The Importance of Human Factors when Assessing Outsourcing Security Risks
ABSTRACT
The world is becoming increasingly interconnected and ways of doing business are evolving rapidly. Communications technology is ubiquitous and reliable, and businesses are continuously seeking ways in which systems can be exploited to improve resilience, become more efficient and reduce costs. One way in which organisations seek to achieve this is by concentrating their efforts on core business processes and outsourcing non-core functions. However, outsourcing - and particularly off-shoring - presents many security issues that must be considered throughout the lifetime of contracts. The scale of outsourcing and increasing technological and security complexity are making this task more difficult. Often neglected, or given low priority, are factors relating to the people who will be working on the contract. These factors are driven by regional and cultural differences and manifest themselves in differing security threat and risk profiles; risk management frameworks must therefore be designed to recognise and cater for these variations.
This paper is based on BT’s extensive global sourcing experience and describes some of the key human factors that can impact significantly on the success, or otherwise, of secure outsourcing. The application of technology alone will not provide solutions. Security controls need to be workable in a variety of environments and need to be designed, implemented and maintained with end user behaviour in mind. New approaches need to be considered for building and maintaining trust and secure relationships between organisations over time. Ownership of security is required, as is a means of building understanding and empathy with the customers’ need for security; this may only be effective in the long term rather than short term – and this in itself presents a major challenge in the outsourcing world with its high churn of personnel.
AUTHORS
BT Design Security Risk & Compliance, United Kingdom
Carl Colwill is a Principal Consultant in BT’s Security Risk and Compliance team and specialises in security risk management and information assurance with a current focus on global sourcing activities. Carl leads security studies and compliance reviews for BT in collaboration with the UK Government and third parties; his consultancy role is certified under the UK CESG Listed Advisor Scheme (CLAS). Carl joined BT in 1980 after gaining a BSc(Hons) in Computer Science from the University of Warwick. Carl was a founder member of BT’s Information Assurance team established in 1997 to assess emerging threats and risks with a national infrastructure perspective. Carl gained an MBA in 1992; other professional qualifications include Chartered Engineer, Chartered IT Professional, Member of the British Computer Society, Member of the Institute for Risk Management, Member of the Association for Project Management, ISO27001 Lead Auditor.
BT Security Research Centre, United Kingdom; Adjunct Professor, Edith Cowan University, Australia
Dr. Andrew Jones. During a full military career Andy directed both intelligence and security operations and briefed the results at the highest level, and was awarded the MBE for his service in Northern Ireland. After 25 years' service with the British Army's Intelligence Corps he became a business manager and a researcher and analyst in the area of information warfare and computer crime at a defence research establishment. In September 2002, on completion of a paper on a method for the metrication of the threats to information systems, he left the defence environment to take up a post as a principal lecturer at the University of Glamorgan in the subjects of network security and computer crime, and as a researcher on threats to information systems and computer forensics.
At the University he developed and managed a well-equipped computer forensics laboratory and took the lead on a large number of computer investigations and data recovery tasks. In January 2005, he joined the Security Research Centre at British Telecommunications, where he is currently the head of information security research. He is the author of five books on the topics of information warfare, information security and digital forensics, and holds a Ph.D. in the area of threats to information systems. Andy is Adjunct Professor in the School of Computer and Information Science at Edith Cowan University and part of the SECAU Security Research Centre.
Published In
Journal of Information Warfare