Whatever IT services you outsource -- desktop support, network maintenance infrastructure management or software integration -- there are seven critical factors to the success of your outsourced service: Security, reliability, scalability, performance, elegance, performance, future-proofing and relationship management. We always put security first on the list. Why? What about cost or simply meeting requirements?
Well, a low-cost but unsecured outsourcing arrangement will ultimately be more expensive - in remedial work, reputational damage, and worry. And I'd argue that no service will meet your requirements if it does not offer the necessary standard of security.
There are four stages to ensuring that your outsourcing arrangements will meet the required security standard: knowing your requirements; specifying your expectations of the outsourcer; ensuring that the outsourcer can meet those requirements; and staying up-to-date.
I've put together a detailed explanation of each of these stages -- a primer of sorts for any organization looking to outsource or to improve its outsourcing practice.
Know Your Requirements
Your requirement for IT security will depend upon the nature of your business, regulatory considerations, the sensitivity of the data and the consequences of loss or misuse. For example, a hospital will have very different data to worry about when compared to a bank - but both must ensure rigorous data security to meet regulatory standards.
Even when data or systems are not subject to external regulation, the needs and expectations of users and stakeholders will influence the security standards of any IT service (whether outsourced or not). You might want to consult with outsourcers on your likely security requirements but you can't outsource this stage of the plan.
Specify Your Expectations
Having determined the required standard of security, it's critical that the outsourcer can understand and implement an appropriate security strategy. Given the wide range of terminology used in IT and IT security, it's inevitable that confusion will arise during the contracting and transition phase of outsourcing unless both parties can converge on a common set of terms for IT security.
As a starter, the family of ISO/IEC 27000 series standards offer an effective framework for security - and these may be relevant and sufficient for your outsourced IT needs. The ISO 27000 family has evolved over many years of development and provides a deep and broad set of standards to cover most common IT outsourcing arrangements.
Other frameworks would include sector-specific requirements (for example, in financial services), the globally recognized SAS 70 standards for internal controls, or the best practices from industry groups. The key point is to eliminate confusion in the management of your IT security.
As the 'owner' of the system (even if you don't build or operate it yourself), you will have a statutory duty to protect any personal data that is held -- and a professional duty to protect any commercially sensitive intellectual property within the outsourced service .
Ensure the Outsourcer Meets Your Needs
It's critical that your needs are reflected in the contract so the provider is clearly "on the hook" for their security obligations. Therefore, your contractual provisions need to be workable, pragmatic and comprehensive. A "fire and forget" approach to security -- simply dumping all the obligations onto the provider -- is short-sighted and probably unenforceable.
You should thoroughly explore the capability and competence of the outsourcing supplier and their delivery team to ensure they understand your security sensitivities. You also need to understand the supplier's approach to IT security: How will access be controlled, monitored and logged for the purposes of verifying the integrity of your outsourced operations?
With security, as with any other service, you get what you pay for. So make sure you understand the commercial terms for security and do not pay over the odds for a level of security that is excessive in comparison to your real needs.
Inevitably, the constant evolution of possible threats will require a flexible and adaptive approach to IT security arrangements. Keep security as a regular agenda item for your governance meetings with the outsource provider, and develop and regularly review your joint contingency arrangements in the event of a significant security incident. Once you have embarked upon an outsourcing arrangement, security becomes a joint concern although you are still accountable.
Ensure that you exercise your rights of audit and access in accordance with the contract, and verify that the outsourcer is keeping up-to-date with regulatory requirements in accordance with their agreed obligations. An external third-party advisor may also be helpful in keeping you and your outsourcer fully effective in your IT security arrangements
Looking to the future, IT security almost certainly faces unexpected new challenges. This could be in the form of novel viruses, sophisticated attacks, gaps opened by the plethora of devices and access points, or unexpected conflicts and overlaps between applications.
As cloud computing becomes a reality, the audit trail for any one transaction becomes lost in the fog, and clients and outsourcers will need to work hard, and work together to ensure mutual assurance in the years to come.
Source: written by William Benn for Silicon.com.
William Benn is a partner with Alsbridge, an advisory firm specializing in shared services and outsourcing.