Have a think about where your IT services are coming from. Are they all provided by in-house staff? If you are a large organisation, chances are your business is being supported by a mixture of multiple outsourced and in-house IT services. It is now the norm for businesses to have what the industry is calling a ‘multi-sourced IT model’. This approach naturally brings immediate benefits in helping the organisation move faster to deliver operational goals and meet customer demands. But as we have seen with many of the recently publicised breaches at multinational corporations, the extent to which you are managing the security risks becomes a key indicator of how well you are managing a multi-sourced IT model.
It is not surprising that security breaches via third-party IT providers are becoming a regular occurrence, as the responsibility for security due diligence often remains unclear between procurement, risk management and IT. For example, evaluating providers exclusively through Service Level Agreements (SLAs) will not highlight security risks such as access to and control of sensitive data as it moves across multiple platforms, compliance regimes and jurisdictions.
The proliferation of ‘shadow IT’ contributes to these security challenges: neither risk management, IT nor procurement may even be aware of third-party applications or cloud services being adopted without consideration of the potential pitfalls of inconsistent security support.
For organisations with – or planning to implement – a multi-sourcing governance model, we would advise the security team to take the following initiatives:
- Perform a third-party risk assessment that focuses on pre-engagement controls, the business needs, the engagement with the provider, and ongoing compliance activities.
- Maintain clear visibility and governance of your security controls by cooperating with other functions such as procurement, vendor management and quality assurance.
- Continuously monitor your network for targeted threats and vulnerabilities that could open the gates to attackers.
- Prepare for third-party provider breaches. There is no excuse for not including third-party provider breaches in your incident response and readiness plan.
Many of our clients have found it more efficient and cost-effective to partner with security specialists to assess their third-party risk exposure, develop a sustainable security program and continuously monitor their IT estate for targeted threats with managed security services (MSS).
To learn more about how you can manage the risks of multi-sourcing, download our free whitepaper here.