Outsourcing Services is like......
Buying 3rd Party services is like choosing to buy a car.
Businesses are increasingly moving into more specialised and digitalised IT environments. This, in turn, means that they need to seek more specialist suppliers to deliver and support them in these more technical environments. There are very many suppliers offering the perfect vehicle to suit your every need, but unlike buying a car, you are often buying a service (rather than a physical object), and something so unique or new that you know very little about how it works and whether it is truly the perfect vehicle to fit into your fleet. Add to this the fact that you will likely be speaking to a 'Swiss Tony' and not a technician who fully understands how the service will integrate with and enhance your business.
Most important purchase in life?
It has previously been reported that buying a car is one of the 3 most important purchases a person makes in their lifetime. However, since the advancement of technologies, as a business owner, this is no longer true. Buying outsourced IT services is more important and far more complicated than purchasing a car.
Unlike the motor trade, the suppliers providing the IT services you are seeking are focused on telling you about all the latest 'Bells and Whistles' their services will provide you, and not how well they manage the security and safety of the operations they provide. If they do, it tends to be pre-scripted answers, based upon the answers given to their previous customers. In addition, when the services go wrong or are breached, it is rarely the 3rd party supplier who ends up all over the media.
With the changing threat landscape, protecting both your sensitive company data and your employees'/consumers' personal data, while maintaining resilient supporting IT systems, has become a constant concern. Consequently, gaining a high level of assurance over your partners/suppliers has never been more important, but how can you achieve the degree of comfort you are seeking?
Of course, the supplier wants to convince you to buy their services - that is why they are in business! But are they truly selling you the safe service that you deserve, or are you just another 'Jack' being sold the mystical 'magic bean', with an unscrupulous vendor selling you an unsubstantiated (fake) service?
If you are buying a service based on the promises that it will resolve all of your problems, do you have the resources with the expertise to understand and interpret how this can integrate into your business?
Quite rightly the motor industry is heavily regulated, helping to ensure that motor vehicles are safe, secure and environmentally friendly. However, even though this is a heavily regulated industry we have seen some very well-known manufacturers attempt to manipulate the rules (e.g. DieselGate). With the provision of IT services being less mature and with far fewer regulations (but increasingly being the target of cyber criminals), how does a business protect itself from the dangers associated with outsourcing of services, whilst enhancing business operations?
Managing your 3rd party assurance is equally, if not more, important than your internal Cyber/Information Security measures. Unlike services delivered 'in house', 3rd parties will develop their offerings to appeal to a wider audience/customer base, and you are unlikely to find the perfect vehicle for your business. Therefore, just like buying a new motor vehicle, you need to do your research and 'test-drive' a number of options to find the 'best fit' for your business. Having found your preferred option, you then need to be methodical in your due diligence and management of the outsourced services.
First off, are you documenting all of the services being delivered by all your outsourced companies? Next, how much consideration and time is spent on the review of the content of your contractual agreements (including the right to audit) and Terms & Conditions (T&Cs), or are you giving this a cursory glance? Think about how much protection you will have from these documents, in the event of something going wrong!
Do you take the word of the vendor as to how secure/robust their services are, or do you insist on invoking your right to audit? If you do not have the expert resources in house, do you consider bringing in an independent expert to provide you with that additional assurance?
If you are relying on 3rd parties to help support your compliance obligations, have you documented which controls are the sole responsibility of an internal or external resource and which are shared responsibilities? This becomes essential when any grey areas contribute to mistaken assumptions about who was responsible for supporting/delivering a specific control. The use of a comprehensive RACI (Responsible, Accountable, Consulted, Informed) becomes vitally important in ensuring effective management of 3rd party services within regulated business operations (e.g. GDPR, PCI DSS, HIPAA, etc.) and for reducing the potential of missed responsibilities leading to a data breach.
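The register, right-to-audit and RACI points above can be checked mechanically. The following is an added example, not code from the article or from any named framework: it models a constructed supplier register and a constructed RACI matrix of controls (the party names, control IDs and descriptions are all made up for illustration) and reports the grey areas the article warns about, namely controls with no Responsible party, controls without exactly one Accountable party, controls shared between internal and external parties with no documented hand-off, and controls run by a supplier whose contract carries no right to audit.

```python
"""Third-party control-ownership gap finder (added example; data is constructed)."""

from dataclasses import dataclass

INTERNAL = "internal"
EXTERNAL = "external"

# Finding messages kept as constants so reports (and tests) can match on them.
NO_RESPONSIBLE = "no Responsible party"
BAD_ACCOUNTABLE = "Accountable count is not exactly 1"
SHARED_UNDOCUMENTED = "shared internal/external responsibility with no documented hand-off"
NO_AUDIT_RIGHT = "external Responsible party but contract grants no right to audit"


@dataclass(frozen=True)
class Party:
    name: str
    kind: str                     # INTERNAL or EXTERNAL
    right_to_audit: bool = False  # only meaningful for EXTERNAL parties


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    raci: dict                    # party name -> set of letters from {"R", "A", "C", "I"}
    handoff_documented: bool = False  # a written split of duties exists for shared controls


# Constructed sample register (hypothetical parties and control IDs, not from the article).
PARTIES = {
    "IT Ops": Party("IT Ops", INTERNAL),
    "Compliance": Party("Compliance", INTERNAL),
    "CloudCo": Party("CloudCo", EXTERNAL, right_to_audit=True),
    "PayGate": Party("PayGate", EXTERNAL, right_to_audit=False),
}

REGISTER = [
    Control("CTRL-01", "MFA on all administrative access",
            {"IT Ops": {"R"}, "Compliance": {"A"}, "CloudCo": {"C"}}),
    Control("CTRL-02", "Audit logging of payment transactions",
            {"PayGate": {"R"}, "Compliance": {"A"}}),
    Control("CTRL-03", "Encryption of personal data at rest",
            {"IT Ops": {"R"}, "CloudCo": {"R"}, "Compliance": {"A"}}),
    Control("CTRL-04", "Patching of hosted platform",
            {"IT Ops": {"R"}, "CloudCo": {"R"}, "Compliance": {"A"}}, handoff_documented=True),
    Control("CTRL-05", "Maintain list of service providers",
            {"Compliance": {"C"}}),
    Control("CTRL-06", "Secure development of payment application",
            {"PayGate": {"R", "A"}, "Compliance": {"A"}}),
]


def find_gaps(register, parties):
    """Return a list of (control_id, message) tuples for every ownership grey area found."""
    findings = []
    for control in register:
        responsible = [p for p, roles in control.raci.items() if "R" in roles]
        accountable = [p for p, roles in control.raci.items() if "A" in roles]

        if not responsible:
            findings.append((control.control_id, NO_RESPONSIBLE))
        if len(accountable) != 1:
            findings.append((control.control_id, BAD_ACCOUNTABLE))

        # A control that both an internal team and a supplier deliver needs a written split.
        kinds = {parties[p].kind for p in responsible}
        if kinds == {INTERNAL, EXTERNAL} and not control.handoff_documented:
            findings.append((control.control_id, SHARED_UNDOCUMENTED))

        # A supplier-run control you cannot audit is assurance by trust alone.
        for p in responsible:
            if parties[p].kind == EXTERNAL and not parties[p].right_to_audit:
                findings.append((control.control_id, NO_AUDIT_RIGHT))
    return findings


def ownership_by_party(register):
    """Map each party to the control IDs it is Responsible or Accountable for.

    This is the 'documented list of services per supplier' the article asks for."""
    owned = {}
    for control in register:
        for party, roles in control.raci.items():
            if roles & {"R", "A"}:
                owned.setdefault(party, []).append(control.control_id)
    return owned


if __name__ == "__main__":
    for control_id, message in find_gaps(REGISTER, PARTIES):
        print(f"{control_id}: {message}")
    for party, controls in ownership_by_party(REGISTER).items():
        print(f"{party} owns {len(controls)} control(s): {', '.join(controls)}")
```

On the constructed data the checker reports six findings: the logging control and the development control are run by a supplier with no audit right, the encryption control is shared without a documented hand-off (the patching control is shared too, but passes because the split is written down), the service-provider list has no Responsible and no Accountable party, and the development control has two Accountable parties. Re-running the check after every contract renewal or supplier change is what turns the RACI from a one-off document into an ongoing control.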
It is a fact of modern business life that organisations will be increasingly looking to specialist companies to help them provide the niche services needed to provide the increasing demand for innovative, digitised, mobile and interactive solutions (Internet of Things (IoT), Artificial Intelligence (AI), Machine Learning, Mobile Applications, etc.).
The success or failure of future business operations depends on a combination of things:
Recognise the benefits of outsourcing, whilst understanding the need to thoroughly scrutinise and periodically review the value and risks associated with their suppliers (do not become 'Supplier Complacent' and don't be afraid to consider moving to alternative suppliers - given a continual evolving and innovative supplier market). Treat your suppliers as an extension to your business.
Innovative and proactive suppliers need to be mindful of the need to balance innovation with the delivery of secure services (being open to having their operations scrutinised). Work in partnership with your customers, recognising the value of delivering on your promises and remembering the message from 'Mad Men'.
Global governments need to recognise how the increasing growth of digitised and internet-facing modern business operations is changing the face of today's criminal activities. As a result, criminals are increasingly looking for opportunities to monetise poorly developed business enhancements. Consequently, the changing threat landscape needs to be managed through appropriate legislative enhancements designed to encourage businesses to acknowledge their obligations to develop technologies responsibly.
It is clear that since the introduction of the internet, technological advancements have developed at 'breakneck speed', faster than any other historical advancement. In comparison, motor vehicle development has been positively 'snail like'. However, it is important to recognise the impact safety concerns had on the stages of that development, tempering advancement with the protection of drivers and other road users.
Much like the advancement of the motor industry, consumers are extremely receptive, showing a desire to embrace the convenience of easily interacting and communicating with business through innovative and mobile interfaces. However, this development/advancement must not be delivered at the expense of privacy, or by adversely impacting these consumers, especially given the broad capabilities and age ranges of the prospective consumers. (Note: are there common lessons learned that can be applied from the motor industry, e.g. accident age demographics, accidents are preventable, human error is the biggest cause of accidents, etc.?)
However, unlike the safe development of the motor industry, the development of the cyber industry is not being given the same respect, with the 'Drivers' often just expected to 'adapt and go' with new technological advances. For example, despite the near-instant and convenient advancement of electronic communications increasing the potential for exploitation through phishing, businesses, governments and schools have been slow to teach the 'Drivers' how to safely navigate the 'Inter-Galactic Highway'.