Parham Eftekhari

Abstract: As the Federal IT community moves deeper into the outsourced model, a CIO's and their CISO's security strategy must increasingly focus on contracts and supply chain management in order to mitigate their risk as buyers of commodity services.

As the Federal IT community moves deeper into an outsourced model, where applications, storage, networks, and services are procured from a myriad of providers and data is stored in a web of clouds and devices, the Federal IT ecosystem has never been more complex. As a result of this decentralization, the threat of breaches and hacks has grown exponentially, and CIOs are finding themselves with less control and reliant upon service providers whom they must "trust" with security: a scary scenario for any executive, to say the least. While the benefits and logic of this paradigm shift cannot be disputed, the priority of CIOs and their CISOs must now be on what they can do to mitigate their risk as buyers of what are increasingly becoming commodity services.

Contracts are King

As part of this shift, the first thing the federal community must recognize is that the contracts they enter into with service providers who provide or manage their services, networks and data are their most important asset, and potentially their biggest liability. Before picking up the phone to meet with vendors, agencies must do their due diligence to identify what their requirements and needs are (be they driven by federal-level regulation and compliance or department-specific), decide which contract terms will be "deal breakers", and develop a detailed list of questions and demands they will use when interviewing and prospecting vendors. This crucial first step requires engaging a multi-disciplinary team of IT, contracting, legal, privacy, security, compliance and other officers to ensure nothing is forgotten. Some areas that should be focused on are where the data is located, access to security logs, breach notification processes, and exit strategies in the event of bankruptcy or mergers. Perhaps most important is to ensure that your contract not only outlines what you expect, but also defines clear penalties for solution providers if terms are not met, including the ability for you to get out of the relationship with your data returned in a structured form that you can use.

Another big mistake a buyer of cloud-based services can make is being afraid to say "no". As mentioned before, you should come to the table with a clearly defined list of deal-breaking requirements, which I suggest should include access to your cloud provider's security logs and the ability to add your own monitoring tools on their network so you can compare their data to yours (yes, it is possible and has been done before!). Until the community begins to demand what it truly needs to ensure adequate security, and solution providers see a direct negative impact on sales as a result of not meeting that demand, contracts will continue to be written in favor of vendors. This is not to say technology vendors are out to take advantage of the community or rip us off, but they cannot be expected to proactively know our concerns and needs until we tell them what they are, and saying "no thank you" when those needs are not met is the most effective way to show how serious you are.

Secure your Supply Chain

As our featured article this month, titled "Securing the Federal IT Supply Chain: A Mammoth Task? Absolutely. An Impossibility? Absolutely Not.", discusses in great detail, understanding where your technology is coming from and who has had a hand in building it is critical now that most services are being outsourced. Understanding your supply chain requires a common language, consistent standards, and sharing of information: a difficult-to-achieve yet crucial element of your outsourcing strategy. This capability is quickly becoming one of the most important parts of an IT department's security strategy and will grow in importance as mission-critical data and applications are moved to the Cloud.
