working day after the holiday, the seventh day of the first month of 1898, I was startled to learn that a famous catering enterprise in Hangzhou, Zhiweiguan, had a daily turnover of more than 2 million yuan during the Spring Festival. What startled me was not that it sells more than 3,000 servings of Dongpo pork and more than 1,000 West Lake vinegar fish in a day, but my rough estimate that the annual turnover of Zhiweiguan equals that of a medium-to-large enterprise providing network security products and services nationwide. This leads me to believe that the market capacity of a single crayfish dish in the catering industry can rival that of the entire Chinese network security industry. The network security industry is a very small industry, so what is the situation of its branch, network information security services?

Let's first take a look at the latest authoritative definition of network security: it refers to the ability, by taking the necessary measures, to prevent attacks, intrusions, interference, damage, illegal use and accidents on the network, to keep the network operating stably and reliably, and to guarantee the integrity, confidentiality and availability of network data (quoted from the Network Security Law of the People's Republic of China, which came into force on June 1, 2017). Back in the day, people who identified themselves as information security practitioners looked down on those doing network security. Now it is different: cyber security has been redefined to cover data, systems and cyberspace. As a foundation of the country, it is a domain of national sovereignty as important as the nation's sea, land, air and space. In my view, the connotation of security has shifted from the information security of data in the beginning to information system security, and has now evolved into cyberspace-oriented network security, as shown in the figure below.


Now let's see what a network information security service (hereinafter "security service") is. A security service is a security process or task performed by suppliers, organizations and personnel. It also refers to services that meet the needs of overall security management and provide enterprises and governments with comprehensive or partial information security solutions. A security service is an integration of security controls, and can be divided into security management services, which focus on managing procedures and risks; security operation services, which focus on personnel implementing and operating security controls; and security technology services, which focus on specific security control measures. The risk assessment, consulting and planning, security audit, policy optimization, emergency response, penetration testing, technical training and so on that we often talk about all fall within the scope of security services. Mapped onto the whole life cycle of an information system, the "best practice" of security services can be illustrated by the following figure.


According to relevant statistics, the domestic network security market capacity in 2017 was 40 billion yuan, and in the author's experience security services account for roughly 10%-15% of the whole network security market. At present there are 14 listed companies in the network security industry. In 2017 Q3, their operating revenue totaled 11.64 billion yuan, a year-on-year increase of 37.2%; the median growth rate of operating revenue was 25.3%. Three network security companies were listed in 2017, two of them through IPO, namely Geer Software and Zhongfu Information, while 360 entered the A-share market through an asset restructuring with the listed company Jiangnan Jiajie. This year the total disclosed investment and financing of domestic network security companies reached 1.1 billion yuan, down from 1.5 billion yuan in the same period of the previous year.

Network and information security will develop alongside big data, cloud computing, the Internet of Things, artificial intelligence, mobile applications and other fields, and national regulations and systems on network security will gradually be improved. Network security work is itself a process whose essence is risk management: because information security risk always exists and information security products cannot solve every problem, information security services have become the core of information security work. In the context of a focus on business security, evaluating and consulting on the customer's business systems from the three aspects of management, technology and application systems can help customers fully understand their own risks and provide them with more complete and targeted security solutions.

At present, the policy environment and market environment of security services are still in the "primary stage". Compared with the total investment in information engineering, the proportion spent on information security, in both the construction stage and the operation and maintenance stage, does not match its importance. In the eyes of user leadership, network security may be: important when talked about, secondary when done, and dropped when busy. If the security service is regarded as a product, users today are confused about what it delivers. For service items ranging from tens of millions of yuan down to a few thousand yuan, users only see that the number of people involved and the length of the work differ, while the final deliverable may be the same and may not have any effect at all.

At present, there are several main types of security service forces: mainstream security product and service vendors; large Internet companies and the self-built security teams of enterprises, companies and institutions; companies that focus on a particular industry and do customized services; and companies that are not specialized in security services and integration.

At present, the security services and the value that security service providers deliver still need to be recognized by users. In other words, security services have not yet been accepted by users at the level of "paying for them". Under these conditions, relying solely on security services cannot, for the time being, generate income as high as security products do. At most security product manufacturers, the security service department essentially exists to assist product sales, and professional security-service-oriented companies are developing slowly.

Compared with product technology, services usually have greater localization advantages, so the security service market has recently become the target of many security enterprises. The author has been engaged in security service work at security service providers since the start of his career, and the problems security service providers encounter can be summarized as follows: vicious competition in the industry; unclear and fast-changing project scope; difficulty controlling project progress; rapid turnover of implementation personnel; and conflicts over the resources needed for project implementation.

1) Vicious competition in the industry

Vicious competition exists in every industry. In the security service industry, the author thinks vicious competition is the biggest problem troubling daily work. The reason is not a matter of right or wrong; the survival of the enterprise is the first need. Here we can only sigh, and 200 words are omitted. If we stand a little higher, we could say that the vision of security service enterprises is not broad enough. In the competition of the security market, the enemies of security service companies should be the black and grey industries and the hostile forces that threaten national security; these are the ultimate enemies.

2) Unclear scope of the project

Because security services are a new business, most sponsors of information security service project requirements have little involvement in or understanding of the information security field, and few have professional technical personnel who can put forward clear project scope requirements. During project implementation, the scope changes with the wishes of Party A, user needs, external conditions, time factors and other factors. There are often big differences between the final deliverables and the project's initial requirements description, which often increases overall implementation cost, lengthens the implementation cycle, and can even leave the two parties unable to agree on the changed scope, making project acceptance difficult.

In most projects, the implementation scope of a security service project is measured differently by the service provider and the customer. In actual project management, customers lacking professional information security knowledge can only propose a vague project scope based on their own business needs, and the service provider proposes framework items based on that fuzzy scope. When it comes to meeting business needs and project quality while keeping implementation cost from running out of control due to scope change, the two parties often fail to reach agreement.

3) Project schedule is difficult to control

In a security service project, most of the work is knowledge work, and the schedule may be the only visual representation of the project deliverables that the team can use to manage and track the project. But this is another big problem.

The implementation plan of a security service project changes frequently as the project proceeds, and schedule control lacks effective means. The influencing factors mainly include: objective factors on the user's side, such as changes to the operation and maintenance plan of the user's information system or temporary new requirements or specifications from the superior supervisor and regulatory authorities; subjective factors on the user's side, such as the user's understanding of the information security discipline gradually becoming clearer as the project proceeds; changes in scope and requirements; factors from third-party operation and maintenance and development vendors related to the information system; security requirements in special periods, such as National Day, the Two Sessions, large domestic and international conferences, and hostile attacks; resource conflicts on the critical path when implementing multiple projects; and poor communication among project stakeholders during implementation.

4) Fast flow of security service personnel

Security service is a talent-intensive service industry, and high staff turnover is an important factor affecting the implementation progress and quality of information security service projects. The core members of a security service project are mainly staff with 1-3 years of work experience. Such personnel are in the unstable period of their career planning, and the "Internet Plus" wave has made the whole industry more restless; they lack a firm career plan and the resolve to resist outside temptations. On the other hand, the project manager of an information security service project is generally someone with 3-5 years of work experience. After a period of accumulation, such personnel have some understanding of the information security industry and have formed their own networks; they often feel the urge to start a business or a partnership, or are sought after by industry headhunters and change jobs.

Beyond personal reasons, domestic information security service enterprises, or their information security service departments, have generally not existed for long; most are still in the early stage of enterprise development and have many management problems. The main causes are: a lack of mature corporate culture, insufficient communication among personnel, the superior-subordinate relationship, and so on. Corporate culture is the "spiritual soul" of an enterprise; employees treat it as the criterion for judging behavior, and its influence is huge. Its effect on attrition is pervasive, complex and cannot be ignored. In the early stage of development, enterprises generally only have rules and regulations, with no corporate culture of their own, no sense of belonging, no sense of ownership, and no emotional ties that are hard to sever, so the idea of leaving arises more easily.

Secondly, there is little communication between employees. Because of the lack of everyday communication, employees cannot feel the company's atmosphere. Communication between employees and their immediate superiors is very important; without it they cannot understand each other, and other aspects suffer. Communication between senior management and grassroots employees is also very important. Top management tends to look at the company's development from a strategic point of view, and the policies it proposes are forward-looking, but most grassroots employees are looking at how things are now. In company communication, the middle level often knows what senior management is doing, but grassroots staff do not; some do not understand senior management's practices and are not optimistic about the enterprise's future.

Finally, the sense of identification is insufficient and the path of career development is not smooth. Employees do not feel valued by management. For example, when key employees are lost and management says nothing, employees feel they are unimportant in management's eyes; when feedback is insufficient, employees feel their efforts are not recognized and cannot see the results of their efforts. There is also the problem of role matching: employees feel their ability is strong, but their role cannot make use of it. Because the company's relevant positions are limited, everyone's room for development is limited; and because of heavy work pressure, even when training opportunities exist they sometimes have to be given up, which leaves employees feeling there has been no development for a long time.

5) Conflict prone internal resources

For a security service provider, the size of its full service team is fixed. Because of conflicts over internal resources, the implementation quality, schedule and cost of information security service projects often differ greatly from the original plan. For example, during the implementation of information security service projects, the information security needs of special periods (National Day, the Two Sessions, large domestic and international conferences, hostile attacks, emergency plans for information system failures) often lead to sudden requests for the company's internal resources; and because the company undertakes multiple projects of the same type at the same time, concurrent requests for resources (personnel, tools) on the critical path will occur.

To solve the vicious competition problem in the security service industry, the government, security manufacturers, security service providers and all parties in the whole industry chain need to work together; it is a long-term process of jointly building a complete industrial pattern and a good industry atmosphere. A security service company should formulate a set of project management mechanisms suited to its actual situation, effectively define the project management process and the responsibilities and rights of the relevant personnel, and standardize time management, cost management, progress management, scope management, communication management, risk management, quality management, procurement management and human resource management across the five phases of project initiation, planning, implementation, control and closure.

In view of the problems in implementing security service projects, the author believes security service projects fall mainly into two categories: short-term or one-off implementation, and medium- to long-term step-by-step implementation. In a short-term or one-off project, Party A directly employs an experienced service provider to take part in the construction or operation and maintenance process. Such projects are generally based on clear service requirements, such as security assurance during important periods, emergency response services, and information security technology training services. The other category, medium- to long-term step-by-step implementation, is a traditional project management mode. Here we need to apply project management theory to the practice of security service project management: starting from basic theory and combining it with the actual situation of the project, we can apply it flexibly and formulate and take specific measures to control project progress. After all, project management theory is highly summarized and abstract, not a universal formula. To do a good job of security service project management, we must consider the problem from the perspective of the whole project. Project management is an overall system engineering effort; all fields and aspects are complementary, cannot exist independently, and need to coordinate and cooperate with each other. Effective scope management, communication management, human resource management and project integration management can alleviate the impact of various subjective and objective factors on project schedule management.

To solve the problem of resource conflict, in addition to conventional means such as overtime, parallel implementation and outsourcing, each company also needs to establish a resource conflict resolution mechanism suited to its actual situation to handle resource conflicts during project implementation.

To solve the problem of rapid personnel turnover in security services, in addition to fully considering the risk of personnel changes at the project planning stage, effective supplements are needed at the company management level, combined with the company's cultural construction, career planning, construction of promotion channels for personnel, and other aspects.

Solving the above problems is also an important part of running a security service enterprise. In my opinion, a group of MSSPs (managed security service providers) will emerge in the future, and these enterprises may operate as partnerships. Such MSSP enterprises can be understood as providing only a platform, similar to a law firm: security service teams join as small groups or individuals and operate in the amoeba mode. Amoeba management takes the leader of each amoeba as the core, lets them make their own plans, and relies on the wisdom and efforts of all members to achieve their goals. Through this practice, every front-line employee becomes a principal actor and actively participates in the business, achieving "all-employee participation in management" and letting every employee care about profit like the boss. In fact, many domestic security service providers have already partially adopted this operation mode, but have not put it on the table.

The partner system combines corporate governance structure with incentive mechanism, and is a power structure for enterprise management. As the company develops, we should focus not only on the incentive level but also on the corporate governance level. The operation of a partnership cannot do without frank communication among the partner team. During the company's operation there will inevitably be conflicting opinions and conflicts of interest, and as partners they need to communicate frankly. The core of the partnership system is the trust and cohesion of the team.

The author of this article is a technical veteran of network security who has been engaged in network information security services and enterprise management work on the Party B (vendor) side. Because of individual differences in the development track and business scale of the enterprise where the author works, the author's viewpoint and perspective have certain limitations. This article is for reference only, and exchanges are welcome.