Another year coming to a close and I am full of hope for new thinking on security for the road ahead. One particular aspect in our profession that I would like to see change in the very near future is the typical approach to incorporating security in contracts with IT Service Providers.
Very often I have seen generalist IT project managers treat security, unknowingly I must stress, as a cosmetic add-on that can simply be plugged into the service being bought or consumed from a third-party specialist IT services organisation. Very sadly, security has never worked that way and most likely never will.
To draw a simple, if trivial, parallel: when you are looking to build a house you don't go to a building contractor, say "give me a three-bedroom house" and expect that to be sufficient information for them to deliver the right house for you. You need to provide far more information, such as size, environmental characteristics, a unique design and configuration that aligns with personal taste, safety and external physical constraints or limitations, as well as general cost considerations. The same level of detail and diligence must also be applied when considering security in IT service contracts.
Much too often I have seen organisations state in their IT service contracts with their suppliers that "security should be compliant with ISO 27001" and/or that "data security should be maintained in accordance with recognised good practice". Just what does that mean? If you don't express enough care, clarity and detail around your security objectives and characteristics, then don't be surprised when your IT service provider gives you a diluted, not-fit-for-purpose security solution.
Don’t just grab a bunch of security standards and plug them into the service contract in the hope that your service provider will understand and deliver to your unique business security objectives. It won’t happen. They will simply take the path of least effort and give you the cheapest vanilla security option. Each business is unique and each will have its own security objectives, their own interpretations of recognised good practice and standards and certainly their own risk appetites and tolerances.
Cutting security short during the contractual phase of the project is sure to lead to considerable conflicts, costs and disruptions during the go-live phase. This is doubly true for regulated organisations.
It is not rocket science; all it takes is some prudence and initial planning. As a project manager or IT director looking to consume IT services from a specialist third-party organisation, you can help yourself by doing the following as a minimum:
- Engage your internal security specialists to identify the key security risks pertinent to the service in question. If you don’t have internal security capability then seek outside help.
- Be clear and descriptive about the actual security services and controls you expect your service provider to deliver in order to address your unique risks. Quoting solely an industry standard is not helpful to anyone. Don't expect your service provider to do the heavy lifting for you here; they won't, because it is your responsibility and their profitability.
- Use your security and industry expertise to be mindful of what is realistically achievable in terms of security controls. Don't expect that your service provider will have all the silver bullets. Some security controls will simply be technically infeasible, regardless of who your service provider is, because of complexity and technology maturity constraints. Hence be discerning in your selection of security controls, factoring in their cost, complexity and achievability.
- Document your distilled security services and controls as a unique and tailored list with sufficient description and clarity in order to share and discuss it with your service provider early prior to contract sign-off. This document should form the security part of the contract and will provide the definitive frame of reference for the security controls/services to be incorporated as part of the overall service and solution. It should not be ambiguous or open to interpretation.
- Prior to final contract sign-off, obtain some objective assurance from your service provider that they can deliver the security controls you expect, either through an audit-type assessment or a recognised third-party attestation.
- Once the service is operational, measure the efficacy of the security controls over time to ensure they are delivering in accordance with expectations. This should be relatively straightforward because you have already done the hard work of defining and documenting the details of your security controls, so you know what you expect from them and which risks they should be mitigating.
- Lastly, always review your starting assumptions and fine-tune the security services over time to ensure you are still maintaining an adequate security posture. Formulate the contract jointly with your supplier to allow for changes and updates in the course of time. This has to be agreed jointly in order to form an agreeable, objective and realistic model for updates and changes that won't disrupt the business, heighten the security exposure or bankrupt the supplier.
As a concluding remark, I would strongly recommend that not just the client organisation but equally the service organisation should consider the points above and each should challenge the other prior to contract sign-off on the security aspects. It will save both a lot of pain, conflict and cost later.