How does the vendor stay in touch with the broader security community?
Question No. 9: How does the vendor stay in touch with the broader security community and how does it receive updates?
An outsourcing vendor should demonstrate that it is plugged into the broader community and has multiple data feeds for new threats, viruses and other malicious code. What is the communication vehicle for updating clients on security risks, news and breaches? How fast does your personal cloud get updated once a new threat has been reported?
Your chosen vendor needs to demonstrate that it has incident response processes with connections to law enforcement, multiple feeds of threat intelligence and a direct linkage to the broader security community. Security is about proactive management; a vendor's quality of service (QoS) in this respect is determined by how well informed it is about current threat vectors, so that it can mitigate risk and stay ahead of the problem.
Question No. 10: What is my ability to get out of the contract?
Vendors naturally try to lock clients into long-term engagements that last five years or more. Until a vendor can demonstrate that it treats the stewardship of your data and your applications as a mission-critical operation, you need to know how you can get out of the contract.
Given the economics of cloud and outsourcing, it is hard to argue against considering such solutions. The hype around cloud can be a little nauseating, as it is nothing new from an IT operations perspective. Mainframes had virtualization, workload management and many of the facilities we associate with cloud today. The Internet age saw the concept rebranded as "ASP" (application service provider), with many of the UNIX platforms serving as the primary virtualization platforms. Today, the cloud hype is giving a renewed face to outsourcing and a new commercial model for how IT is consumed.
Outsourcing can be a great method for achieving those financial gains, but you can never outsource risk. You should think twice before giving up the keys to the kingdom. Whoever you decide to trust with your business has the ability to cause catastrophic damage.
The best thing you can do is demand all of the best security controls, and enforce continual diligence and proactive management of your business to mitigate risk. Use PCI as an actionable and prescriptive framework, and then add data loss prevention (DLP) to the requirements of your engagement. Public clouds are more dangerous. Go with a personal cloud that offers isolation, protection and customization, so that you have your very own security profile.
If you don't enforce security and diligence, your vendor will do only the minimum. Then it's only a matter of time before there is a security breach or loss of data.
Rob White is Director of IT Security Services at Fujitsu America. Prior to his role at Fujitsu America, Rob held positions at Fujitsu Technology Solutions and Amdahl IT Services. He can be reached at RWhite10@us.fujitsu.com.