At a recent European IT Procurement Conference, Chris Argent was part of a panel discussion that explored how technology changes require sourcing processes to be adapted. In particular, the shift towards digitalisation (in customer service and operational delivery) has introduced increased risks for business and customer data.
In our view, there are three key steps the procurement and IT functions can take in order to manage these data risks.
1) Organisations should seek vendors that excel and innovate in the control and security of customer services and data. However, data security is a collective responsibility that includes vendors, so it is imperative that, within the organisation, security is embedded in the design of information systems. Our insight discusses the ‘Secure by design approach’ in further detail.
2) It is essential that the IT procurement team addresses data security as part of the sourcing programme. Some of the specific contract terms should ensure:
- You maintain control of your business and customer data and where it is stored. Know where your data is processed and stored, and that you can access it under any circumstances.
- Every element of the vendor supply chain is subject to your approval. This applies, for example, if a vendor subcontracts cloud storage to a new supplier.
- You have rights to audit any aspect of the service, to ensure the vendor is compliant and continually prepared against the latest threats.
- Focus on security and data protection technology innovation. Ensure that technical controls and policies are under constant development to stay ahead of the latest threats, and that they are tested frequently.
- Alignment with the latest industry and EU regulatory practice. Regulation of the digital world is in continuous development.
3) Finally, it is critically important to carry out due diligence after the negotiations have taken place and before agreeing the contract. This is to assure that the vendor has the relevant experience to meet the terms they have agreed to in the contract.
A rigorous sourcing process that follows these three steps will manage the data security risk and enable the organisation to embrace the opportunities presented by innovation and digitalisation.