Can I Trust You with My Most Precious Asset?
September marks the beginning of a new school year in the UK, and for many young people, it’s the first time they’ll be in a new environment, surrounded by new faces. This moment represents the culmination of a months-long application process, with parents hoping to secure a place for their child at their first-choice school. Now, imagine how this compares to an organisation outsourcing its critical IT systems and services for the first time.
What’s the connection? Let’s dive in.
Your Child Is Your Most Valuable Asset
As a parent, your child is your most precious asset. You’ve been their primary influence, responsible for shaping their experiences and making all their important life decisions. Up until now, you’ve had complete visibility into their day-to-day activities, knowing exactly how each experience has contributed to the person they’re becoming.
But now, things are changing. The time has come to entrust part of that responsibility to someone else—someone you don’t know, someone whose methods you have little visibility into. It’s a big leap of faith, isn’t it?
How Can You Make a Confident Decision?
There are many ways for parents to gather information and feel more confident about this decision. They can review reports from school inspectors, look into past exam results, and seek advice from other parents whose children already attend the school. But many parents won’t stop there. They’ll want to visit the school, talk to students, review their work, speak to staff about their approach to teaching, and listen to the head teacher discuss the school’s strategy and values.
This hands-on approach is very similar to how any organisation should seek assurance of security and compliance when outsourcing a major business process. Are you willing to hand access to critical information and IT systems over to a third party without really knowing them? Probably not.
What Should You Look for in a Service Provider?
Just like choosing a school, organisations should look closely at the outward-facing presence of potential service providers. What are their mission and values? Do these align with those of your organisation? What do market analysts say about their products or services, and how do they perform against competitors? And what are current customers saying about them?
Go beyond the surface. Look at their public-facing Internet presence to understand how well they perform vulnerability management and maintain their applications. After all, if they’re not safeguarding their own assets, how will they protect yours?
Security and Compliance Assurance: It’s More Than a Checklist
When seeking assurance during the procurement process, understanding the security controls a provider has in place is essential. This includes evaluating people, processes, and technology.
In the past, it was common to visit a supplier’s operational site, tour their data centre, and see first-hand where your IT service would be hosted and how it would be protected. However, in today’s world of virtual and geographically dispersed services, that’s not always possible—or even useful.
So, how do you get the assurance you need in these modern times?
Don’t Rely on Certifications Alone
Just as a school inspection report can provide some comfort, certifications and accreditations can show that a company takes security seriously. But be cautious. Both a school inspection and a certification audit are snapshots of the past. They’re often well-prepared for and may not reflect the day-to-day reality.
To truly understand a provider’s capabilities, you need to dig deeper. Speak to the people who run and deliver the service, not just those who sell it. Ask them to demonstrate how things work and what actions they take in specific scenarios. Find out how they intend to communicate and share information on a day-to-day basis.
Who’s Handling Your Most Sensitive Data?
Another crucial factor to consider is the people behind the service. How does the provider train, motivate, support, and retain their staff? These employees will have the highest level of access to your critical data. How can the provider assure you that their staff are qualified, experienced, and ethical?
Additionally, ask how the provider ensures that your requirements are passed on to any other third parties they may work with. You need to understand what might be lurking further down the supply chain.
Taking the Right Steps Gives You Confidence
Taking these actions upfront will give you a much clearer view of the service provider. While there’s no guarantee of future performance, this level of scrutiny can give you the confidence to proceed—or indicate that this may not be the right fit for your organisation.
But you might be thinking, "Can I really do this for every third party and supplier?" The answer is no, and you shouldn’t have to.
The Key Is Knowing What’s Critical
Not every vendor or supplier requires the same level of due diligence. One of the fundamental principles of security is knowing what your critical processes are and identifying the systems and data that require the highest levels of protection. This way, the level of scrutiny you apply is proportionate to the value of the assets at stake.
Applying This Approach to Real Life
Coming back to our analogy—how much effort would you put into choosing the school where your child will spend the next several years? Quite a bit, right? After all, it’s not just about educational outcomes; it’s about shaping their personal and social development.
Now think about a different scenario. If you’re a pet owner, you might not put quite as much time and effort into choosing a place to board your pet while you’re on holiday, but you’d still want to visit a few facilities and ask about food, exercise, and interaction with other animals.
However, when it comes to choosing a dry cleaner for your suit, would you be as thorough? Probably not. Unless it’s an expensive or sentimental piece of clothing, you might just choose the nearest one or go by a friend’s recommendation.
What You’re Really Doing: Risk Assessment
What you’re actually doing is a risk assessment. You’re evaluating the importance of your asset and determining how much time, energy, and scrutiny are necessary. The higher the value of the asset, the more attention you’ll give to ensuring it’s in good hands.
So, when it comes to outsourcing critical business processes, don’t be afraid to ask the tough questions and dig deep into how a service provider operates. You’ll be safeguarding your most precious assets—just like you would for your child.
About the Author:
As Director of Resilience Insights, Matt Gordon-Smith specialises in delivering cyber security leadership and advisory services for clients globally. With over 20 years of experience in information security, he has held senior leadership roles, including Chief Information Security Officer (CISO) and Director, across industries such as civil nuclear, mining, and aviation.
Starting his career in 2000 as an IT Security Architect at IBM, his expertise spans enterprise security architecture, consultancy, and IT managed services. This broad experience has provided a solid foundation for guiding organisations through complex security challenges.
Since 2022, Resilience Insights has been providing tailored services, including fractional CISO support, regulatory compliance strategies, and interim leadership. The consultancy focuses on helping organisations strengthen their security frameworks, address new challenges, and meet evolving regulatory requirements.