Outsourcing IT security: Bane or Boon?

Should an organization outsource its IT security?

There are many issues involved with outsourcing. Although it has a number of benefits, there are a lot of risks associated with outsourcing. Thus a company should weigh the benefits over the risk of outsourcing.

The following must be considered when outsourcing IT security:

  1. Financial – it takes a large portion of budget when a company hires staffs with specialized for IT security rather than hiring someone who can cheaply provide it. That is why outsourcing is cost effective. IT security for some companies need not be present 24/7 so there is no need to hire IT security staff round the clock.
  2. Hiring & Training – an outsourced IT can hire and train easily because they need more employees.
  3. Guaranteed service and system availability – they can also create an infrastructure to support them so that they can monitor new hacker tools, new security product, new software releases even new vulnerabilities.
  4. Broader view of the internet – outsourced companies can learn attacks from one customer and can apply the solution or knowledge to protect its other customers.
  5. Focus – companies or organizations can focus on in its activities by efficient use of its labor resources while paying the outsourced companies in monitoring IT security.

The following are the risks of outsourcing:

  1. The outsourcing provider has access to the intimate knowledge of the people, IT infrastructure, procedures, approval channels and the weaknesses and limitations of systems (including both IT and non-IT systems) of the organization being served.
  2. The provider may be processing and handling critical information, systems and assets, and have access to sensitive or personal information;
  3. The provider may have valid user IDs and passwords with authorization to access certain highly sensitive systems logically and/or physically.

Issues involved when a company turn over its security to an outside organization

  1. Sharing computer resources with other clients of the outsourcer – some outsourcers share the outsourcer’s computer resources to other companies. With shared Direct Access Storage Device and shared tape a device, the outsourcer’s other clients may be able to access the company’s data, even if processing is not shared. Security software should be implemented to prevent such exposures.
  2. Assurance that the company is not paying for another client’s use of resources – A charge-back software product can solve this problem. In addition, information security software should be used to ensure that only authorized log-on IDs use cost centers belonging to the company.
  3. Information security audit rights of the client company – the outsourcer should give the client’s information security staff the ability to review and update its log-on IDs and access rules.
  4. Outsourcer’s access to client’s data – to ensure the availability of the client’s data, some of the outsourcer’s staff need to access the company’s data. The challenge is to determine what the outsourcer needs to know and what is the appropriate level of authority for data access.
  5. Determining who owns the data and programs – although the client owns its business data; the outsourcer is a mere custodian of that data. The client should determine which data actually belongs to the company and which data requiring the company’s access belongs to the outsourcer.
  6. Data retention, destruction, and backup – Responsibility for data backup should be clearly defined. This decision should take into account the most efficient and cost-effective method of backup.

Security and General Management Issues

    1. Physical security – It should be verified that the outsourcer has adequate physical security to meet the client company’s needs.
  • Change control – the client company should always be informed of any hardware or software changes that could affect it.
  1. Disaster recovery – the outsourcer should have an adequate disaster recovery plan and a contract with a reputable hot-site vendor that has a configuration that will meet the client company’s needs.
  2. Regulatory requirements – the outsourcer should be able to handle any special regulatory requirements the client company may have.
  3. Service-level agreements – the client company and the outsourcer must know exactly, in writing, what to expect from each other.

Stipulations needed to include in service level agreement with an it security outsourcer

  1. When preparing an outsourcing service contract, the organization should clearly define the security requirements of the information systems to be outsourced, such as how all personal and sensitive data should be handled throughout the contract. These requirements should form the basis of the tendering process and become an integral part of the performance metrics.
  2. The outsourcing contract should include requirements for all staff of third party service providers and vendors to sign non-disclosure agreements to protect sensitive data in the systems. The contract should also include a set of service level agreements (SLAs). SLAs are used to define the expected performance for each required security control, describe measurable outcomes, and identify remedies and response requirements for any identified instance of non-compliance. In addition to defining SLAs, the contract should include an escalation process for problem resolution and incident response, so that incidents can be handled according to a pre-defined process to minimize any impact on the organisation.
  3. When engaging IT service providers, an organization should ensure that the vendor employs adequate security controls in accordance with their own organizational IT security policies, wider regulatory requirements or other industry best practices.

To ensure an effective and comprehensive review, inventory detailing

  1. a list of servers and systems within the scope of the project, and which servers / systems are storing sensitive or personal information,
  2. a list of support staff from third party service providers as well as the user ID and access privilege granted to individual support staff,
  3. a list of data, especially sensitive or personal data, transferred to the third party service providers

the same information security requirements and have the same information security responsibilities as those specified for internal staff.

  1. The security control compliance of service providers and users should be monitored and reviewed actively and periodically. The organisation must reserve the right to audit responsibilities defined in the service level agreement, and have those audits carried out by an independent third party.
  2. The organisation should ensure the adequacy of contingency plans and back-up processes provided by the service provider.
  3. The security roles and responsibilities of the service provider, internal staff and end-users pertaining to the outsourced information system should be clearly defined and documented.
  4. It is essential to ensure that all data to be handled by the outsourcing party are clearly and properly classified, and security privileges for access should only be assigned on an as-needed basis for the performance of their work or the discharging of contractual obligations.
  5. Although an information system can be outsourced, the overall responsibility and liability of any breach to sensitive or personal data remains entirely with the organisation.

The Job Interview

Last week, I went to a job interview for an Assistant Branch Manager position in a consultancy agency. I already had a job offer from my “dream” company however I decided to go through this final interview because I have already committed to meet with the General Manager prior to the job offer. I always hated job interviews. Some interviewers don’t know how to bring out the best in their interviewees. Most of the time, it sounds like a police interrogation of what happened and what did you do. But this time, it’s different. I learned a long lost lesson.

Let me recount what had transpired during the job interview.


GM:                  “So can you tell me something about yourself.”

Me:                    Interesting. I’m going to sell myself to a stranger again. More than that, I need to impress him. But I answered him anyway.


                        “Well, I am fondly called as Cris by my families, friends and colleagues. I am 31 years old and a graduate of Business Administration. I can say that I am a self made person. I supported my way from high school to college through scholarships and part time job in fast food restaurants. I value hard work because of that. And that’s why I don’t believe in short cuts as well. After my graduation, I started working as an Account Management Assistant in a local advertising agency in CDO. (The job                     title may seemed fancy at first glance, but really, all I ever did was to make coffee for my spinster boss/owner (who was always stressed out and who thinks her job is the most important job in the world, I added to myself.)  But no matter how menial I thought my job was, I learned to do things right for the first time. (It was a simple task as brewing a cup of coffee, but if I do it right, my boss’ mood will shift from stormy night to beach perfect sunrise. Hence, I will save my colleagues asses as well). Then I have a short stint working as a Medical Representative assigned in Mindanao. I decided to go back to Iloilo to be near to my parents (actually, I moved back to get married at a young age) and got a job as a Store Manager of a big retail store at the age of 24. I started out as a Store Supervisor and was promoted two years after as a Manager. The biggest challenge for me at that time was how to motivate people who are minimum wage earners. I mean, what’s in it for them if they work hard or not? At the end of the day, their paycheck will only reflect the amount that DOLE will           require to employers to pay. But ofcourse, I had to be a good example in order to motivate them. I have to show them that I love my job because it supports me and my family. Make them realize that the pleasure of fulfilling an honest days’ work is beyond monetary measure. It allows me to inspire people as well, which is what I loved the most. Coming from a humble beginning, I want to inspire people to dream big as well for it is not an impossible dream. It really felt good when I walk in                    the malls or some random streets in the city, seeing them smiling at me and asking me how I was. I can’t remember their first names anymore but they sure remember me. (Well, ofcourse, I didn’t have to tell him that my job was a dead end. There were no more growth at that time. And to be honest, I hated my gay boss who was a big a**hole, molesting some of our male clerks.)


                        “I resigned from X retail company because I got an offer from a host family in Norway as an Au Pair. Not quite lucky, my visa was disapproved because I was married. You know, Sir, the time when you were young and you wanted to do a lot of things, always looking for the greener pasture?”

GM:       “Ah, yes, ofcourse.”

Me:        So I decided to join the pharma industry again and joined a French company this time. I stayed there for almost over a year when a friend of mine asked me to join another mulit-national company because there is a vacancy in Visayas and she thinks I have a great chance of being assigned in Visayas. So I joined XYZ company and stayed there for a little more than  4 years.”

GM:       “Yes, I see it’s a very big company. So why did you decided to leave?”

Me:        “I understand your predicament to the situation. In fact, it was one of the hardest decision I ever made. (of course, I cant tell him I wasn’t happy anymore, there were a number of retrenchment from time to time and I eat hateful emails for breakfast everyday, etc, etc.). The industry is quite challenged at this time due to several government restrictions and there was no room for me to grow at the moment. So I decided to make a big shift. Aside from that, my health is quite challenged at that time so I decided to take a break and concentrate on my rehab.”

 GM:      “That was quite impressive. I didn’t know that the pharma industry was quite challenged as well.”

                And he proceeded to ask a few more questions that I find not quite relevant in this blog.


                        “Before I proceed, I’d like to let you know what you are getting into. Im quite surprised a lot had responded to this job posts.”


                        (I can see that. Guessing from the number of interviewees outside, there are about 6 candidates including me for the final interview. Most are in their middle 40s when I made my quick survey. Some are coming from big communications company.)


                        “Let me first tell you what our company is all about. It is definitely not as big as your previous companies but we came from humble beginnings too. I started out our first branch in Cebu and now, with hard work, it is now a total of 5 branches all over the Philippines in 3 years. I guess, our key success areas are being able to work with utmost honesty with our clients. We are making their               dreams come true of being able to migrate and live abroad. It entails risking their lives as well as their finances and families. There are a lot of short cuts in this industry if we’d like to permit it, but I believe that truth will surface in the end, hence more than losing our reputation, I can’t afford seeing broken dreams, wasted time and mismanged finances of our clients. I cannot allow that to happen. So I am                     looking for someone who has both the heart and the skill. The heart to help people achieve their dreams in the most honest way possible, and the skill to help them make it.”


                        “If you remember Mr. D who did the initial interview, he was one of my sales agent at first. After 3 years, I saw that he was ready so I decided to gave him one of my franchise here in Western Visayas. I was so happy when he fetched me in the airport this morning driving a Sorento. I am really proud that I was able to help him achieve his dreams as well. How I wish I could do the same for all                       my other employees.”   


                        “ I am impressed by your experiences. You seemed confident and able to do the job. Im sure you can handle difficult personalities and situations based on your previous job and you do have the skill for the technical aspect as well. In my opinion, you are spontaneous and sincere in what you are saying. You could                 represent any company very well. I always assume sales people to be a bunch of tattletales and a  master of flowery words. But in  your case, you seemed different. I am really going to have a hard time deciding who will I consider in this post. I will be more than happy to see you on board during your training, if ever you’ll be chosen…” (blah, blah… the rest is about the benefits and other details of the job.)


To be honest, I’m not really interested with the job offer. As I’ve said, I already had a job offer from my “dream” company. But what struck me the most is how he sees me and his employees. I care less if what he said was true or not. I realized for the first time that Mr. GM doesn’t only look at what these people can do to his company but AT WHAT HE CAN FOR THEM. Most companies I’ve been with (sorry  to say this but this is my opinion) is only as good as what numbers you can give them. True, I am compensated (even beyond my honest days’ work) but that’s just it. You celebrate your little or big successes in the most coveted Salesman of the Year Award in your designer gowns for some years and mumble some people you want to thank about. Or perhaps share with your listeners some tricks and tips of the trade. Some monetary and travel rewards too. But when you are not delivering the figures, you’re not their kind of person anymore. It’s       a little too harsh bit you are deduced to someone who are just paid to work.


This blog is meant to thank Mr. GM as well for helping me see who I really am. Those job interview answers just comes out of my mouth as an automatic response based on “some twisted” truth and as of what I perceived to be as a good answer. The truth is, he really helps me see who I really was. I neglected the fact that although I may not be the perfect salesman who brings home the trophy every year, I work with passion. I sacrifice a lot of things too for my work. I may have some bad decisions, but don’t we all? I am a human employee, not a robot. I see my work as my extended self, I am very much affected with my company’s “health” as well. I defended my company when opportunity asks me to do so not because I do not want to bite the hand that feeds me but because my company is a reflection of myself. Infact, it  is not my company that chose me, I chose my company the moment I decide I applied to it. It depends on them how they see me to be a good fit in their mission and vision. My only wish is that they may have the eye to see me or their workers as not just as a paycheck but their lifeblood. Small or big effort, employees are reason where it is right now.

 One thing is for sure: if someday, I’ll be given a chance to manage, lead or own a business, the lessons I’ve learned today will be applied. I will chose to inspire people. I will chose how to help people more than consider what they can do for me. After all, in my tombstone, I will not be remembered by my achievements or titles, but by the lives that I’ve touched.


                        Thank you so much for the lesson and for your inspirational story, Mr. GM. Live long and prosper!  


A Drugpusher’s Diary

Cris' Blogs

6:00 am

My alarm scandalously woke me up. I have to chose a “scandalous” tone for my alarm because if I don’t, I may not be able to wake up.

I am still sleepy (I only got 4 hours of sleep) because I decided to stay late last night, doing a very unproductive thing — “facebooking”. I’m tempted to hit the snooze button but my inner self is reminding me to move my lazy ass ASAP. I can’t afford to be late, six times of recorded late in our EBM (Early Bird Meeting every Monday) per semester means suspension from work. I firmly believe that late is the most undesirable reputation I could possibly reflect in my 201 file. Well, lucky me, I didn’t experience such shame in my almost four years of service in this pharmaceutical company.

With the speed of Flash, I have taken a bath, dressed for…

View original post 4,949 more words

The World is Too Big For Me, Mom

Mom, why is this world too big for me?

Are my dreams just too small?

or my hopes just too high?

Mom, why is the world too big for me?


I’m confused, Mom.

Isn’t it that dreams are suppose to make human better?

But tell me why I’ve seen people being destroyed by their very own dreams?


I’m hurt, Mom.

With the kind love I loved and gave freely.

Because I trusted it’ll be a love like yours.


I’m afraid, Mom.

That I’ve ran out of bravery.

Coz I haven’t carefully chosen the battle I’m supposed to fight.


I’m sad, Mom.

I can’t hide the sadness.

When all you ever ask is my happiness.


Im lost, Mom.

Lost somewhere between my dreams and reality.

Pray, tell me, is the world just too big for me?


God, I am scared.

I do not know what the future holds for me.

I can’t see past all these trials and mixed signals.

My emotions and ideas are confusing me.

Please hold my hand, don’t let go of me.

God, I am scared.