We Can’t Outsource Accountability, but We Can Calculate the Risk
I was inspired this week by some lengthy contractual conversations we had with a client regarding liability and risk associated with a data breach. In this particular case, it was a scenario where we would be taking over management of some legacy systems. Now, one might ask, why on earth would you do that? Well, to quote my esteemed colleague Mr. Kiilsgaard in his previous post, “My Information Technology Environment Is NOT an Ugly Baby,” the technology works. And quite frankly, this is what we do. We take it all, the good, bad, or ugly, and we manage it quite well, if I do say so myself. Most often, better than our clients can. But what does that mean for liability, security, and risk?
The first thing we do in these initial phases of contract negotiations is try to understand what we are dealing with, so we ask the following questions:
What is the data set (PHI, PII, regulated data, confidential data, etc.)?
Where is the data?
What controls do you currently have in place? This is the fun part – there is a reason the clients want to outsource the technology and hand it all over. I’ll just say security might be a part of that and leave it at that.
What is the contract value?
How many systems, records, etc. are stored?
Based on the answers to the above, we calculate the risk factoring in the cost of a breach, the potential regulatory fines, the contractual implications, breach insurance, etc. We then review the contract to determine what the clients security requirements are (contractually) as compared to our security policies, and redline appropriately.
What is fascinating throughout this entire process is that typically our biggest concern is related to the client preventing us from implementing best practices and the fact that our policies and practices are more stringent than what is currently in place at the client. The least of our concerns are situations where the client is contractually obligating us to implement SECURITY CONTROL X. Usually our response is, “Great! We welcome that!”
Why is this important to the client? Because I, your trusted outsourcer, am here to tell you that you can’t outsource accountability and risk. You’ve heard it a million times before and it is true. We can’t absorb the accountability or responsibility if a system is breached. What we can do is help determine the areas of risk, offer advice in remediating the issues, and collaboratively do our best to prevent such an occurrence. We can offer clients a hands-on keyboard to do the work in a skilled manner. We can offer mitigating controls such as additional network segments, host based controls, additional monitoring, etc. We will do all that we can to protect systems in a collaborative fashion, working closely together to reduce the risk, but we do need the client’s commitment to help us achieve that.