Are information security risks really increasing with offshoring and outsourcing and how can the IT security professional assess and mitigate the risk?
This is of course something of a trick question, or should be. All organisations need to begin any risk assessment for existing outsourcing contracts from an operational risk perspective. For most organisations this reality check may be satisfied by considering the following:
- Does this contract still make economic sense for both parties?
- Are we aware of any changes in the outsourcer's business that may be cause for concern?
If there are concerns, then the sooner they are addressed the better.
Assuming for the moment that all is well, the security professional needs to do a quick reality check of their own. What, if anything, has changed? On the risk front, there are unlikely to be any material new risks as such, but what may have changed significantly is their likelihood.
There has been a growing trend in recent years around the threat from insiders. Staff on both sides can easily become disgruntled or feel the organisation "owes them". This may be triggered by feelings of being overlooked for pay increases, promotions or other forms of recognition and rewards.
Another growing trend is the rise in organised crime. Unfortunately, the "faster, cheaper, better" mantra applies equally to the tools and techniques available to the criminal fraternity.
The shedding of staff by either the organisation itself or the outsourcer and its service providers will dilute knowledge, experience and skill, at both a technical and a business level. As teams shrink, there may also be division-of-duties and span-of-control issues when the remaining staff assume more responsibilities.
Managing leavers and their exit from the organisation can be critical.
There may also be a knock-on effect on:
- Incident and problem management
- Patch management
- Service improvements and upgrades
- Delays in reporting and escalation
However you face these challenges, it is important that you use this time and experience to learn the lessons and make improvements to your outsourcing framework for the future.
Roger Southgate is a past president of ISACA London and an independent governance and risk consultant.