The prevailing logic in strategy circles is that the business will be delivered greater value by breaking up many of the functions of the IT department and outsourcing the services to third party specialists.
While it can at least be viewed as an improvement on the strategy that preceded it – the wholesale farming out of the entire IT department in one fell swoop for ten-year outsourcing deals – it is a strategy that tends to work better for some services than others.
Take a commoditised IT service that isn’t strategic, where suppliers have proven they can deliver it at scale across multiple industries, and the strategy is sound. There are many IT functions for which that isn’t the case.
In any event, it’s largely become the role of the CISO to ensure that outsourcers – and their subcontractors – meet standards acceptable to the business. That’s a tough fight when, as one government CISO remarked last week, “the great conundrum of outsourcing is that the recipient looks to keep the cost of service delivery down, while the outsourcer focuses on profit.”
Troy Braban, CISO at Australia Post, is a realist about outsourcing: as much as CISOs would love to “double and triple the size of internal teams, we know the best security doesn’t rely only on our security teams,” he said.
“Part of our role today is an education process” to ensure everyone in the chain is conscious of security issues, he told a panel of his peers at last week’s AISA conference.
But as outsourcing agreements grow both more commonplace and complex, it's getting far more difficult for the CISO to provide a level of assurance to the business that the organisation’s numerous technology partners comply with the standards he or she would insist on for services delivered internally.
Troy Braban noted that most of his peers now have on average 19 or 20 partners to do due diligence on at any given time.
It’s an even bigger number when you look at heavily outsourced operations like banks.
Damian McMeekin, head of group security at ANZ Bank, relies on large outsourcing partners to ensure the bank is getting the best intelligence and level of assurance on security risks. All banks require the services of niche service providers to solve some “carefully defined” information security problems.
“I need complexity in my ecosystem,” he said. “I have to maintain that balance very carefully.”
The recent large-scale data breaches at several US retail chains brought home the issue of what happens when third parties contracted by a company don’t take adequate care of their security.
Earlier this year attackers gained access to Target US’s network – in a breach that cost a CEO and CIO their jobs and cost the company hundreds of millions of dollars to remedy – via the credentials of an air conditioning contractor used by the retailer.
“Who would have thought [the security threat] came from the air conditioning vendor?” asked Mike Burgess, CISO at Telstra.
Nor, I imagine, would the US National Security Agency (NSA) have predicted that its biggest threat came not from foreign forces but from the ethical stance taken by a lowly third party contractor, Edward Snowden.
These sorts of events have been a wake-up call in terms of how much due diligence is required not just on suppliers, but on their suppliers.
At Telstra, any new contract has to consider “wherever data is stored, processed or otherwise handled” as part of delivering the service, Burgess noted.
“We’ve made a lot of effort to know who touches our data, whether it’s a byte or a petabyte,” he told his peers.
“You have got to look from one subcontractor to the next subcontractor, to the next subcontractor, right down to the last contractor in the chain. You have to know them and you have to set expectations for security and privacy, and assess their capabilities to meet those expectations.”
Burgess said security breaches tend to more often be a “human problem” than a technology one, and often because the last contractor in the chain “doesn’t have [data security] in their heart or their head.”
“If you don’t stress it in your ecosystem, you’ll be surprised the way Target was surprised,” he said.
The bulk of this work has to be agreed during negotiations. But as one CISO lamented, that was too often the time the business wanted to race ahead in anticipation of banking savings on the outsourcing deal, rather than investing in the time and resources to properly define agreed behaviours and metrics for performance.
Dave Powell, CISO at National Australia Bank, told the same conference that organisations too often forget to factor the cost of this groundwork into the ROI equation – especially when pursuing the adoption of cloud services.
Leonard Kleinman, a senior security technologist at a large Australian government agency, concluded that it was vital to get the metrics right before any such deal is signed.
Otherwise, he noted, you are “overlaying governance layers retrospectively,” which tends to be close to impossible.