Companies need to take a hard look before they leap into outsourcing agreements, Pershing's IT security director said Thursday.
When reviewing a potential business partner, do not just accept a company's word about what they do for their customers - do an in-person site review, Warren Axelrod said in a keynote at the CSO Interchange in Chicago.
"More and more, you have to kick the tires and see for yourself," said Axelrod, who handles global infosec for Pershing LLC, a subsidiary of The Bank of New York Company that provides brokerage execution, investment and other services to financial organizations.
Many of the security breaches this year have been failures on the part of third parties, such as the recent massive credit-card exposure at payment card processor CardSystems Solutions, he noted. But while companies may blame third parties for a breach, they are still responsible in the eyes of regulators, he said.
Axelrod told the audience of about 60 security professionals that they need to get involved whenever their companies are contemplating any IT-related outsourcing arrangements.
"Push into that process. Make sure you're in the assessment of third parties... There is a piece of security in every outsourcing arrangement," he said.
Before entering a business partnership, companies need to undertake due diligence, which includes a site visit, checking the potential partner's financials, and getting references not provided by the company, Axelrod said.
Businesses also should beware of "function creep" - when an outsourcer winds up doing more services and having more access than agreed upon, he said.
"Only disclose information on a need-to-know basis."
The CSO Interchange was organized last year by Qualys CEO Philippe Courtot and Howard Schmidt, former White House cybersecurity adviser, to provide security professionals with a forum for exchanging ideas. The previous interchange event was held last December in New York.