Organizations of all kinds are facing a shortage of skilled cybersecurity workers. To close the gap, they often outsource their security to third-party firms. But they need to make sure that these firms actually take all the necessary steps to keep their IT and data secure.
Negotiating terms with IT outsourcing firms is critically important. “Suppliers are understandably concerned about not paying damages that are disproportionate to the revenue received, and therefore seek to limit or disclaim their liability,” Rebecca Eisner, partner in the Chicago office of law firm Mayer Brown, told CIO magazine. “Customers are equally concerned, particularly where suppliers do not have the same incentives to protect customer data as the customer, and because the negative impacts of a security incident are generally far more significant to the customer than to the supplier.”
Cybersecurity has never been more important. A report commissioned by President Obama recently concluded that the next administration must do more to work with the private sector to bolster cybersecurity protections. Additionally, as CIO points out, dispersed IT environments, with data residing in the cloud and on users’ mobile devices, also make cybersecurity more complex and difficult to maintain.
The shift to the cloud is changing the nature of IT outsourcing, as companies look for outsourcing firms that can automate IT services and remove manual processes for organizations. “The old style of outsourcing — known as ‘your mess for less’— is definitively out of fashion at this point and enterprises will vote with their dollars for IT-service providers that reduce either complexity or time to achieve the desired outcome,” 451 Research Analyst Carl Brooks told The Wall Street Journal’s CIO Journal.
While the outsourcing trend is taking place, security is always lurking in the background as a concern. “The points of access and potential points of security failure multiply with this ever expanding ecosystem,” Eisner told CIO. “In addition, many of these systems are provided or managed by third party suppliers.”
Why is so much security being outsourced? The primary reason is that firms do not have enough cybersecurity talent in house. According to a survey from Intel Security released in July, businesses large and small are facing an increasingly diverse and sophisticated array of cybersecurity threats, but are having trouble hiring enough highly skilled employees to help them combat those risks.
Small businesses, in particular, will face increased competition for cybersecurity talent as larger enterprises with more resources recruit and attract workers, says Candace Worley, vice president of enterprise solutions marketing at Intel Security. More than 60 percent of survey respondents work at organizations that outsource at least some cybersecurity work.
The survey found that 55 percent of the respondents believe that technology solutions will meet the majority of their organization’s needs within the next five years. Additionally, the survey respondents say, in-house talent shortages will be remedied by outsourcing cybersecurity duties to vendor partners and outside firms. The solutions most likely to be outsourced, the survey found, are those that lend themselves to automation, such as threat detection, network monitoring and access management.
Bearing all that in mind, there are clear steps organizations can take to ensure that their IT is protected when negotiating security with IT outsourcing firms.
Eisner told CIO that organizations need to know which firms process, or have access to, their most sensitive data. They also need to work with the third-party firm’s security, vendor management and legal teams to find out which supplier relationships create the most security risk, so that those relationships can be adequately addressed.
Eisner also recommends that businesses explore existing IT service provider agreements to make sure they comply with up-to-date cybersecurity and data privacy policies. Similarly, businesses should review outsourcing firms’ security and privacy contract terms regularly with their legal counsel to ensure that those baseline requirements are updated and in compliance with laws and regulations.
Finally, Eisner said, IT leaders and managers should educate the company’s board of directors, officers and employees about security and privacy risks — especially those that might pop up in outsourcing relationships — and how they can be mitigated.