How Security in the Cloud Differs from the Traditional Enterprise – and What This Means for IT Multi-Sourcing

Published November 6, 2018

Category: Innovation | Outsourcing


Written by: Brandon Curry

Brandon Curry

Brandon Curry has worked as an expert in the information technology industry for more than 25 years. During this time, he has held a variety of roles ranging from sales and post-sales account management to operations and solution architecture, on both the IT and network sides of the information communications technology (ICT) business.

Curry brings a unique, out-of-the-box perspective to problem solving, technology strategies and customer solutions. He joined NTT America in 2015 after working for T-Systems North America in several capacities, including Head of Sales and Service Management. In his current role, Curry is NTT America’s Vice President of Solutions, Product and Service Management, leading the end-to-end pre-sales, product management, post-sales governance and account management functions.

Curry is a strong believer in continuous learning, and is a thought leader on new technologies and market trends. He holds an Associate of Science degree in pre-medicine from the University of Kentucky, an MBA from Northwestern University’s Kellogg School of Management, and an MS in security from Carnegie Mellon University. He has earned many advanced level certifications such as CCIE, CISSP and is a Certified Ethical Hacker. In addition, Mr. Curry is a member of the (ISC)2 national and Chicago chapters, as well as the Global IT Architects Association.
Twitter: @nttcom

Cloud computing has changed IT in many ways, not least of which is security. A decade ago, in a less “cloudy” world, an enterprise would either manage IT itself or delegate much of it to a large consulting or IT services firm. Either way, one or two people (the CIO and/or the outsourcing firm’s lead) took charge of security, which typically meant setting up barriers around internal resources.
 
Today, as technology has permeated all levels of organizations, IT security management has become more distributed. According to a study of 1,800 business decision-makers discussed in NTT Security’s 2018 Risk:Value report, ultimate responsibility for managing an organization’s day-to-day security could fall on any number of shoulders. The CIO remains the leading candidate, with 22 percent of respondents saying the buck stops there. But 20 percent point to the CEO; 19 percent to the CISO; and 15 percent to the IT director. And with nearly anyone now able to spin up a virtual machine (VM) or open a SaaS account, it does seem as though “we are all CISOs now,” as I’ve written elsewhere. 
 
Not only is leadership fragmented internally, but ownership of security has also been extended externally to a large number of third-party IT partners. And along the way, security practices have changed. For many services, workflows now span both public and private cloud infrastructures. With the rise of hybrid and other cloud models, along with Wi-Fi and mobility in general, the old perimeter-based approach simply no longer covers today’s landscape.
 
Reclaim Ownership of Security 
 
Security in the traditional enterprise was not necessarily better, but it was simpler. Risks today are complex and proliferating. Threats may emerge from your software supply chain, or the latest hacking trend, such as crypto-mining malware. And the stakes are high. 
 
The average global cost of remediating a software supply chain breach is $1.1 million. According to the Risk:Value report, the average global cost of recovering from any data breach is $1.5 million. And penalties for failing to comply with new privacy regulations are growing. Damages to customer and brand confidence from breaches can be significant, far-reaching and long-lasting.  
 
Those costs are good reasons to reclaim ownership of security. While it is possible to overstate the changes (some practices such as user access, data protection, documentation, etc., remain constant), we live in a time when threat mitigation involves much more than upgrading a network firewall. In today’s multi-sourced and cloud-infused IT arena, enterprises need to assume control of their overall risk and governance framework. 
 
5 Ways to Make Sources More Secure 
 
Regaining control may require exercising some relatively unused muscles. As my colleagues at NTT Security note in a white paper titled “Managing the risk of IT Multi-Sourcing,” the tendency is for organizations to focus on a provider’s service level agreements (SLAs) and capabilities. But if you’re involved in sourcing IT services, don’t be afraid to collaborate with security leaders and experts, probe your suppliers and build security into your contracts. Here are five steps that NTT Security recommends:  
 
1. Assess risk: The first way to get traction with security is to conduct a risk assessment of all your IT service providers. The goal is to identify, and fix, vulnerabilities. Especially in light of mandates such as the General Data Protection Regulation (GDPR) or related Identity and Access Management (IAM) controls, some areas may need more immediate attention than others. And as indicated, some measures may be mandated by law rather than choice.
2. Build trust: Once you have identified partners that may be high risk, begin to take steps to embed security within those engagements. Or look for less risky alternatives. Going forward, considerations around cybersecurity should be a key part of making any purchase decision and/or establishing and maintaining trust.
3. Establish visibility: As they say, there’s no management without metrics, and no metrics without visibility. Maintain the right to audit your provider’s services. This could include monitoring IAM controls, network and endpoint activity or log analysis. Assuming that your suppliers are properly certified, include compliance requirements within the scope of audit and controls.
4. Prepare for incidents: Data breaches of some kind are likely, if not inevitable. This puts a premium on setting up incident response plans as part of ongoing business continuity practices. Be sure to test them. These plans won’t prevent incidents, but they can minimize the potential fallout, including negative publicity.
5. Be ready to walk: An outsourcing relationship is unbalanced if you are not prepared to terminate it. This is not just a matter for the sourcing and legal teams. Security leaders also need to be engaged and aware of termination procedures, including the return of information or assets, confidentiality, handing over services to other vendors, etc.

Execute the Strategy
 
There is no going back to the pre-cloud world of doing everything yourself, or using a single IT consulting firm. But one smart way to standardize cybersecurity policies and provide an intermediary between you and your many suppliers is to partner with a Managed Security Services Provider (MSSP).  
 
Regardless of your security approach, take the time and effort to embed security within your contracts and then make sure to follow through and execute the terms. 
