security in outsourcing or cloud-based project: the general framework

In today’s world, a growing number of companies contract out part of their IT to external suppliers in the form of cloud, outsourcing and even managed services. Whatever the method, the result is the same: someone else takes care of your devices or applications. Many articles address the security issues of cloud services. However, few of us realize that the same arguments also apply to other kinds of outsourcing.

In this series of blog posts:

  1. We will go through the challenges of the Chief Security Officer in a complex IT world.
  2. Then we will add the different aspects of outsourcing: from the challenges you have to address to the characteristics you want to find in your outsourcer.
  3. Finally, we will see that in most cases an essential element is missing to establish the link between you and your outsourcer.

the IT world is becoming more complex and so does security

It is widely acknowledged that IT is becoming more and more complex. The time is long gone when a single individual could claim to master an entire technical solution. The Internet brought power to PCs and servers, relegating mainframes to historical curiosities. Smartphones and tablets are pushing mobile computing into a new era.

But technology is not the only sector that has drastically changed. The way we do business is very different now than it was ten years ago. Our partners in one area are often our competitors in another, and governments have a more prominent role through laws and regulations. Large multinational companies must address these changes and so must their clients and partners.

User behavior is changing as well, through mobility. People want to work from anywhere just as they do at the office, using devices they choose without cumbersome permissions. And they want to communicate through all sorts of channels, like instant messaging and social media, sometimes challenging their own company’s confidentiality rules.

what skills do CSOs need to face it

Somewhere in the middle, the Chief Security Officer (CSO) is assigned the task of managing the security risks associated with these changes and must come up with appropriate solutions to alleviate them. How does he do it?

The CSO must understand the legal frameworks of all the various countries in which his business operates.

The CSO also needs to master a variety of technologies, including WAN, LAN, servers, PCs, tablets, operating systems, databases, enterprise applications, internal applications, development, hacking methodologies, etc.

But all of this knowledge is useless in developing a sound security program if he doesn’t first have a good understanding of the way business is done in his own enterprise. The CSO must adapt his security strategies to the risk appetite of his enterprise and ensure that all technical solutions support the way his business is run. He must also be aware that no single solution will solve every issue.

a word about the CSO's ecosystem

Most people would agree that these requirements are too many and too difficult for a single individual to master. Fortunately, most CSOs can rely on teams of experts for help.

  1. System administrators will translate high-level policies into technical procedures.
  2. Network experts will implement the security rules of the company on the network.
  3. Internal auditing will check for compliance.

And, at the end of the day, a full set of technical and business experts will also help the CSO make educated decisions and translate them into technical or business countermeasures.

understanding the real world

However, this picture is of an ideal world. In reality, people who support the CSO have their own constraints and goals, and those are not always aligned with the security and risk management targets. Users want to have access to internal systems and confidential information from anywhere. Developers need to roll out their applications on time to support new products and will do what they need to do in order to make that happen.

Security is very often not considered, no matter what the company’s policies are. As a company relies more and more on external suppliers to manage part of its IT, every player should be aware of and aligned with the strategic security view of the CSO.

This was a difficult task when the CSO had to rely on internal resources for IT management, but it becomes a real challenge when IT is outsourced to one or more parties. And that’s what I’m going to tackle in the next blog posts… Stay tuned!


Michel Nolf

I am providing information security officer consultancy for multinational clients and governmental institutions. Being as paranoid as any security professional, I am quite relaxed at home enjoying my family. My work has led me to work with many different cultures that I am so happy to meet during my vacations.

Working in security for so long, I have seen the mentality evolve, but I dream of more. But dreaming is not enough… Let’s work on it!