Security in outsourcing deals: problem or solution?

Question:
Security in outsourcig deals: problem or solution?
It seems to be somekind of paradox. Outsourcing could lead to efficiency if processes are standardized. So implementing security as a part of standard governance should be part of some solution. At the same time every customer demands their own security standards implemented which often differ in approach and/or weight. Each line of industry (ofcourse) have their own standard. This makes it next to impossible to deliver according all those standards at the same time (according contract) and still reach efficiency goals. Or is the whole community silently agreeying to deliver uncompliant? Anyone have any thoughts about this matter which they would like to share with me in Dutch or in English?

Answer:
.......,
I have been evaluating/auditing security aspect of outsourcing operations for a while.

It is actually possible to find efficiency in delivering security requirements for outsourcing providers.

Security has a universal interpretation, regardless of the languages that it is spoken.

You are right that every customer/ every industry/ every information security framework brings some new obligations to the solution providers, and it is not possible to offer a standard cookie-cutter solution set for a broad customer base.

Here are the tested approaches to ease the pressure of never-ending customer security requirement on outsourcing providers:

1)- Map it : When analyzed thoroughly, you will find more common requirements than the exclusive ones. In my own projects I can tell that more than 80% of the security requirements are common. The first step is to form cross-industry requirement matrixes. Several organizations deliver these mapping matrixes (e.g. ISACA) Customer has requirement A, which matches your solution B. You can find mapping matrixes for COBIT, ITIL, ISO27001, PCI, etc. For example if you have an ISO 27001 compliant service and your customer is asking for HIPAA you may easily map your existing ISO controls to HIPAA.

2)- Offer Self-Service: Flexibility of the delivery infrastructure is the most effective answer for the diverse customer requirements: When we initially developed a reporting portal, we thought that having 100 reports would be sufficient for our customer base. It wasn’t. As you have indicated, it never ends, every day there is a new requirement. We ended up building a reporting engine so that the customers can build their own reports . Today if a customer has a new security report requirement, we tell them to go to the portal and build one. For the workflow we took the same approach. We could not enforce our own workflow for escalation to all customers so we ended up developing a business rules engine. Now incidents are escalated according to customer requirements on the backoffice system. If a customer requires sophisticated flow, they choose to pay for developing their own business rules on our rules engine. It is possible to increase the number of example but I assume the idea is clear

3- Get Modular: Even the mighty outsourcing providers are brought to their knees by weird customer requirements. Make sure that the operational flow and the compliance of the outsourcing operations can interface with 3rd party specialists. That is the beauty of multi-sourcing under single contract. I was working with a large TelCo where outsourcing provider had everything but the DNS appliances, introducing a 3rd party specialist under outsourcer’s umbrella fixed the problem. If the interface agreements are done, and if there is a structured framework for auditing outsourcing service partners this is a way to grow healthy operations (low on cost side as well).

4-Focus on Service Management: Usually service/outsourcing companies rely on generic service managers who are afraid to go outside the contract terms. That does not work well in information security world. If the service managers can understand customer requirements properly and relate to outsourcing backoffice operations, many of the problems can be fixed before escalation. I like to see all customer facing members of the team working at the delivery side in the operations for a while. It is the only way to learn to flip the burger before selling it.

At the end of the day, the whole community is silently following a darwinist path, the ones who are adapting the requirements intelligently without hurting the operations and the budgets survive… The old way of my way or the highway approach just hurts the whole service industry.

I would have written more since the topic requires more attention, but please let me know if you have a specific question.

regards,
- yinal ozkan