Outsourcing data security

Having recently been served a series of sharp reminders about the growing threat posed by cyber attackers, many CIOs have now turned a critical eye towards understanding their exposure to data loss.

What they are finding is that much of their data actually resides, or at least flows, through a number of third party service providers that are outside of the organisation’s direct control.

As a result, many CIOs are now asking if their data security can be successfully and reliably outsourced and to whom?

Bringing in the armed guards Before we can answer that, we need to look at the two different types of outsourced security.

The first is the use of third party suppliers to provide security services within the enterprise. Some of the most common types are malware managers, email monitoring, firewalls and virus protection software.

For this type of security, outsourcing to third party specialists is often a recommended option for organisations. Specialist third party suppliers tend to service multiple large clients and are therefore able to spot threats and deploy responses far faster than isolated in-house teams.

Many of the larger outfits also invest significantly in R&D to deliver ever-increasing levels of security to their clients.

However, the security services market is also highly fragmented, leaving CIOs to work with an increasing number of different services providers in order to properly defend against a growing onslaught of new and emerging threats.

This may not remain the case for long. HP’s purchase of Fortify Software and ArcSight last year seems to indicate a move towards more consolidated security offerings in the future.

Locking down the cloud The second type of security outsourcing relates to that day-to-day data flow that underscores the operations of almost every organization.

This bit is often much more difficult to manage.

A large percentage of organisational data now flows through third party suppliers who provide a range of services from data warehousing to customer analytics.

The emergence of cloud computing (or Outsourcing 3.0) only exacerbates the complexity by shuttling data from centre to centre, creating backups and artefacts across multiple systems.

In fact, in a report by KPMG and the e-Crime Congress, more than two thirds of the senior security professionals surveyed said that cloud computing would increase their risk of e-crime. nearly nine out of 10 said that internet-hosted software such as webmail and enterprise social networks would pose an equal risk.

The answer is not to ignore the business opportunities — sometimes imperatives — surrounding outsourcing and cloud; nor is it simply to bury your head in the sand.

Out of sight, but not out of mind Through greater use of outsourcing, CIOs have effectively been delegating their security management to a hodgepodge of disparate vendors that may include everyone from their CRM service provider to their website hosting service.

IT leaders would be well advised to remember that a supplier’s ability to manage and store data does not necessarily reflect their ability to also protect that data.

That is not to say that data service providers are not secure; many successfully differentiate themselves based on their reputation for security.

However, it does mean that CIOs will need to go above and beyond simply including security clauses into outsourcing contracts in order to get peace of mind.

Often, the details agreed upon by those signing the contracts either don’t represent the reality on the ground, or are not properly communicated to the individuals or teams that actually provide the service. This may ultimately result in a mismatch between client expectations and what service providers are able to deliver.

Protecting the Crown Jewels The other challenge facing CIOs is one of classification. Not all data requires the same level of protection and not all information holds equal value to the organisation.

But to properly classify and protect the organisation’s Crown Jewels, CIOs will need to develop a better understanding of the sensitivity, value and risk profile of the enterprise’s various data streams.

They must work across the business to develop appropriate protocols and controls to properly secure that data.

Unfortunately, there is no silver bullet in the offing.

Just as quickly as companies develop ways to plug the chinks in their armour, cyber attackers seem to move to develop new and more powerful assaults.

There is a degree of automation that is eventually developed to respond to most security threats in the same way that spam filters automated elements of email security. But, usually these are brought to market months or even years after the threat is first detected.

So, for the time being, the answer is that CIOs have to recognise that data security is an executive-level risk and responsibility for that risk cannot be outsourced.

Security therefore needs to be part of the organisation’s overall sourcing strategy, with clear policies and oversight and assurance processes in place for service providers.

Because ultimately, it will be the CIO that will be called to the mat should the company’s crown jewels go missing.