Buyers with magnifying glasses: security inside outsourcing relationships
This column originally appeared in Outsource Magazine Issue #23 Spring 2011 as part of the lead article “Safe and Sound”.
From a buyer’s perspective, the labyrinth created by outsource partnerships is a tangled morass that must be carefully pulled apart at the start of relationships. Customers want to know where their data will be, why it will be there, and how it will move across borders. They want details on audit protocols, security practices and personnel. Once a baseline is understood, they want an ongoing understanding of how the data continues to be managed with updates on changes before they happen.
Unfortunately, outsourcers often don’t have great answers when all of the buyer’s questions come charging at them. They face having to explain the complexity inside their virtual environments, which were constructed to save costs, not to manage privacy and information security concerns. Outsourcers often fail to understand the complexity of the impact of the different laws Western clients must consider. And there is little in the way of thought leadership offered to clients to guide them on the best ways to handle outsourcing from a security perspective – at least, this is the impression many advisors and lawyers managing these deals get from their attempts to get to the bottom of the morass.
Where is the data?
Sharon Polsky from Amina Corporation in Canada advises her clients to ask the outsourcer to document where the data will travel. She takes this information and overlays how the laws play out across the data’s journey.
“Clients don’t consider how their own employees may cause them problems by sending, as they normally would to a team locally, to a foreign nation with completely different laws,” says Polsky.
Alan Brill from Kroll Ontrack agrees with Polsky: “I see situations where the outsourcer answered the data location question with ‘none of your business.’ When the client threatened to cancel the outsourcer responded with a half-hearted solution about how the data could be tracked, leaving us with little confidence. There is a vacuum of technical information on the outsourcer’s side on how their systems work,” says Brill.
Another common security problem is the rapid rate of merger and acquisition in the outsourcing vertical. “One day you know exactly what is happening, then a few months down the line, after a breach occurs you realize your outsource partner has been acquired, but continues to operate with the same name, and your data is in a new location without notice. Behind the scenes of course consolidation happened for efficiency,” says Brill, who recommends that contracts include clauses requiring notice when anything changes that was not agreed to in the original contract.
Accountability: tracking process and people
From an information security perspective, outsource relationships need to be considered from the inside out, from the people to the process, from the front door to the last byte written onto a back-up disk. This is not for the faint of heart.
Even from a Western desk, managing an infrastructure in the same building, the processes of credentialing employees, verifying backgrounds, establishing strict logging frameworks, tracking the physical location of back-up tapes and other items considered to be security essentials run into multiple problems. Implementing all of these cleanly across an outsource relationship is intrinsic to security success but often difficult to conjure up.
“In some of these places, background checks are illegal,” says John Nicholson from Pillsbury Winthrop Shaw Pittman.
When I asked Nicholson about audit reports – specifically the ones provided by outsourcers that are in some circles questioned violently – he said all of his clients get the reports and review them.
“Do they ask for details on remediation?” I asked. John didn’t have an answer beyond repeating again that all clients get access to the reports and try to establish a mutually agreeable auditor. I was asking, with persistence, because information security circles hold great doubt around some of the credentials that these outsourcers hold.
“Only about five locations in the U.S. hold the CMMI Level 5 certification. It is an extremely difficult certification to obtain and then of course maintain. The US Army, Boeing, Raytheon hold a CMMI 5, because they have the resources to achieve such complexity in their security systems. How can it be that the rest of the list is all Indian outsourcers in India?” asked Rohyt Belani, CEO of Intrepidus Group. I checked in on the list and was surprised to see that Belani is right: almost all of the Level 5 certifications are held outside of the US in India.
“Certifications make people feel great, but we all know they are worthless if there is not a consistent focus on security posture. The largest security breaches, such as Heartland Payment Systems in 2009, happen inside ‘secure environments’ certified by an auditor. These organizations often leave the environment after the ‘ok’ and return when it’s time to prepare for the audit again. Organisations engaging in outsource relationships need to ask more questions, looking beyond the audit report to the daily processes in place for protecting information,” says Brill.
Polsky laughed when I asked her about audits versus the reality of the security posture of the organisation.
“Sometimes I wonder if they have a dog guarding the front door. Most of my clients never visit the physical site. Who knows for sure if you don’t show up to see for yourself?”
Business side – What should the CSO be thinking about?
One of the problems of securing data inside outsourcing relationships is that the conversation falls into the gap between the business and the technical side of the company. While the dream is that a CIO or CSO will be at the table, participating in that discussion, often it’s the general counsel. Many people I spoke with said the lawyers end up being enmeshed in the details of security. “I can’t tell you how many times I have been asked while working onsite to review an outsourcing contract that was casually passed through the security team at the very last moment,” says Belani.
It’s not clear why this happens, but from the more than ten people I spoke with, this is a common problem. Lawyers are likely doing a great job identifying the liability concerns, attempting to hold the provider liable for possible loss, but do they have the technical background to analyse the complexity of these technical arrangements?
When it all goes sideways
When a breach is detected, the first step is to set in motion an organisation’s incident response plan. This typically involves calling outside forensic investigators to review the situation, create evidence presentable to local authorities, and craft an expert opinion on the situation. But before all of this happens the first question is, ‘who is footing this bill?’ I was reminiscing with Brill about my own time on incident response teams and asked how the payment factor plays out for outsourcing relationships.
“Big companies have breach insurance, which they love when an incident happens. Time and time again I see insurance companies voiding the policy because the outsource relationship was not included,” says Brill.
“If leaders constructing the contract took the time to contact the risk team inside the organization and verify that their coverage extended to the outsource relationship, many, many more organisations would be covered when problems arise.”
“All they need to ask is, ‘What if there is a third party?’ The risk teams know how to manage this answer,” Brill told me. This links back to the gap between business and technical conversations where CSO leadership is required to build the bridge between the risk team and the contract lawyers.
In the end, it’s all about brand
While organizations are excited about taking advantage of cheaper labour forces, 24/7 workforces and other aspects of outsourcing, they must continue to consider their brand and protect it.
“In the end, they don’t come after the outsourcer, they come after you,” says Brill.
Nicholson agrees: “It’s your customer: without them what do you have? Protecting your brand is first, foremost and last. There is no such thing as offloading risk inside an outsource relationship.” Nicholson says his top concern is understanding what happens after the contract is signed. “Many times we see one outsourcer outsourcing to another outsourcer. The last guy in the chain runs into a security problem and the client is shocked and angry at footing the bill,” says Nicholson.
Information security is the protection mechanism behind brand security. Without it, brands find themselves in precarious positions. From the advisors I spoke with, outsourcers have a market opportunity to provide thought leadership and processes to build strength in their own offerings for clients seeking protection.