COMMENT
Ensure the outsourcer meets your needs
It's critical that your needs are reflected in the contract so the provider is clearly 'on the hook' for their security obligations. Therefore, your contractual provisions need to be workable, pragmatic and comprehensive. A 'fire and forget' approach to security - simply dumping all the obligations onto the provider - is short-sighted and probably unenforceable.
You should thoroughly explore the capability and competence of the outsourcing supplier and their delivery team to ensure they understand your security sensitivities. You also need to understand the supplier's approach to IT security: how will access be controlled, monitored and logged for the purposes of verifying the integrity of your outsourced operations?
With security, as with any other service, you get what you pay for. So make sure you understand the commercial terms for security and do not pay over the odds for a level of security that is excessive in comparison to your real needs.
Stay up-to-date
Inevitably, the constant evolution of possible threats will require a flexible and adaptive approach to IT security arrangements. Keep security as a regular agenda item for your governance meetings with the outsource provider, and develop and regularly review your joint contingency arrangements in the event of a significant security incident. Once you have embarked upon an outsourcing arrangement, security becomes a joint concern although you are still accountable.
Ensure that you exercise your rights of audit and access in accordance with the contract, and verify that the outsourcer is keeping up-to-date with regulatory requirements in accordance with their agreed obligations. An external third-party advisor may also be helpful in keeping you and your outsourcer fully effective in your IT security arrangements.
Looking to the future, IT security almost certainly faces unexpected new challenges. This could be in the form of novel viruses, sophisticated attacks, gaps opened by the plethora of devices and access points, or unexpected conflicts and overlaps between applications.
As cloud computing becomes a reality, the audit trail for any one transaction becomes lost in the fog, and clients and outsourcers will need to work hard, and work together to ensure mutual assurance in the years to come.
Stay tuned for future columns in which we'll look at other factors for outsourcing success.
William Benn is a partner with Alsbridge, the advisory firm specialising in shared services and outsourcing. Read more on IT outsourcing and beyond here.
