Offshored & Shadow IT Risk Management
The InfoSec Consulting Series #4
By Jay Pope
In this article we build on the earlier discussion of business transformation risks, turning to the urgent need for offshored and shadow IT risk management. We look at some of the risk management challenges these two very different issues present and at what might be done to tackle them.
When an organisation needs to reduce its IT costs, outsourcing is often one of the first options considered. This was certainly the case a decade ago, when many organisations that took the decision to outsource believed it to be a great deal more straightforward than most would today. Outsourcing has become a riskier and more complex strategy for several reasons: increased scrutiny by regulators of an organisation’s relationships with its service providers; the growing use of multiple external providers; and the sheer variety of third parties in scope, size and location. Complicated supply chains involving fourth- or fifth-party suppliers are increasingly common and make it notoriously difficult to resolve problems when something goes wrong. For IT, the most serious outsourcing risks, some of them the product of sub-optimal due diligence in procurement, fall into four groups: risks to operations and transactions, to business continuity, to the confidentiality of information, and to regulatory compliance. Let’s look at each in turn, and then at strategies for managing shadow IT.
Procurement & Security
The relationship between Procurement and Security is an often-overlooked factor in how many security issues are ‘flowed down’ into the delivery pipeline and into operations. Security consultants are often called upon to formulate tactical mitigations for problems that could easily have been avoided had the security contract schedules and SLAs included relevant, appropriate and proportionate security obligations in the first place. In my experience, commercial teams in government organisations tend to view their role through a siloed lens and define success simply as ‘contract enablement’: how often do we see a press release or a web page announcing the award of a big-ticket IT contract, only for that programme to become the one the best technical delivery experts want to avoid, because it carries more technical debt than they can cope with? Organisations in the financial sector tend to be much better at writing the right security obligations into supplier contracts, but in either case there is always room for improvement, and it starts with building relationships between the procurement and security teams.
Operational & Transactional Risk
To mitigate this class of risk, the Security Team first needs to understand the process flow for a given transaction and then identify the points in that flow where something could go wrong. If any of these steps are offshored, what would the supplier’s role in a failure be? It is impossible to manage every risk fully, so scarce resources need to be deployed carefully, with a strategic focus on the risks most likely to occur and those that would cause the greatest impact to the company, its customers and its stakeholders if they did.
Business Continuity Risks
Do you know what business continuity plans your IT service providers have in place? Could they continue operating after a natural disaster that hit their core infrastructure, a failure of the national grid, political upheaval, or some other significant crisis? It is important to go beyond verbal assurances here. Simulating specific scenarios with your vendors, such as a data centre outage, will show how they would actually respond in a crisis. Assurance teams talking to vendors about business-critical processes is key, as is avoiding over-dependence on a single supplier and, ideally, retaining the ability to bring certain functions back in-house or to switch to an alternate supplier should the need arise. Also, do your prime suppliers carry out offshored and shadow IT risk management on their own supply chain? Do they obligate their own suppliers to the same standards that they are held to themselves?
Risks to Confidentiality of Information
The Security Team will identify the critical Information Exchange Partners (IEPs) that transmit or store confidential information and will consider the type, volume and frequency of data each handles. The higher the volume and frequency of sensitive data handling, the higher the risk of its confidentiality being compromised. To reduce these risks, site visits to higher-risk suppliers can be useful for checking security and data protection controls in practice, and the frequency of those visits can be stepped up for suppliers handling the most sensitive data.
Regulatory Compliance Risks
Regulators will hold a business accountable for compliance failures caused by its third parties. This includes carrying out appropriate due diligence when considering outsourcing, to confirm that a service provider has the right people, technology and processes in place to deliver the function effectively. It is wise to think strategically before outsourcing some functions at all, and to consider how much of a process to outsource, in order to minimise risk.
Shadow IT
Cloud technologies have accelerated the widespread adoption of shadow IT. This is a serious challenge for the Security Team, and it can be approached from quite different angles. Some of the obvious threats from shadow IT include:
- Shadow IT applications sit outside the control of the IT department and so pose a significant regulatory compliance risk. In regulated industries such as healthcare and finance, failures can have very serious consequences;
- Data privacy cannot be managed by the IT department when data is stored in SaaS applications it has no oversight of: it may not know where the data is held, or even that it exists. Breaches here can be very damaging and seriously threaten a company’s reputation;
- IT departments cannot protect data they do not know exists. They cannot enforce authentication controls, such as password complexity and change policies, on a service they have never seen, even when it holds highly sensitive corporate data.
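The common thread in the list above is visibility: the Security Team cannot assess or control a SaaS application it does not know is in use. One practical way to find out is to mine the web proxy logs for destinations that are not on the sanctioned list and receive uploads from corporate users. The script below is an added example, not code from the article or the author; the log format, the domain names (all under the reserved .example TLD), the sanctioned list and the byte threshold are constructed for illustration.

```python
"""Shadow IT discovery from web-proxy logs (added example, not from the article).

Assumptions, all constructed for illustration:
- Each log line is: ISO timestamp, username, client IP, HTTP method, destination host,
  bytes sent by the client (a simplified proxy access-log format).
- SANCTIONED lists the services the IT department has approved. Anything else that
  receives uploads (POST/PUT/PATCH) is a candidate shadow-IT SaaS and is reported
  with who uses it and how much data leaves the organisation for it.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical approved services; sub-domains of these are treated as sanctioned too.
SANCTIONED = {"drive.corp.example", "mail.corp.example", "crm.example"}
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Constructed sample log (not real traffic). Includes a malformed line to show it is skipped.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice 10.1.2.3 GET drive.corp.example 512
2024-03-04T09:13:10Z alice 10.1.2.3 POST drive.corp.example 2048000
2024-03-04T09:15:42Z bob 10.1.2.9 POST quickshare.example 7340032
2024-03-04T09:16:05Z bob 10.1.2.9 POST api.quickshare.example 1048576
2024-03-04T09:20:33Z carol 10.1.2.14 GET news.example 30000
2024-03-04T09:22:51Z dave 10.1.2.20 PUT quickshare.example 15728640
2024-03-04T10:02:11Z erin 10.1.2.31 POST pastebox.example 4096
2024-03-04T10:05:00Z carol 10.1.2.14 POST crm.example 9000
2024-03-04T10:07:19Z frank 10.1.2.40 GET cdn.quickshare.example 800000
malformed line that should be skipped
"""


@dataclass
class ServiceUsage:
    users: set[str] = field(default_factory=set)
    requests: int = 0
    bytes_uploaded: int = 0


def is_sanctioned(host: str) -> bool:
    """True if host is an approved service or a sub-domain of one (exact suffix match)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SANCTIONED)


def registrable_domain(host: str) -> str:
    """Group sub-domains (api., cdn.) under one service using the last two labels.
    Adequate for the example; a production tool should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_line(line: str) -> dict | None:
    """Parse one log line; return None for lines that do not match the expected shape."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, user, _ip, method, host, sent = parts
    try:
        return {"user": user, "method": method.upper(), "host": host, "bytes": int(sent)}
    except ValueError:
        return None


def discover_shadow_it(log_text: str) -> dict[str, ServiceUsage]:
    """Aggregate traffic to every unsanctioned service: distinct users, requests, upload bytes."""
    usage: dict[str, ServiceUsage] = defaultdict(ServiceUsage)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_sanctioned(rec["host"]):
            continue
        svc = usage[registrable_domain(rec["host"])]
        svc.users.add(rec["user"])
        svc.requests += 1
        if rec["method"] in UPLOAD_METHODS:
            svc.bytes_uploaded += rec["bytes"]
    return dict(usage)


def prioritise(usage: dict[str, ServiceUsage], min_upload_bytes: int = 1_000_000):
    """Rank unsanctioned services by data leaving the organisation, then by user count.
    Read-only browsing (no uploads) and services below the threshold are dropped."""
    ranked = [(dom, u) for dom, u in usage.items() if u.bytes_uploaded >= min_upload_bytes]
    ranked.sort(key=lambda kv: (kv[1].bytes_uploaded, len(kv[1].users)), reverse=True)
    return ranked


if __name__ == "__main__":
    found = discover_shadow_it(SAMPLE_LOG)
    for domain, u in prioritise(found):
        print(f"{domain}: {len(u.users)} users, {u.requests} requests, "
              f"{u.bytes_uploaded / 1_000_000:.1f} MB uploaded -> {sorted(u.users)}")
```

The output is a short list the Security Team can act on: which unsanctioned services are in use, by whom, and how much data is flowing to them, which is the starting point for the "middle ground" of bringing popular tools under proper control rather than blocking them blind. The upload threshold is the tuning knob; lowering it surfaces low-volume services such as paste sites that can still leak credentials or keys.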
The flip side of these challenges is the reason shadow IT is rising in the first place. Users feel they can do their job better with applications that match their requirements; they believe they can be more productive without facing the perceived ‘obstacle’ of the IT department. Ironically, this can also reduce the burden on their colleagues in IT, allowing the latter to refocus their efforts more productively.
So how do you strike the right balance? Two direct but blunt tactics sit at opposite ends of the spectrum. At one extreme, clamp down tightly on all shadow IT and make it difficult to use: lock down internet access, enhance perimeter devices, and pursue and punish transgressors. At the other, embrace shadow IT with open arms and allow users to use whatever applications suit them best.
In most organisations, it should be possible to find a middle ground that looks at the reasons why users are turning to these applications in the first place and attempts to make IT departments more flexible, agile and more responsive to the needs of their users.
Add to this a renewed focus on control, with the IT department setting up the new applications so that regulatory compliance for data security, storage, user authentication, authorisation and so on can be assured. A well-defined and adhered-to shadow IT policy is, of course, needed for this to be possible.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.