Houston We Have A (Security) Problem
Posted: June 17, 2013
Whether you are a member of the Board of Directors, an Officer of the company, or in senior or middle management, you have probably dealt with IT security issues in the past few months. A recent survey by the AICPA and Chartered Professional Accountants of Canada showed that four of the top six technology initiatives in North America are related to security. From privacy to secure access to preventing fraud, dealing with the risks of IT seems to be overtaking the excitement of the potential productivity enhancements from the use of IT.
And the increasing prevalence of outsourcing IT and using the cloud is not solving these problems as many might have thought. Certainly there are benefits to outsourcing, including being able to rely on the “experts” instead of fighting to keep the right talent in-house. The problem is that, as COSO pointed out in its revised framework, you can outsource activity but you can’t outsource responsibility. In order to handle that responsibility, many companies include security terms in their contracts outlining what the outsourcer must do so that the company’s IT infrastructure is secure. Those terms may be the latest and greatest when the contract is signed, but what happens when the contract is three years old?
In the IT security world, time works like dog years. It may be three years on the calendar, but it’s more like twenty-one years in terms of virtual age. Three years ago no one had even heard of denial of service attacks, day zero viruses or spear phishing, just to name a few of the latest IT security concerns. As an outsource provider, you certainly don’t want to be contractually on the hook for unknown future security requirements that can change at the whim of new customer management, but as a customer, you can be left feeling very vulnerable if your security protections are old and outdated.
I don’t know what the solutions to these problems are, but I do know that until we come up with a few, IT security issues will continue to take up more and more critical time from everyone in business.