Demo Free trial Request quote Contact me
Outsourcing & vulnerability assessment – a perfect combo
More than 70% of all organizations outsource their IT to a greater or lesser extent and it’s continuously increasing. Outsourcing gives many advantages, but also new challenges for the IT organization. One challenge is the security assurance in the delivered service. Many times, the function is in focus and the requirement regarding security is secondary. However, this trend is changing and there are effective tools to take control of your own security even if you just order IT from organization.
By Stefan Thelberg Topics: GDPR, Penetration testing, Vulnerability assessment

You’re still responsible when outsourcing

A common misconception is that outsourcing means that the liability for, as an example, personal data in relation to GDPR is wholly or partly in the outsourcing partner's responsibility. But the legal responsibility is still yours, in being the owner of the data. Whether you outsource or not, you have the same responsibility towards authorities, laws and recommendations. If you would leak personal data as a result of neglected security, it is your organization, not your partner, who will be held responsible.

The SLA is not a guarantee

Today a part of the outsourcing partner's offer is an SLA that describes the level of service and security to be delivered. But how do you ensure that the SLA is adhered by your partner, as the SLA does not imply any warranty. An SLA should be considered as a guideline for how your partner should work – and not a guarantee.

Don’t evaluate your own security

A rule of thumb in IT security is not to evaluate your own security. This should be wholly or partly made by an independent party or product, or a combination of the two. Research clearly indicates that those who evaluate their own IT security, without the help of independent parties or tools, does not get the complete comprehensive analysis and they miss out on important details. One common example is that systems that you think are safe, or systems that will be retired, are skipped. These systems might just be the ones with critical vulnerabilities today or in a near future.

Vulnerability assessment - an objective way of analyzing security

Automatic and continuous vulnerability assessment ensure a good basic security in your outsourced IT environment. The vulnerability assessment provides you with an objective overview, and also provides effective methods for communicating information about vulnerabilities, both current and over time. The reports are adapted for both non-technical and technical savvy. For example, the person who is responsible for the personal data, the Data Protection Officer (DPO), can get a tailored report automatically once a month, that clearly states how vulnerable system holding personal data are.

Collaborate – don’t monitor

In Holm Security's platform, you can work together with your outsourcing partner. You can both access to the Security Center (our control panel) and be able to prioritize and discuss about vulnerabilities. The platform then becomes a tool that promotes the cooperation with your outsourcing partner and enables you to work more efficiently with your IT security.

5 tips when outsourcing your IT:

  • Ensure that your partner maintains a high level of security in their delivery.
  • Remember that SLAs and other agreements does not guarantee that your outsourced IT environment is secured.
  • Outsourcing does not reduce your responsibility over e.g. personal data from a legal perspective.
  • Require SLAs to be followed with continuous and automated vulnerability assessments.
  • Require that you as a customer automatically get weekly or monthly reports with a clear overview of the vulnerability status in your IT environment.
About the author
Founder and CEO of Holm Security. Stefan is one of Sweden's most prominent cyber security entrepreneurs, previously founded the Swedish Webhosting Group and Stay Secure. Stay Secure was the largest email security provider in northern Europe. He has worked with sales of IT security products towards the private and public sector for close to 20 years.

Stefan Thelberg
+46 (0)739-99 33 12