Today, mitigating outsourcing security risks is more important than ever. Burton Group Analyst Diana Kelley offers tips on determining risk levels, monitoring your vendor and negotiating service level agreements.
CIO: How would you describe the security landscape surrounding outsourcing today?
Kelley: I would say that it's a landscape that is becoming more defined and is gaining awareness overall. Companies have learned that they need to be security-aware with outsourcing. And, ultimately, one of the most important lessons is that you can't transfer your reputational risk. If something goes wrong, it's going to come back to you, not necessarily to your outsourcer. So that fantasy of "I'm not going to have to worry about it anymore, I just give this problem over to somebody else and they'll take care of it" is just not true.
CIO: Can you give some recommended practices to ensure the highest degree of outsourcing security?
Kelley: The number-one important thing you can do is to understand what it is you're outsourcing. And that sounds kind of simple, right? It's like, well, I'm outsourcing my call centre; I'm outsourcing the management of my security. But it goes much deeper than that. It's actually understanding what's implicated in the outsourcing structure from a risk management perspective. So if you're outsourcing data — let's say it is a call centre — well, does that have insurance patient data, personal health data in there? Is it some other personally identifiable information that needs to be protected? You're not just outsourcing a call centre, it's the data and the controls around that data that you're also outsourcing.
A call centre's also a great example where a company's being represented by the vendor. If the person who's answering that call is not helpful or doesn't have the right information, you associate that with the organization you were trying to reach. So you're outsourcing a lot of things — your reputation, the protection of the data, the risks associated with it, the regulatory compliance requirements around the data or even the business processes that are involved. So number one, you really have just got to get a handle on what it is you're outsourcing and what you need to do to protect that.
CIO: Which country you're outsourcing to and the particular risk levels of each country, that's important as well?
Kelley: Yes, absolutely, because we have different legal jurisdictions in different countries, even different areas in the same country. We have a number of different requirements here in the US, but also around the world there are requirements. So in the US, we're used to hearing about the old standards by now — HIPAA and SOX and the privacy disclosure laws that are known under the umbrella of SB 1386. We also have the SEC 17a-4 Rule for brokers and traders. In Canada, for example, they have PIPEDA for privacy; in Japan they're looking at implementing something that's being called JSOX; in the European Union there's the Data Directive. And these different regulations around the world impact what can and can't be done with data and the storage of that data and the processing of that data.
So you need to be aware of what kind of requirements are extant in the jurisdictions that you're outsourcing to, as well as what kind of legal recourse you may have. If someone loses your data in the country you're used to doing business in, you're used to the legal system and the kind of recourse that you have within your own legal system. But other legal systems around the world may operate differently, so you want to understand that as well, because you don't want to be in a situation where they lose your data but you don't have any legal recourse to either get your data back or have some sort of remuneration for the damage that was potentially done.
Another thing that's important about different countries in the world is that we have different levels of geographic stability. For example, there are flood zones in certain areas of certain countries or tornado areas. There are different levels where the power grids are more stable or less stable, so you also want to assess those kinds of things.