Tuesday, April 10, 2012

Business IT vs IT Supplier Fun#1 - who should set security expectations?

IT Demand vs IT Supply

Business IT bloke: Security? I thought you, as our IT Supplier, were supposed to provide all these security protections by default. I paid you guys lots of money!
IT Supplier chap: Security? We only provide the basic ones. That project manager of yours didn't tell us he wanted more. Furthermore, it's not in the SLA. So, we are not obliged to do so.
Information Security lad:  <*smirking....and having fun inside*>

Deja vu, right? I'm sure many of you, as a CISO, Information Security Manager, Consultant or Professional, have had the luxury of witnessing this kind of argument within your organization, especially when you work for a conglomerate that has adopted the IT Demand and IT Supply model (yeah... McKinsey's stuff).

Now, as a seasoned Information Security Professional, what would be your advice? What would be the best practice (don't we infosec guys all like to quote best practice?)

Information Security lad: Business IT should clearly specify all the requirements, information security included, to the IT Supplier and insist that all these requirements are written into the SLA.
IT Supplier chap: See.. I told you so....
Information Security lad: Don't fly to the moon yet. That doesn't mean you, as an IT Supplier, shouldn't do the due diligence to advise your customer accordingly.

Hence, the best practice (ITIL) in a nutshell:
Business IT: Should clearly specify the requirements, security requirements included, and get them written into the SLA.
IT Supplier: Should do the due diligence to advise the Business accordingly, rather than silently delivering only the basics.

Ain't security fun? ;)
