By Rui Feio, Senior Security Consultant, RSM Partners
Many IT organizations see outsourcing as a viable solution to the problem of declining skills in their mainframe team. The outsourcer will take the responsibility of managing, maintaining, and upgrading the mainframe. On paper, it’s the “perfect solution!”
As an added benefit, the organization doing the outsourcing assumes it will improve the business landscape, increase shareholder value, increase dividends, and guarantee higher bonuses to the “architects” of this change. Let’s be practical and honest: it all comes down to money.
What does the outsourcer deliver?
For a short period of time, the outsourcer usually delivers everything that was initially promised. However, not long after, the organization starts to realize that maintaining and managing, or even upgrading, is not exactly the same as improving. The outsourcer is not a charity and they have targets to meet. Their goal is to make money. After all, they too have shareholders, dividends, and bonuses to pay.
The scope of the outsourcing deal usually includes all aspects of mainframe security. “Let someone else deal with that. After all, that’s why we’re outsourcing.” The outsourcer therefore is now not only responsible for the platform that runs the organization’s core business applications, but also has full control of its security. The outsourcer controls how the technical resources on the mainframe are protected, who or what can access them, and also all of the business resources residing on the platform.
This is when a strange dichotomy of belief systems becomes apparent. The minds behind the decision to outsource the mainframe’s security sometimes believe that the outsourcer is responsible for ensuring that the mainframe is secured. They clearly didn’t invest much time in reading the fine print of the outsourcing agreement, or in asking the right questions. The outsourcer may believe the opposite: that security is the responsibility of the contracting enterprise.
There are many statistics that detail the percentage of breaches committed by individuals internal to the organization (employees, contractors, third parties). The Insider Threat report is an interesting read and has plenty of detail. What will be the impact on an organization if the mainframe platform is compromised?
When this happens (yes, because it’s a matter of when and not if), blame culture kicks in. The organization blames the outsourcer because they were supposed to be responsible for the security of the mainframe. The outsourcer responds by saying that they were only responsible for maintaining the security they inherited when the platform was outsourced; any improvements were to be agreed outside the scope of the outsourcing agreement.
And what about the clients of the organization? Yes, those individuals or businesses affected by the security breach? Who will they blame? Should it be the outsourcer, with whom the client has had no interaction and of whose involvement they knew nothing? Or should it be the organization, the entity they’ve entrusted with their private data and their business?
Ultimately the situation will involve law enforcement, regulators, lawyers, courts of law, and…the media. Yes, the “evil” media who will publish news emphasizing the breach, the number of individuals and businesses affected, the financial impact for them, and how this will affect the profits of the organization.
The organization will be fined, and will be associated with a security breach, a financial loss, and a negative impact on many lives. Its name will have an adjective next to it: irresponsible.
There are countless examples of organizations that have been affected this way. Every day a new name comes into the spotlight. So, let me ask you a question: If you’re thinking of outsourcing, how carefully have you looked into whether and how you would outsource your mainframe security, and what would be the consequences?