LAS VEGAS -- This just in: your outsourcing operations could be dangerous to your company.
Speaking here at the 2011 Forrester IT Forum, analysts Jan Erik Aase and Chris McClean agreed that third-party vendor activity -- from access management to data security to app development -- tops the list of risks for most companies.
The question: how best should you manage that risk?
"None of these issues are new," McClean said. "They've been going on as long as business has. But the ecosystem is getting a lot more complicated. The number and complexity of the issues is getting tougher."
In an age where "Mass. hospital contractor loses data for 800K people" is no longer a surprising headline, third-party vendors are under increasing scrutiny by the companies that employ them.
But are they really?
As it turns out, many organizations are entering into relationships with outside vendors without adequately protecting themselves from catastrophe triggered by vendor instability.
What's more, with an influx of new, small startup companies, it's hard to know who to trust.
"They don't have the process in place that I'm used to. They don't even have a security officer. They don't have the wherewithal to meet our security requirements," Aase said. "So what do we do: engage, or not?"
Attempting to hammer out a set of best practices, Aase and McClean said the most important thing is to figure out what is and isn't essential to your security policy, then create a new plan to handle these unorthodox new partners.
For example: what if a startup doesn't have proof of financial stability? Would you end the discussion right there? Folks in the room agreed that obtaining a competitive edge sometimes trumped security concerns.
Still, no one in the room was willing to deviate from integrity clauses within standard Terms and Conditions.
Do you have a clear data security policy? Most folks in the room said yes, but few said they take boilerplate language and modify it to vendors' different levels of risk during procurement.
The other problem: vendor risk is often only a part of initial due diligence. Just one man was bold enough to raise his hand and admit to this on behalf of his company, but Aase and McClean noted that most traditional risk models focus on pre-deal due diligence.
The problem: most risk conversations are actually "deal risk," such as delivering on commitments and having a backup plan when a vendor fails.
"We thought about coming in here and scaring you, but I don't think we really need to. Just read the newspaper," Aase said. "But they don't tell you who the vendor was -- just the client. You are ultimately responsible. You have chosen to outsource to a third party. You are fully accountable."
In the early days, factors such as negative press coverage, Sarbanes-Oxley and FTC action didn't exist. Now, there's a huge list of considerations that's on everyone's mind. It's no longer just a procurement and vendor management worry, Aase said.
"Risk management really affects every part of the business," McClean said. "The security risk professional really needs to be the source of guidance."
But with an increasing number of third-party vendors comes an increase in the number of sources of reputation, financial, operational and regulatory risk.
The typical large enterprise has more than 200 third-party relationships that are of potential risk, Aase said. But enforcing controls is difficult -- internal policies and procedures have little effect outside corporate walls.
Worse, an increasing number of decisions occur without consideration for risk -- delivery models often circumvent the security professionals tasked with assuring safe dealings.
"Security pros can't ensure data security without help," Aase said. "Collaborating will give us the ability to augment our contracts."
A sobering fact: only half of sourcing and vendor management teams do regular, systematic tracking of vendor viability. Most firms only track financial stability after the deal is already signed -- and should an event occur, sourcing and vendor management teams with vendor viability tracking often don't have a disaster plan.
So what to do? McClean outlined a pocket guide:
- Establish context (time, budget, etc.)
- Identify risks
- Analyze them
- Evaluate them
- Treat them
But hurdles remain. For one, technology populism, self-provisioning and as-a-service offerings are on the rise; moreover, the correlation between spend and importance is weakening, making it harder to discern what's critical.
Not to mention the proliferation of source code vulnerabilities, Aase said.
"The word re-use makes us excited," he said. "But for security and risk, that's a dirty word. How do I know you're not reintroducing back-door opportunities to hack into our site?"
But collaboration within the organization is ultimately key.
"It's still not perfect," Aase said. "At the end of the day, a business user can overrule security concerns about a vendor anyway. That's why collaboration is important."