As I have discussed in my previous posts, IT (Information Technology) is essential to every organization. Considering IT's relevance to general operations and its function as the foundation of a company's IS (Information Systems), it is very important to establish measures and systems designed to provide security and to safeguard information (such as business and personal data, voice conversations, still images, motion pictures, multimedia presentations, including those not yet conceived) utilizing various forms of technology developed to create, store, use and exchange such information, against any unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby preserving its value, confidentiality, integrity, availability, intended use and ability to perform its permitted critical functions (1).
IT security prevents unauthorized access to computers, networks and data. When you reach your bank account through an online portal, IT security ensures that you — and only you — can see and make changes to your checking account. The overarching goal of IT security is to uphold the confidentiality and integrity of this kind of sensitive information without inconveniencing the user (2).
Now, seeing the value of IT security in ensuring the safety of the IS, the next step for organizations is to analyze whether they need to set up their own IT security or should outsource it to available service providers.
IT security outsourcing is relatively common in the current technologically advanced era. Large companies gradually invest in building their own IT security services, but this requires deep planning and analysis to determine whether it is feasible, especially for small to midsize companies, since IT security remains a challenge for some organizations.
Due to the high cost of establishing an in-house IT security team or department, usually only huge companies go that route. As a solution, some institutions choose to outsource IT security, since several IT providers are now available. These providers specialize in the field, so outsourcing IT security to them is considered more efficient and cost-effective. They also employ trained IT security experts, so outsourcing means cutting the extra cost of recruiting and training employees, as well as the cost of the required tools and machines, and so on. This is good news for small to average businesses that typically cannot afford to put up their own IT security team.
So should organizations outsource IT security services? Again, it depends on the company's technological capabilities and financial capacity to build and maintain its own IT service team or department, and on the issues raised by bringing in an external entity that can access important or confidential data.
Hiring an outside organization to provide IT security is cost-effective, but it also means that the company has to share critical data and information with an outsider. This makes the systems and data vulnerable to possible theft and hacking, which may cast doubt on the credibility and reliability of the provider. Loss of control should also be expected, since you are turning over IT security responsibilities and some authority to the provider.
Aside from concerns about control and security risks, there are other drawbacks to outsourcing versus instituting IT security services. In outsourcing, you will have to wait for the provider to respond to your concerns, unlike when you have your own team. There may also be instances of unexpected costs when hired experts suggest solutions to the business's technological needs. This may lead to over-investing, which defeats your cost-cutting purpose.
So what safety measures should you take to ensure that the IT security provider does not exploit the openness of your systems and steal strategic and sensitive information?
- Make sure that the service level agreement includes concrete legal consequences in case of a security breach.
- Require company permission and validation for every IT security transaction and process. Keep both hard and soft copies for possible future purposes.
- Have the provider submit official reports and keep track of the processes.
- As much as possible, learn how the processes work so that you have a grasp of the situation.
- Study and analyze the proposals and ask for another expert’s view or opinion to keep you on track.
- Be specific and on point when it comes to the service agreement to avoid loopholes.
- Insist on receiving alerts to any potential privacy-related compliance issue.
- Specifically identify authorized persons that should be permitted to receive and access personal and confidential information.
It is good to be extra cautious in dealing with service providers even when they already have a trusted image. Furthermore, some of the potential risks can be avoided if the organization chooses only certain IT security services to outsource. This means outsourcing only imperative processes.
To expound, here are some key questions for outsourcing security (3):
- Can a third-party supplier provide a better quality of service than you can provide internally for the same, or lower, cost?
- Can the third-party supplier meet all of the compliance requirements that you must abide by?
- Can you verify that the service provider delivers what it claims it supplies?
- What would be the consequences for your organization should the service provider fail to deliver on its claims or otherwise fail your needs?
IT security is a very important subject for organizations because it involves not just the organization but its clients as well. Thus, a long process of analysis and deliberation should be followed to guarantee that there will be no security-related conflicts and challenges in the future.
“It can be argued that all of the technology security stack can be outsourced except governance, risk and compliance, because it is one of the key processes in IT security,” - Vladimir Jirasek, of the CSA (UK) (4).
(1) IT Security Resources. (2000-2017). SANS. Retrieved February 16, 2017
(2) What Is IT Security?. (n.d.). Sanford-Brown. Retrieved February 16, 2017 from: http://www.sanfordbrown.edu/Student-Life/blog/February-2015/What-Is-IT-Security
(3) Best practice in outsourcing security. (2000-2017). TechTarget. Retrieved February 17, 2017 from: http://www.computerweekly.com/feature/Best-practice-in-outsourcing-security
(4) Outsourcing of IT security is not for everyone. TechTarget. Retrieved February 17, 2017 from: http://www.computerweekly.com/opinion/Security-Think-Tank-Outsourcing-of-IT-security-is-not-for-everyone
The Pros and Cons of Outsourcing IT. (2017). Penton. Retrieved February 17, 2017 from: http://tech4businessnow.com/the-pros-and-cons-of-outsourcing-it/
IT security. (n.d.). Amanetworks.com. Retrieved February 16, 2017 from: https://www.amanetworks.com/san-diego-it-professional-service/it-security-san-diego/