IT outsourcing can be a highly positive experience.
You outsource your IT operations to someone who has more experience and expertise and can do it more cost-efficiently.
However, for an outsourcing venture to succeed you will need to have a proper information security risk management process in place. One of the better methodologies you can use, to prevent unnecessary risks, is the information security risk management standard ISO 27005.
If your methodology is in place and a security strategy has been laid out and communicated to both your organisation and outsourcing supplier then you have nothing to fear. But when it isn’t done properly it can have a negative impact on your organisation.
The 2013 Trustwave Global Security Report had less than positive news on outsourcing. The researchers discovered that of 450 global data breach investigations, 63% were linked to an outsourcing supplier.
The outsourcing supplier responsible for IT system support, development or maintenance had neglected or introduced security deficiencies that were easily exploitable.
The results are strikingly similar to a report from 2009, commissioned by VanDyke Software and carried out by Amplitude Research. They discovered that sixy-one percent of their 350 respondents, whose organisations outsourced IT jobs, had experienced an unauthorized intrusion between 2007 and 2009.
In comparison only thirty-five percent of the companies that did not outsource had dealt with unauthorized intrusions.
Don’t worry, take proper measures Don’t let these numbers scare you. There are many highly professional outsourcing suppliers out there.
Most of the issues reported in the above studies are due to miscommunication between organisations and their outsourcing supplier. The blame can therefore not be placed solely with the supplier, but should instead be shared between both parties.
When IT outsourcing is done correctly it can be highly beneficial for both you and your outsourcing supplier. All you have to do is take the proper steps to ensure a secure and rewarding outsourcing experience.
Where to start? Performing a proper risk assessment can inoculate you against a bad outsourcing decision.
First consider what areas you want to outsource. Then look into what the potential business impact would be if something went wrong, and whether outsourcing makes you more vulnerable.
The more risk involved, the more you need to vet the potential outsourcing supplier. SecureAware can help you with this by, among other things, supplying you with questions that you can present to your potential outsourcing partner.
A recognised security standard, such as ISO 27001 for information security, is a good indicator that the outsourcing supplier takes security seriously, but it is never a guarantee.
You’d also want to check who did the accreditation, as there are some “fast-track certifications.” You also want to check out what parts of the business the certification covers.
Next you’d want to check if they “practice what they preach,” if they don’t your company name may end up all over the six o’clock news.
Building a trusting relationship This process isn’t just a matter of inspecting their business once or twice. This can take weeks or months. You rely on them to manage risk aspects on your behalf. You need to be certain that they are up to the challenge, and that you understand each other.
Building a mutually understanding and trusting relationship can take time and requires a large amount of diligence on both sides. It is important that both parties take the time to fully cover exactly how this partnership is to go down.
That way you can minimize misunderstandings and potential security issues. Take the necessary steps and you will be on the road to a positive and beneficial outsourcing experience.
For inspiration you can use this list of questions that you can present to your potential outsourcing supplier:
Feel free to give us feedback if you found the list useful or not, or if you have any additions.
About the Author: Lars Neupart is founder of Neupart A/S and wants you to know that SecureAware = efficient information security. Get more of him on Twitter.
PS: Click here to follow us on LinkedIn.
Here's how SecureAware can help your IT outsourcing risk management:
- It can help you ask the right questions to your supplier and collect the responses.
- It can help assess your business risk in relation to your IT outsourcing provider.
- It can help manage and communicate your requirements to your supplier as an integrated part of your information security policies.
Click here to read more about how SecureAware can benefit your organisation.