Security in an Outsourced Environment

May 22, 2015

The Nordic Chapter of the IAOP met earlier this week and the topic was Security. More specifically, the discussions centered around how to identify and implement security standards; contracting for security; and what aspects of security could be managed by a vendor.


Allan Bjerre, Director, KPMG kicked off the program with a look at their recent study on Unknown Threats in the Nordics-A Study of APT and Malware. KPMG has looked at Finland (2013), Sweden (2014), Denmark (2015) and soon, Norway (2016) to establish a thorough and nuanced picture of security in the Nordics. One interesting trend Allan focused on was the move to monetization of security breaches, that is, the growing role that organized crime has as a broker of stolen data and compromised security. In Allan’s words, “this is market driven and not necessarily a tech thing.”


Rasmus Kærsgaard Theede, VP Group Quality and Security, KMD, contributed observations about the role that the press and media play in controlling where companies put their focus, resulting in a distortion of resource allocation vs. actual need. Rasmus backed this up with details on the actual occurrence of, for instance, cyber espionage at 0.8% vs. accidental disclosures at 29.4%; and that 50% of data breaches in the public sector were due to human error or employee snooping. Key to Rasmus’ message about rational resource allocation is that by complying with ISO 27001, 90% of errors and issues can be addressed.


Rasmus and Allan also raised the issue of why companies might wish to outsource some aspect of security. Among the issues raised were that the proper competencies are hard to find; security is typically not part of a company’s core business which makes it challenging to secure appropriate resources; companies typically lack the critical mass to accumulate rock-solid expertise; and infrastructure costs can be daunting for a single organization. Yet, although it might make great sense to use partners to deliver on some aspects of security, Rasmus hammered home the principle that, “you can not outsource security accountability.” Allan echoed that by emphasizing that organizations must be deliberate in acknowledging their risk appetite in order to properly invest in security.


Ole Horsfeldt, Partner, Gorrissen Federspiel, contributed to the discussion by noting critical aspects of contracting for security, perhaps best summed up by his comment that, “you get what you pay for and what you measure.” Ole focused on the central issue of implementation and predicted that the future will bring security SLAs that accommodate a constantly changing security picture.


The program concluded with a panel discussion including the day’s presenters and moderated by Stiig Wæver, Partner, Praesidio. Among the interesting points raised by the panelists were the need to distinguish needs and trends among various industries and the fact that so much of the work to be done to increase security involves changing behaviors and mindsets.


Our next IAOP Nordic Chapter meeting will be held on September 15. We hope that you will join us.