Despite our desire for simplicity, IT continues to become more complex. Distributed applications or client-server models have become the norm. Smartphones and tablets are pushing mobile computing into a new era and changing user behavior. Cloud has significantly altered the way we provide IT solutions and how we meet business needs with technical solutions.
Long gone are the days when a single person could master and manage an entire enterprise network. Today, many businesses lack the dedicated staff and financial resources to manage their ever-expanding IT needs. Faced with this situation, a growing number of companies contract out part of their IT to external suppliers.
While many articles have explored the security issues linked with cloud services, there are still many people who fail to recognise the same arguments apply to other outsourcing services. In fact, the challenge of managing risks and security in a diverse IT environment remains the same; whether it’s cloud, outsourcing or managed services, the reality is you are handing control of your business’ devices or applications to someone else.
The security challenge
The challenge for many businesses is deciding the level of security controls and risks a company is willing to accept – one can choose a fully-dedicated environment where security levels are dictated by the organisation, or a public environment can be used in which the default setup is accepted.
For many businesses, the move to an outsourced model presents an opportunity to increase the level of network security. It could even be the trigger for a security upgrade.
Establishing an outsourced project
Outsourcers will generally set technical, physical and organisational security controls that will be applied across all of the outsourcer’s services. This creates a baseline and spreads the cost of security across its client base. It is essential to understand the outsourcer’s baseline and request additional security if the project requires it.
Before entering into an outsourcing agreement, it is also important to consider legal matters. If the outsourcer is providing a “standard” service, it is up to the company to ensure that the legal requirements are met – for example, regional data storage compliance and confidentiality legislation.
Managing multiple outsourcers
Outsourcer management is often neglected despite the fact that many companies outsource different parts of a project to a range of suppliers. For example, one company might handle the telephony infrastructure, while another manages the WAN. In this situation it is essential to ensure both outsourcers deliver the same level of security for their services. It is also crucial to establish clear communication between the various outsourcers and internal departments – especially during periods of disruption or change.
Incident management
Incident management (both poor and effective) has significant legal, reputational and operational impacts. It is essential to establish a process which dictates that, when a security incident is detected by the outsourcers, it is adequately evaluated and reported to the organisation within a predetermined timeframe.
Before entering an outsourcing agreement, it is necessary to ensure that the outsourcer’s obligations are clearly stated, and to check that the outsourcer doesn’t have any legal constraints that are incompatible with the business.
Conclusion
Whatever part of an organisation’s IT or process is outsourced, it is essential to ensure all security aspects are fully considered and met, and each outsourcer delivers the same level of security for their services. Detailed consideration of these challenges will allow businesses to benefit from the cost and productivity gains offered by outsourcing, while maintaining the strategic security plan of the business.