Security and outsourcing – whose responsibility is it anyway?

Security continues to be a thorny problem for organisations to deal with. According to a recent survey by the Ponemon Institute, 67% of IT organisations have tightened access to company data because they had increased requirements or concerns around security. As companies hear about more and more data breaches occurring through an employee’s compromised remote access account or a vendor’s network login, the immediate reaction is to shut down access as much as possible.

At the same time, however, outsourcing around IT security is increasing. When Pierre Audoin Consultants researched attitudes towards outsourcing of security operations, the firm found that 34% of companies used managed security services, while 13% outsourced all their IT security requirements. Of the large enterprises surveyed, only 21% used no external services.


CIOs and CISOs in charge of IT teams are caught between a rock and a hard place. Pressure to reduce costs and to bring in expertise on specialist systems makes outsourcing a viable, and often necessary, option. At the same time, the business vacillates between demanding greater flexibility and demanding more locked-down systems, depending on which breach stories are in the news. That makes long-term security planning harder.

Managing outsourced IT and security operations is challenging, but there are approaches that make the most of the skills available, whether internal or external. Remote access tools are what make outsourcing possible in the first place, yet a poorly implemented or unmanaged remote access path is exactly the entry point an attacker looks for.

It is also important that access is kept at a steady, predictable level. Rather than shutting down services or changing approach in response to the latest scare story, IT needs to plan ahead and support productivity by enabling access that is secure, controlled and monitored.

A useful reference point for how responsibility should be divided is PCI DSS, which applies to every organisation that stores, processes or transmits payment card data, including retailers, payment processors and banks. Version 3.0 became mandatory in January 2015. Its main aim was to make compliance simpler to sustain, turning it from a periodic, onerous exercise into something that fits with generally accepted security practice and becomes part of business as usual.

One of the biggest areas for consideration was responsibility for payment card data. A payment passes through multiple parties during a transaction, from the retailer through a payment processor or other third party to the customer's bank or building society, and all the way back again, so every one of those companies has to be secure and compliant. When a breach occurs, however, it has not always been clear which party bears responsibility for the security failure.

PCI DSS 3.0 puts the responsibility for IT security squarely on the shoulders of the retailer, even when outsourced relationships are involved. Version 3.0 makes this explicit: merchants must keep a record of which requirements each service provider manages and which they retain themselves (Requirement 12.8.5), and service providers must acknowledge their responsibilities in writing (Requirement 12.9). Outsourcing a function does not outsource accountability for it. This theme of responsibility should be extended to the entire IT infrastructure, not just the payment systems.

The reason is that attacks come in through third-party access: once an outsourcer's credentials or remote access path are compromised, the attacker has a foothold inside the perimeter and can move laterally from that initial landing point to systems the outsourcer was never meant to reach. Rather than finger pointing after the fact, the responsibility for security has to stay with the retailer.

Companies outside retail can learn from the approach PCI DSS takes. The challenge is to keep a sense of responsibility and ownership in place even when multiple third parties are involved in security operations.

One useful approach is for the CIO to own the connections between his or her company and the third parties involved. Rather than accepting whatever remote access method the outsourcer has chosen, the CIO stipulates how and when outsourcers come into the network: through which gateway, with which named accounts, to which systems, and for how long.

This means the company keeps its own audit trail and control over access, rather than relying on the third party for it. Think of it as a security concierge who lets people into the network only when they need access, for the duration of that need, rather than leaving them with standing access all the time.

Another approach is to arrange for management logs and session data to be shared on a regular basis. This gives the CIO the evidence to show that partners are working in the agreed way and that the agreed processes are being followed.

This puts the emphasis on getting the right reports and understanding them, so the CIO or CISO can always demonstrate how the rules on access and support are being followed, and spot when they are not.
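As an added example, not code from the original article or from Bomgar, the following Python sketch models the concierge approach described above: the customer owns the entry point, vendor access is denied by default, each grant names one engineer, one target and a bounded window, a grant can be revoked early, and every decision is recorded so the customer holds its own audit trail and can produce the reconciliation report that the log-sharing paragraphs call for. The vendor name, engineer identities, host names, ticket reference and timestamps are all constructed for the example.

```python
"""Just-in-time third-party access broker (illustrative, constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Grant:
    grant_id: str
    vendor: str          # outsourcer organisation
    engineer: str        # named individual at the vendor, never a shared account
    target: str          # the one host or system the grant covers
    start: datetime
    end: datetime
    approved_by: str     # internal owner who opened the door
    ticket: str          # change or ticket reference justifying the access


@dataclass
class SessionRecord:
    grant_id: Optional[str]
    engineer: str
    target: str
    requested_at: datetime
    decision: str        # "allowed" or "denied"
    reason: str


class AccessBroker:
    """Default-deny broker: a session is allowed only inside an active grant."""

    def __init__(self, max_window: timedelta = timedelta(hours=8)):
        self.max_window = max_window
        self.grants: dict[str, Grant] = {}
        self.revoked_at: dict[str, datetime] = {}
        self.audit: list[SessionRecord] = []

    def open_window(self, grant: Grant) -> Grant:
        # Grants are time-boxed; refuse open-ended or over-long windows.
        if grant.end <= grant.start:
            raise ValueError("grant window must end after it starts")
        if grant.end - grant.start > self.max_window:
            raise ValueError("grant window exceeds policy maximum")
        self.grants[grant.grant_id] = grant
        return grant

    def close_window(self, grant_id: str, at: datetime) -> None:
        # The concierge can show a guest out early; the grant stays on record.
        self.revoked_at[grant_id] = at

    def _effective_end(self, g: Grant) -> datetime:
        return min(g.end, self.revoked_at.get(g.grant_id, g.end))

    def request_session(self, engineer: str, target: str, at: datetime) -> SessionRecord:
        # Default deny: only an exact engineer/target match inside a live window passes.
        for g in self.grants.values():
            if g.engineer == engineer and g.target == target and g.start <= at < self._effective_end(g):
                rec = SessionRecord(g.grant_id, engineer, target, at, "allowed",
                                    f"within grant {g.grant_id} ({g.ticket})")
                break
        else:
            rec = SessionRecord(None, engineer, target, at, "denied",
                                "no active grant for this engineer and target")
        self.audit.append(rec)   # every decision, allowed or not, is recorded
        return rec

    def report(self) -> dict:
        # What the CIO or CISO hands an auditor: sessions reconciled against grants.
        allowed = [r for r in self.audit if r.decision == "allowed"]
        return {
            "sessions": len(self.audit),
            "allowed": len(allowed),
            "denied": len(self.audit) - len(allowed),
            "grants_used": sorted({r.grant_id for r in allowed}),
        }


def demo() -> dict:
    """Constructed scenario: one approved two-hour window, then five access attempts."""
    broker = AccessBroker()
    t0 = datetime(2015, 3, 2, 9, 0)                       # constructed timestamp
    broker.open_window(Grant("G-1001", "AcmeMSP", "alice@acmemsp", "erp-db-01",
                             t0, t0 + timedelta(hours=2), "cio", "CHG-4412"))
    decisions = []
    decisions.append(broker.request_session("alice@acmemsp", "erp-db-01", t0 + timedelta(minutes=15)))  # allowed
    decisions.append(broker.request_session("alice@acmemsp", "pos-gw-01", t0 + timedelta(minutes=20)))  # denied: wrong target
    decisions.append(broker.request_session("bob@acmemsp", "erp-db-01", t0 + timedelta(minutes=30)))    # denied: not the named engineer
    broker.close_window("G-1001", t0 + timedelta(hours=1))                                             # internal owner ends the window early
    decisions.append(broker.request_session("alice@acmemsp", "erp-db-01", t0 + timedelta(minutes=90)))  # denied: revoked
    decisions.append(broker.request_session("alice@acmemsp", "erp-db-01", t0 + timedelta(hours=3)))     # denied: expired
    return {"decisions": [r.decision for r in decisions], "report": broker.report()}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the outsourcer never holds a standing credential: the internal owner decides who, to what, and until when, and the audit list is the customer's own record rather than a report the vendor produces about itself.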

One area that needs particular attention when outsourcing IT security operations is privileged access management. Most CISOs are familiar with privileged account management, which covers controls over the accounts, such as administrator, root and service accounts, that carry elevated rights within specific systems and applications.


Privileged access, as used here, refers to access to network assets from outside the organisation, which has to be controlled just as tightly, particularly given how much outsourcing and remote working is now taking place. Control over this access matters during outsourcing projects because both parties want to be able to demonstrate that they are following the rules they have agreed.

Looking ahead, companies may consider outsourcing more of what can be a critical part of their infrastructure. Certainly, more CEOs and board-level directors are aware of how IT security decisions affect their businesses. To succeed in this environment, it is important to understand the division between operations, which can be outsourced, and responsibility, which cannot.


Sourced from Stuart Facey, Bomgar


Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...
