Which is fine. But first a couple of points: From the
earliest days of outsourcing there have always been third parties involved in
processing client information. More to the point, data breaches can and do
happen with in-house operations, too.
Still, the data issue is gaining traction in light of
legislation aimed at protecting financial and medical data. Both clients and
providers are feeling the heat.
The sourcing industry has already adopted safeguards
and best practices to protect information, but the question remains in the mind
of many: Does sourcing mitigate or exacerbate data risks?
Companies are calling us seeking advice on
the capabilities of service providers to help reduce the perceived risks
relating to data protection. At the same time, providers are starting to squirm
at contractual terms aimed at allocated damages due to breeches in data
security policies.
We shall see whether the sourcing industry
is a source of extra risk or solution. But there are two things we already
know: Whether data are processed in country or offshore doesn’t matter, so
don’t believe in headlines about “outsourcing” as a culprit. And the market can
and will play a regulatory role, as it always has, because reputations and
bottom lines will suffer if customers suffer.
« End (to End) Game: Managing the Multi-Provider Service Chain | Main | 2008 – And Beyond »
January 02, 2008
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d834520e4c69e200e54fd02bea8834
Listed below are links to weblogs that reference Unto the (Data) Breach: A 2008 Topic:
Comments
Verify your Comment
Previewing your Comment
This is only a preview. Your comment has not yet been posted.
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment
As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.
Having trouble reading this image? View an alternate.
Recent Posts
- ADM as a Business Changer, Plus Free ADM Webinar Details
- Put in the Hard Yards to Get the Best Out of Your Sourcing Balanced Scorecard
- Lessons Learned from the 2011 TPI Momentum Geography Report
- IBM Acquires Emptoris: Implications for BPO
- Keys to IT Process Maturity
- SAP Acquires SuccessFactors: Forecast Calls for More Clouds
- Drawing the Line on Facilities Management at Manufacturing Sites
- Reinventing Procurement as a “Go-To” Organization
- Cloud Security: Peeling the Onion
- The IT Consumerization Challenge – and Opportunity
I certainly agree that service providers will see an increasing focus by their clients on assessing their information security risk, given the regulatory and reputational issues fir enterprises. I also agree that whether it is off-shore or onshore isn't the defining factor in whether an SP is secure or not - it's the policies, procedures, technologies, and governance in place within the SP environment being used to perform the services.
As we are building an vendor info risk rating service here at Moody's, I obviously think it is a good thing for service providers to get assessed. Better to be assessed and know where your risk areas might be, than have your clients put overarching, generic contractual terms on you because they don't know your current posture. I also think that clients will look more kindly on service providers who proactively get their security posture assessed versus waiting till they are forced to.
The stick approach is what I see being used mostly by enterprises right now to push service providers to be assessed, but one thing I would be interested in hearing from service providers is what would incent you to proactively get an assessment. Our early observations are that most service providers don't too willingly go out and get assessed until a key client pushes them to.
Posted by: Ed Leppert | January 07, 2008 at 11:26 AM