security in outsourcing or cloud-based project: how to glue the client and the supplier views

The previous posts (find part 1, part 2 and  part 3 here) discussed the need for businesses and outsourcers to collaborate in the development and implementation of IT security. Security entails controlling, mitigating or managing risks, and someone must take responsibility for this.

the missing link: the Information Security Officer

The outsourcer must provide a highly educated security professional who will sit between the client and its organization. This person, let’s call him the Information Security Officer, will ensure that security needs and requirements from the  clients are well understood and that they fit within the proposed solution from the supplier. He will act during the build phase of any project but also be a main actor during the run phase.

the Information Security Officer: an audit facilitator

The Information Security Officer is a critical component of audits. When you request an audit, the outsourcer must ensure that all resources are available at the time of the audit. The scope of the audit must be understood and agreed. The Information Security Officer may perform the audit of the outsourced environment himself, or he may act as a facilitator between you and your chosen auditors.

This role of facilitator is “natural” for the Information Security Officer. Not only does he understand the project and the outsourced environment, but he also has a good understanding of

  1. your business,
  2. the reasons behind the audit
  3. and what is really needed.

He also knows who to contact for the necessary information, either inside the project team or within the organization.

This three-way knowledge – the project, the client and the organization – puts the Information Security Officer in an ideal position to drive audits smoothly and ensure that security controls are in place.

security meetings, processes and risk management: CSOs bring in their knowledge

The Information Security Officer participates in security meetings with his clients. This ensures that all findings, corrective actions and requests are correctly pursued. He also contributes his understanding of the outsourcer and of the timeliness and feasibility of his clients’ requests.

Many processes must be defined to facilitate the efficient collaboration between businesses. Those processes touch security areas, like user management and incident management, since any failure in those areas could have a dramatic effect for both the outsourcer and the client in an outsourcing project.

Risk management is a pillar of security management. You may have assumptions about the implementation of your project but the Information Security Officer is in the ideal position to identify those assumptions and highlight risks that you may not be aware of.

Throughout the life of the outsourcing project, many changes will occur: new services will be implemented or you may contract with new partners. The world of security will also evolve: new technologies will be developed and new attacks will be deployed. The Information Security Officer will be fully aware of how each of these changes might affect his clients’ security solutions. He will assess the impact on the security of his clients’ data and present correct and verified information regarding any new risks. He will also suggest solutions and potential mitigation actions.


Whatever part of your IT or process is outsourced and whatever type of management (managed services, full outsourcing or the cloud) you prefer, the Information Security Officer is the only one who can ensure that all security aspects are fully considered and met. He is the only one with a 360° view of the project, your business and the outsourcer’s company. This view allows him to provide you with the unique guarantee that your requirements are perfectly understood, that audits will be executed correctly and that incidents will be correctly and efficiently managed.

Having an individual Information Security Officer in an outsourced project guarantees that security will be managed in the way that you want it to be managed.

Do you want to know more? Do not hesitate to download my whitepaper on this subject.


crédit photo: © XtravaganT -

Michel Nolf

I am providing information security officer consultancy for multinational clients and governmental institutions.  Being paranoiac as any security responsible, I am quite relax at home enjoying family. My work has driven me to work with many different cultures that I am so happy to meet during my vacations.

Working in the security for so much time, I have seen the evolution of the mentality but I dream for more. But dreaming is not enough…Let’s work on it!