28 February 2016

IT-services Outsourcing - Between cutting costs and major security risks

Outsourcing is a widespread practice nowadays in major corporations and state organizations.
Most directors and leaders see it only as a marvel key solution for cutting costs.
True, but very naive vision.

The hidden dark other side is often ignored: major security risks.


Outsource is done by another company which has other economical interests and is more preoccupied by own image and prestige than by being a fair partner.
In case of major problems, top priority is hiding to the customer and keeping secret the real scale of events.
If all is solved in reasonable  time, a "filtered" version is presented and billed to the customer.
In case of non-solved events, all remain highly secretive and almost 100% customer will never ever know.

Hence major security risks and headaches for future.

The aspect becomes more critical when outsourcing is done via nested intermediary providers or foreign companies.
The economical and juridical aspects become very diffuse in case of incidents and disputes.
It becomes impossible to control and track high-sensitive internal information.

And when outsourcing is done by a foreign company, it's only one single step to economical/technical espionage and catastrophe.

IMHO it is a fundamental mistake to choose such solutions in critical key sectors of the state or corporations.
In such situations, ISO27000, ITIL and Common Criteria, remain only simple obsolete words.

Solution: think wider in the future, short-term cutting costs via outsourcing might be your next step to disaster.

Want outsourcing? Use only national companies which are easy to control, check and verify.

Ancient expression: "Never trust a stranger" is still very actual in IT-Security.