Outsourcing and offshoring have been part of the business toolset for some time. The security risks associated with outsourcing and offshoring should now be well understood and easy to mitigate. Indeed, the Information Security Forum Benchmark Survey consistently shows outsourcing to be an area of strength in security controls. So, time to relax then?
Hardly. Outsourcing and offshoring risk assessment and mitigation are areas of strength because we understand that the risks, when information is processed by a remote third party, are different. They might be higher, and they could be lower - in both cases outsourcing and offshoring demands, and usually gets, our attention.
But as we move into a brand new world of uncertainty the business pressures change. Previously marginal benefits from outsourcing may now look positively attractive to an organisation seeking to conserve cash. New variations of outsourcing - such as cloud computing - may sound attractive and be a compelling business proposition. And the business wants to act now.
And there lies the problem. Consistently, the biggest information security problem associated with outsourcing has been being late to the party: finding out about the outsourcing deal after it has been signed, not being invited to participate in the vendor assessment process, and realising that security was not part of the deal.
Outsourcing deals tend to be long term, and managing security in a long term outsourcing relationship is a specialised skill involving contract management, service monitoring and establishing working relationships. In addition to acquiring these (sometimes) new skills, information security professionals can find it harder to understand the security status of an outsourced operation.
It is often difficult enough to identify security metrics that the business understands; to conduct a covert investigation; to ensure that everything is patched when the IT operation is in house. If it is run by a different company where the servers are on the other side of the world (and it may be that you don't actually know where they are) then the day job can be much harder.
So what to do? Understand that security in an outsourced operation requires specialist skills; understand the criticality of the systems that are being outsourced; and understand how security works in a shared environment. Be assured of the ability of the outsourcer to recover your systems from a disaster, and know how you would maintain service if your outsourced service terminates early or unexpectedly.
But above all, get to the party early and avoid the hangover.
Andy Jones is principal research consultant at the Information Security Forum.
This was first published in June 2009