Big banks, hospitals and insurance companies worry about computer security because they handle so much personal information.

Now, in the age of outsourcing, they also have to worry about whether their partner firms are secure. And that’s created a new kind of business consultant: The information security auditor who determines how much security is enough.

Some of these auditors work for big companies. When Evan Francen did security audits for Wells Fargo bank, he asked outsourcing companies to complete a 1,500-question security checklist. (Wells Fargo officials declined to comment.)

Now, Francen has his own security company, FRSecure, that helps outsourcing firms meet the demands of security auditors like him.

“We audited a small bank that was compliant with computer security regulations, but we could have put them out of business in five minutes because of the physical risk,” Francen said. “Their computer server room had no camera surveillance, no records of who came or went, no locked doors, nobody there at night, and it was in a separate building.”

Such a setup represents a business opportunity for the likes of FRSecure.

“We’re in the Wild West period of security compliance,” said Kevin Orth, FRSecure’s vice president of operations. “There are no security standards that are widely accepted.”

The security-auditing opportunities also have drawn the consulting arms of big accounting firms such as Deloitte.

“Every time there’s another computer security breach, these security-audit programs get ramped up quite a bit,” said Matt Marsh, a partner in enterprise risk services at Deloitte. “Because if there’s a breach, there can be costs, loss of reputation and loss of business.”

Driving the latest corporate fear about computer security is a confluence of events. Computer security breaches, such as the massive email leak this year at outsourcer Epsilon, have become common. Cloud computing, which saves companies money by letting them use remote data centers, poses security risks about which little is known. And big companies are under more regulatory and legal scrutiny.

“All of those factors are converging and are putting a lot more pressure on banks and other big companies,” said Avivah Litan, an analyst for research firm Gartner Inc. “Security audits have definitely taken a big upward tick.”

For IT consultants, this is a boon.

“Performing security audits is now a specialty within information technology consulting,” said Isaac Cheifetz, an IT recruiter with Open Technologies Consulting Co. Security “is no longer simply about making sure the network firewall is up.”

Added Marsh, “That whole space of security and privacy is a growth area for us.”

That can drive consulting prices up.

“We see many IT consultants trying to dabble in information security, and they set their prices at what their clients are used to paying,” Orth said. “We make more, but we’re specialists. So there’s no such thing as standard pricing.”

These days, consultants are called in when outsourcers find it difficult to meet confusing and sometimes excessive security demands of big companies for which they handle data.

“A lot of these security rules were written by non-IT people, and they aren’t specific enough to give IT professionals a clear idea of how to set up security, and there are a lot of different ways to do it,” said Aric Bandy, CEO of Agosto Inc., an IT outsourcing company that does work for Goodwill Industries, the Minnesota Wild professional hockey team and Dunn Bros. Coffee.
Ads by Google

Security Solution for SMEIn 60% faster response time at 20% discount! Apply Now. www.tatacommunications.com/sme
Business Development EMEAYour European Business Development Services. No fixed costs… www.proteksol.eu/BusDevelopment

“One client wanted us to ensure we had control of who was physically able to access a computer server in our data center,” Bandy said. “We already had card access to the data center, personal identification numbers for data access and a guard. But that wasn’t enough. They wanted a camera focused on that server, and we had to do that.”

Some outsourcers try to spare themselves that kind of anguish by launching a pre-emptive strike: They hire a company such as FRSecure to do a security assessment and develop a plan to help ward off some security demands of big clients.

“We’ll do a security assessment so the vendor can push back on the security demands of the big company,” Orth said. For example, if data encryption is too expensive, an outsourcer should develop a less-expensive alternative, such as surveillance cameras or documented procedures to destroy old disk drives, he said.

That worked for FRSecure customer Action Inc., a direct-mail company that works with banks, health care institutions, insurance companies and schools.

“The first time you get audited for security, it can be a bit onerous,” said Tony Zirnhelt, Action president. “But now we’ve taken a proactive approach to data security, such as employee training, cameras, data access control, even hiring someone to try to break in through our computer security. We now use our data security in our pitch to prospective clients.”

That may be the most practical solution at a time when data security is so ill-defined, said consultant Marsh.

“You could encrypt and secure everything to the nth degree, but that would cost a lot of money,” Marsh said. “So there’s a balance, and each institution has to figure out what that balance is.”

Source:http://articles.chicagotribune.com/2011-11-14/business/ct-biz-1114-tech-outsourcing-20111114_1_computer-security-security-audits-security-standards

Desire for global coverage and the ability to retain control have made reference data management a top function for outsourcing, according to experienced industry practitioners and survey respondents

Reference data management has become one of the most popular functions for firms to outsource, according to outsourcing vendors.

Washington, DC-based Elena Christopher, vice president of financial services at Mobius Knowledge Services, a content and data service provider, led a panel discussion on outsourcing at the FIMA conference in London this week, and told Inside Reference Data that firms are turning to outsourcing to meet the higher standards now being expected of data. Survey results published by data process and analytics firm eClerx this week also showed that senior decision-makers in financial services consider outsourcing to be most relevant for reference data management.

“Outsourcing is becoming more significant for reference data management,” says Christopher. “I have been in the outsourcing industry for about 20 years at this point, and that time span lets you see the peaks and troughs, and when it is in favor and when it is not.”

She continued: “Data has become elevated, which means it is more visible and there is perhaps more budget given to it. You quickly get to the question of, ‘How do we actually achieve all of this?’ and part of it is technology and part of it is in-house, but part of it is through the use of partners – hiring that expertise to come in and assist you in achieving these new goals.”

During the panel discussion at FIMA, delegates gave their views on outsourcing, offshoring (the use of a captive partner in a geographically remote location) and nearshoring (using an internal or external provider in a location that is close to the main organization). Christopher said there was no definitive answer on which is best: “Any of them can be successful provided you have done a very good job of defining exactly what it is you are trying to achieve, making it measurable and having it well defined.”

Christopher emphasized that cost is not the most important benefit of outsourcing, and that many firms are turning to outsourcing to have greater global coverage: “Now there is more of a follow-the-sun approach, where you have a partner or a captive in India, you retain a few people in London and then you have some folks in New York or Chicago. There is that driver too to have local market coverage.”

New York-based Alberto Corvo, managing principal of financial services at eClerx, said reference data management is a popular function for firms to outsource because they are still able to retain a high level of control over it: “If you set it up the right way and with the right partner, you can have a lot of control. In a sense you can say, ‘Ok, this is the type of data we need, go find it, clean it and normalize it and get back to me.’ You don’t need to give an outsourcer access to your system, so it’s much faster to do. You can have a very tight SLA. You can do the checking before you use the data. So it is a very good way for people to dip their toe into outsourcing.”

Source:http://www.waterstechnology.com/inside-reference-data/news/2124444/outsourcing-eclipses-cost-reference-management-criteria-vendors