
Advertorial feature by Cyber
9 March 2016, updated 9 September 2021, 1:31pm

Threats and opportunities

Involving a third party in your IT infrastructure carries its own risks and rewards, says Malcolm Marshall, global leader for cyber security at KPMG

By Malcolm Marshall

While technology may be developing faster than ever, many companies today have IT functions capable of supporting the business as it was ten years ago rather than what its needs will be in ten years’ time. A fear of being left behind has created a huge industry of outsourcing companies willing to take the strain of keeping up with innovation while also allowing their clients to focus on what they do best – selling their product.

As a consultant working in the technology industry for many years, I have seen swaths of industry hand over their IT – whether it be their accounting functions or data centres. And this is a good thing. I believe that 95 per cent of a company’s technology can and should be outsourced.

Outsourcing companies can generally do things more cheaply and also have the benefit of being able to provide top-level talent to clients. KPMG has conducted many surveys looking into the cyber skills gap in the UK and it is a recurring theme. When using an outsourcing company, clients can also tap in to a wider network of potential learning through client forums and events.

But as with any business decision, there are pitfalls, which is why I am emphatic about 95 per cent rather than everything. Companies need frameworks and safeguards in place before they take this important step.

In recent years, a number of global companies have been reversing previous outsourcing decisions. One major financial services provider, for example, was well known to have been one of the most innovative and enthusiastic in recognising the benefits of sharing the load – outsourcing nearly 80 per cent of its IT work at its height. But fast-forward to 2014, and the new chief information officer talked openly of outsourcing having “gone too far” and how the firm was now insourcing work that it recognised to be of strategic importance.


What it recognised was something other businesses are now realising – you cannot outsource that 5-30 per cent of your company’s IT requirement when it is of critical importance to your business. Not only could you risk losing intellectual property, but clearly it would be very possible, certainly in a smaller business, to be reliant on technology that nobody within the organisation understood.

As a personal example of this, my first experience of the Internet of Things was 15 years ago, when an infrastructure operator called me in when they had a new safety system installed. I couldn’t understand why they needed me, until I realised the system was internet-enabled and the company was in a mild panic about what that meant. While it makes me nostalgic for the days when equipment was operated with big yellow levers marked “on” and “off”, it does make the point that it is quite easy for a company to sleepwalk its way into a situation where it has a lack of control over critical parts of the business.

It was interesting that this year’s Davos summit was about the Fourth Industrial Revolution. Many companies still struggle with the Third, and are still learning lessons from being hacked and having suffered other data breaches.

Only in recent years have chief executives started to realise the importance of IT and they are creating governance systems around their accounting systems and putting in risk controls around data and assets. Companies such as retailers and banks, which have close customer engagement, have been under intense pressure to deal with this.

What is bizarre is not that these companies are leading the way in dealing with this but that so many others remain relatively blasé about being hacked when even a humble vending machine is now internet-enabled and transmitting a constant stream of data.

That is not to say that nothing has changed. I have seen companies become more prescriptive about how their security is managed. Typically, businesses will retain a security function, but we have also seen cases where companies will choose to outsource part of that to an independent supplier so that they still get the comfort of there being third-party oversight of the outsourcer, but without having to have a large in-house team themselves. For large companies, it is not uncommon to have anywhere between five and ten supplier relationships, or even more, for various parts of the technology infrastructure, including apps, back office and front office.

But what makes this whole ecosystem work is contract flexibility and a collaborative culture. It is vital that both customer and supplier work hand-in-hand to ensure a constant flow of information, as it can quickly become a nightmare when things go wrong.

A few years ago I was in a situation with a major customer-facing brand where the US-outsourced IT security was going swimmingly but relationships had all but ground to a halt in Europe. What quickly emerged was that the European division had negotiated the supplier down so hard that it had had to cut dangerous corners to keep the contract in profit. It just doesn’t work. Like anything in life, you get what you pay for and the best outsourcing relationships are delivered from close and flexible working where everyone understands what is expected of them.

Now clearly this takes planning. Cyber security issues can sometimes sit at the end of a larger contract, or end up being rushed through after a hack or where an internal audit has uncovered a weakness. Again, this can lead to misunderstandings and therefore a breakdown in communications.

It is vital that the in-house team takes the time to take suppliers through a detailed walk-through of its requirements and processes, so that any issues can be identified in advance and expectation gaps are kept narrow.

What is also vital is that everybody – all suppliers, and not just IT – is covered by the same rules. All suppliers need to understand where weaknesses can occur. For example, there was one high-profile attack where the hackers got into the business from the air-conditioning supplier – nothing to do with IT, one might think, but still a bridge to highly sensitive data. The point is that one can have the best IT outsourcing companies in the world but if one has weak processes, passwords or small suppliers who simply don’t understand what is expected of them, data, and therefore money, can go missing. And the best contracts in the world will not stop that happening.

We live in an era of vastly changing IT and one in which fraudsters are innovating. While outsourcing can and should absolutely benefit an organisation, it needs to be handled in a thoughtful way, particularly when it comes to security. The best scenario is where companies and suppliers work closely together to resolve issues and where learning is shared. Some more forward-thinking organisations are already leading the way – by hosting seminars for smaller suppliers, for example, to help them understand what is expected of them. This is a fantastic and collaborative approach that should be welcomed and copied. Clearly others will find their own way, but make no mistake: the pressure is on.