Outsourced But Not Out of Mind – Access Governance and Outsourcing

Outsourcing is a popular way to reduce costs and access new capabilities. Rapidly cutting costs certainly helps the bottom line, but there’s no free lunch in business. When you outsource, you need new management processes to properly oversee that arrangement. If you close your eyes and hope for the best, outsourcing may blow up in your face and hurt your brand.

What Does Outsourcing Success Require?

To win at outsourcing, we recommend using a balanced scorecard approach. Instead of fixating on a single metric such as cost, consider 3-5 essential types of performance indicators. For example, use the following metrics to guide your program:

  • Cost optimization: Review the pricing and volume you’re using through outsourcing on a monthly basis. Does your consumption contribute to your company goals? This item is particularly important if users of the outsourcing service are unaware of the cost.
  • Customer service: Give the outsourced provider a green (good), yellow (acceptable with some problems), or red (major problems) customer service rating each month. For the best results, meet with your account manager from the outsourced company regularly to discuss these ratings.
  • Risk management: If you operate in a risk-sensitive industry such as defense, finance, or health, proactively monitor risk issues. In fact, we recommend giving a priority weighting to risk. Customers and regulatory authorities are unlikely to tolerate multiple security incidents. Specific areas to review include access governance KPIs (e.g., the number of privileged users), response time to close cybersecurity incidents, and training.

How exactly do you improve risk management? We recommend focusing on cybersecurity since the cost of failure is high. According to SecurityIntelligence, data breaches in 2017 cost organizations over $3 million on average. For a small fraction of that amount, you can reduce your cybersecurity risk by using the assessment process outlined in the next section.

Assess Your Outsourcing Arrangement for Cybersecurity

A full-blown cybersecurity assessment requires several weeks of effort. For outsourcing service providers and software, such an assessment is overkill. Instead, focus on the following items.

  • Cybersecurity strategy: Does the outsourced company have a broad strategy that defines its approach to security? A simple one-page document with areas of focus is often sufficient.
  • Cybersecurity training: At a minimum, check whether the company provides annual cybersecurity training to employees. Effective training programs also include testing and follow-up to help employees minimize risk. For example, provide employees with password training.
  • Incident response: What programs are in place to respond to a cybersecurity incident? If this capability has never been tested in practice or through simulation, regard this capability as weak. Response capabilities may include offering fraud protection to customers and on-call security crisis management.
  • Cybersecurity talent: How many staff members are dedicated to cybersecurity? What are their qualifications? Scale down your expectations for smaller companies as they have a less complex environment.
  • Access governance: What systems and processes does the company have in place to oversee access? In many cases, this is a weak area for small and mid-sized companies.

Improve Access Governance for Outsourced Services

To improve access governance in your outsourced relationships, you need to be methodical. We recommend adopting the following high-level project plan.

  • Define your risk tolerance: What’s your appetite for cybersecurity failures and incidents? If you have a “no tolerance” attitude, you’ll need to spend significant resources on access governance. Review your risk tolerance assessment annually to ensure you keep up with changes in your industry.
  • Identify relevant outsourcing providers: Some service providers pose a minimal security risk because they have no access to confidential data. Other providers – such as IT consultants – require access to most of your systems. At first, focus your efforts on the highest risk outsourced providers, meaning those with access to mission-critical systems containing customer data and financial records.
  • Evaluate their access governance risk: There are two ways to approach this step. You could send a self-assessment questionnaire and review the responses. Alternatively, you can take a more time-intensive approach by interviewing key people at the outsourced provider. We recommend starting with a self-assessment and digging deeper if you receive minimal responses.
  • Recommend access governance improvements: Based on your risk tolerance and data from the outsourced provider, recommend improvements. For instance, if the organization is struggling with too many passwords, implementing a single sign-on solution will help.
  • Test access governance compliance: After a few months, test whether the outsourced provider has tightened its systems. Did it implement an access governance solution? Is it controlling privileged user access? These are key areas to check.
  • Transition to continuous improvement: Now that you’ve implemented improved access governance, you can’t give up. Ongoing monitoring, such as quarterly reports and annual tests, is needed to verify that access governance continues to be managed well.

What About Your Access Governance Challenges?

As you go through the process of evaluating and improving outsourced providers, some doubts will probably come to mind. Would your organization withstand this level of scrutiny? Do you have a robust process to detect access governance problems? If you answer with “no” or “I don’t know,” then you need to act proactively to make improvements.

Not sure where to get started in improving your access governance program? We have three suggestions for you:

Neglecting access governance today is like neglecting your fitness. You may not suffer tomorrow, but you’ll put yourself at increased risk over time. Don’t wait until you experience a cybersecurity incident to make improvements.

Written by Nelson Cicchitto