Security as a service: how are the patterns of risk and reward changing?
In seeking to provide a detailed response to the above question, views have been sought from the wide community of experts that make up the BCS Security Forum Strategic Panel (SFSP), writes Andrea Simmons, consultant forum manager for the BCS Security Forum.
The title implies an existing understanding of the risks of outsourcing and third-party contract management. However, collective experience shows that there is still, sadly, a great deal of naivety about relationship management and the ongoing requirements it imposes in relation to any outsourced activity. It is an oft-quoted phrase that "you cannot outsource responsibility", and we have seen no better examples of this in action than the various data breaches that appear to have occurred continually throughout 2008, with a number of key government outsourced service providers managing to experience instances of mislaid, lost or stolen data. The impact has been seen to be significant: loss of contract and therefore considerable financial expense. The latter shows just how much the "reward" element is changing, as the result of a loss of data can mean the loss of the contract. So ultimately the "reward", if the service is provided in accordance with expectation in relation to the contract terms, would clearly be the ongoing support and maintenance of the arrangement.
In many ways, security as a service strikes the mind of a security professional as yet another oxymoron within our acronym-overloaded industry. Security is not a service - it is an intrinsic part of business activity, no matter what the nature of the operation. Security management is a part of risk management, and all risk must be owned by those potentially affected by it. Departure from this principle usually leads to incidents, crises, even disasters.
However, it is fully accepted that there are clear benefits in outsourcing day-to-day delivery of second-tier infrastructure components (malware protection - anti-virus, anti-spam, log management, etc.) to avoid the overhead of maintaining the hardware and software needed to support this requirement. Risk management has to step in to review the existing organisational posture regularly, to ensure that the perceived threat landscape is being addressed by the available service. In particular, placing data that relates to the very core of the organisation's internal security posture on the internet needs to come with significant guarantees from the service provider about its own security stance. Hopefully part of the reward shift is that organisations are expecting their suppliers to adhere to best practice and, where possible, show compliance with relevant available standards, including ISO27001. Internal governance needs to be able to evidence that the equipment upon which it relies to provide internal assurance with regard to operating risk is maintained appropriately and is available as and when required.
It is just a sad reflection of the state of the available technology that it is necessary to do this at all.
Read more expert advice from the Computer Weekly Security Think Tank.