Outsourcing Your IT Does Not Outsource Your Risk

Risk is an integral part of business. No one ever expected the Fukushima nuclear plant to melt down after an earthquake; it was a risk. It was a known, documented risk, but one that had already been mitigated to a large extent. Sometimes all the planning in the world won’t stop a risk becoming an issue.

In IT, the threats may never be as devastating as Fukushima, but in an IT world with ever-changing threats, there are a few simple steps you can take to reduce risk to acceptable levels. New tools and well-defined, usable policies, allied with effective reporting, can protect you from the majority of attacks.

Risky business

Outsourcing is intended to create flexibility in IT provisioning, and managed/cloud services are now a very competitive market. Costs are lowered; capital expenditure can be all but removed in many cases. Unfortunately, this is not the full story.

Risk is now shared, and in any symbiotic relationship between Systems Integrator and client, transparency and a shared risk register are vital tools used to combat a changing threat landscape. In general, where an SI tends to be responsible for the technical risks, the business risk remains firmly with the customer.

So where are the problems? At a business level, the items we see most often are:

  • Policies and standards need to be able to adapt to risk. Few are flexible enough to withstand outsourcing, let alone cloud deployments
  • If you are outsourcing you will have third parties running some or all of your infrastructure. You rely on the contractual agreements and audits to monitor security, but often there is no definition of the risks and inherent level of risk sharing
  • If you are running services in the cloud, you have to consider different levels of business risk that you are taking on with a public or private cloud approach. Your infrastructure isn’t governed by you; you can’t see it and attacks may come from shared resources or other sources which you are not able to see
  • Inherited or legacy reporting is typically inadequate for the outsourcer’s requirements; requests for extra reporting rely on Change Requests (CRs). CRs take time, so responsiveness can be reduced
  • Investment in security, even by the most agile of application providers, SIs and outsourcers, is fixed at the point of contract signature whilst the threats develop. Clients’ budgets are stretched currently, and although investment in security is higher than ever as a percentage total of contract values, it still remains low in real terms.

Hackers are now being invested in by governments, organised criminals and the press (think Leveson inquiry, Rupert Murdoch and the closure of the News of the World), and have more freedom and more resources at their fingertips than those trying to fight them.

Don’t just stand there, take control

There is risk in standing still while threats to the confidentiality, integrity and availability of business information continue around you. IT setup costs are high, and will always increase as business seeks to keep up with changes in hardware, software and new business opportunities. In short, I usually advise the following:


  • Share existing policies and standards early
  • Create proper service descriptions
  • Define your process and procedure correctly
  • Ensure your reporting is relevant and timely.

Secure your legitimate transaction paths:

  • Manage identities from anywhere to anywhere
  • Control network and application usage
  • Protect data with multiple layers of security.

Spot and control illegitimate transaction paths:

  • Baseline user behaviour
  • Find the odd behaviour in the crowd
  • Control or stop progress through the stack.

By controlling the legitimate users and exposing the fraudsters in this way, risk is highlighted before it becomes an issue. Mitigations can be put in place proactively instead of reactively, and security for once stays ahead of the attackers. Performing these processes repeatedly strengthens an environment and helps security evolve in line with the threats.


Rob Newby is the Principal Information Security Consultant and Information Security Team Leader within the Business Assurance team at T-Systems (UK). He has worked in the Information Security industry for 12 years, for companies across the UK, Europe and the United States. Although currently working on private sector Telco and Energy accounts, Rob has also been a CLAS Consultant since 2009.