Security as a service: how are the patterns of risk and reward changing?
In seeking to provide a detailed response to the above question, views have been sought from the wide community of experts that make up the BCS Security Forum Strategic Panel (SFSP), writes Andrea Simmons, consultant forum manager for the BCS Security Forum.
By implication of the title, there is an assumption of an existing understanding of outsourcing and third-party contract management risks. However, collective experience shows that there is still, sadly, a great deal of naivety with regard to relationship management and the ongoing requirements for doing so in relation to any outsourced activity. It is an oft-quoted phrase that "you cannot outsource responsibility", and no better examples of this in action have we seen than the various data breaches that appear to have occurred continually throughout 2008 - with a number of key government outsourced service providers managing to experience instances of mislaid, lost or stolen data - where the impact has been significant loss of contract and therefore considerable financial expense. The latter shows just how much the "reward" element is changing, as the result of a loss of data can mean the loss of the contract. So ultimately the "reward", if the service is provided in accordance with expectation in relation to the contract terms, would clearly mean the ongoing support and maintenance of the arrangement.
In many ways, security as a service strikes the mind of a security professional as yet another oxymoron within our acronym-overloaded industry. Security is not a service - it is an intrinsic part of business activity, no matter what the nature of the operation. Security management is a part of risk management and all risk must be owned by those potentially affected by it. Departure from this principle usually leads to incidents, crises, even disasters.
However, it is fully accepted that there are clear benefits in outsourcing the day-to-day delivery of second-tier infrastructure components (malware protection - anti-virus, anti-spam, log management, etc) to avoid the overhead of maintaining the hardware and software needed to support this requirement. Risk management has to step in to regularly review the existing organisational posture to ensure that the perceived threat landscape is being addressed by the available service. In particular, keeping data on the internet that relates to the very core of the organisation's internal security posture needs to come with significant guarantees from the service provider about its own security stance. Hopefully part of the reward shift is that organisations are expecting their suppliers to adhere to best practice and, where possible, show compliance with relevant available standards, including ISO27001. Internal governance needs to be able to evidence that the equipment upon which it is relying to provide internal assurance with regard to operating risk is maintained appropriately and is available as and when required.
It is just a sad reflection of the state of the available technology that it is necessary to do this at all.