CSC World, October/December 2005, Featured Articles: Technology

Regulatory Compliance and Security in Outsourcing

page 2

What kind of security?

It’s best to have checks and balances on the IT side so that security breaches don’t have to be caught in audit or when balancing the books at the end of the month.

You want multiple layers of robust IT security. This means physical security, password strength, good separation of duties and systems, good monitoring, good architectures, very vigilant intrusion detection, and aggressive forensics that follow up on every intrusion attempt. This way, a single point of failure won’t cause a major deficiency in financial recordkeeping.

Clients and outsourcing vendors need to share control and agree on an approach to risk management. A good way to start is by doing a vulnerability assessment. Most companies think they’re more secure than they really are, and a vulnerability assessment will uncover the human errors and architecture problems that make it easy to break into their sites.

Such an assessment will also show that there’s no such thing as a perimeter defense. Some companies still resist having their outsourcing vendor move their data to a data center. They see this as a risk and think their data will be safer if they keep it on the premises. But a good intrusion test proves that data is just as vulnerable on company premises as it would be in a data center. The level of security needed will also be the same in either case.

Clients and vendors can decide what level of security is needed by doing a business recovery analysis. The client will get a better sense of which parts of the infrastructure are business-critical — chemical formulas, financial data — and which aren’t. These assessments will enable clients and vendors to agree on how much money to spend on what level of security for which parts of the infrastructure.

Outsourcing means sharing risk

A company can outsource its IT in part or in whole, and can even outsource its accounting. What it can’t do is outsource its fiduciary and security responsibilities.

Outsourcing vendors can take on more responsibility for IT security than for Sarbanes-Oxley compliance. The only way vendors could get this deep into a client’s accounting is if they took charge of the client’s accounting department in a business process outsourcing deal. Even then, the client would retain fiduciary responsibility. The client also retains responsibility for IT security, and should set security policy based on the vendor’s recommendations.

New accounting and privacy regulations may not have made substantial changes in outsourcing contracts, but they should change the way companies make outsourcing decisions. It goes without saying that companies should choose vendors whose capabilities meet their needs. Once they’ve narrowed outsourcers down by capabilities, they should pick someone they trust. Outsourcing agreements are more like marriages than contracts. Sharing risk is a trust relationship. Trust is more important than getting it all right in the contract on the first day.

Russ Owen is group president and managing director of the BAE Systems global account within CSC’s European Group. This article is based on his remarks at a panel of top executives from leading IT services firms at the Gartner Outsourcing Summit held in Los Angeles in April.
