When it comes to data security, many firms decide they’re happy just to leave it to the experts, safe in the knowledge that they’ll keep their data under lock and key and away from harm. However, with such vast amounts of data leading to a dilution of the security process, how can a company ever be completely satisfied that the experts are doing an expert job?
Perhaps the most honest answer is that they can’t, and I’m sure that the old adage about ‘out of sight, out of mind’ is applicable to many in this instance – until something goes wrong! There are, however, steps that businesses can take in the way they draw up SLAs that can help them to mitigate the potential risks involved.
The first of these is to make sure that you have clear, up-to-date policies in place to govern your security processes. This includes ensuring that your suppliers have ‘skin in the game’ – that they’re like-minded companies who understand the industry and have a stake in the success of your company’s data security. One way to achieve this is by enforcing accountability, with penalties invoked in the event of any breach.
Of course, I’m not naïve enough to believe it’s impossible for the best-laid plans to go awry, and so as the outsourcer you need to be sure you understand the data being outsourced and are ready to ask yourself the right questions. For instance, if a breach occurs, would there be catastrophic consequences for the business? If the answer is yes, you may need to either reconsider or look at segregating the data – either way, managing the risk is likely to have cost implications.
This decision has to be taken by the person best placed to understand the potential IT security threat and business impact – the CIO. They need to be comfortable that the organisation’s appetite for risk is adequately mitigated with the supporting controls, tools and training in place.
With the CIO and fellow board members driving the security responsibilities of staff members, a secure business culture should follow. However, a business can only promote a culture of security if all staff members are complying with instructions. Before this can happen, clear and explicit instructions on what should and should not be done must be shared across the business, along with named individuals who hold accountability for security in each area. A culture of security will then quickly become the norm, and once people understand and buy in to it, an appreciation of the implications for both the firm and themselves if they aren’t ‘on-side’ and compliant will soon follow!
In summary, it’s important to make sure everyone is pulling in the right direction with clear accountability. You can’t just leave your data with another company and hope for the best; by creating stringent guidelines for both your company and your service providers, the pieces of the data jigsaw should, with careful planning and monitoring, fall into place and stay there.