Information Security

The most probable thing you & your vendor never discussed

Security of Information. Information Security.


It is not surprising that in every outsourcing discussion a handful of things always get talked about, because they are considered the key elements of success: communication, pricing, work hours, deliverables, timeline, holidays, culture and others, in decreasing order of priority. Each of these plays a vital role in the process, and you get that emphatic ‘Yeshh!’ feeling once you have weighed all of them. There is one more factor that needs to be factored in as well: Information Security.

I know you must be silently feeling happy and clenching your fists with that Yeshh! feeling if you touched upon this topic in your discussions. And you should be. After all, Information Security services continue to grow, dramatically yet quietly. It is not just about your data being handled securely by the IT services vendor you employed; it is also about your customers refusing to use your software product if it does not assure them of data security. Think of the financial reminder app you are planning to create for your target market. If the app does not inspire confidence in its data security, not too many takers would even save their account numbers in it. This might be a lame example, but what I am trying to hint at is: unless your app keeps my data secure, I ain’t gonna buy it even for free! Period.

The Guardian (UK) recently reported that half of the respondents to a Clearswift survey were concerned that social media channels could pose significant risks to their IT security. In addition, the UK government has identified information security as a key priority for the current year, 2013.

Information security does not just mean data breaches or unidentified and fraudulent access to your confidential and proprietary data. Accidental data loss is perceived to be the biggest information security risk globally. In the event of a data leak, the greatest worry is reputational damage to the organisation (31%), followed by financial consequences (20%), with policy or compliance issues coming third (18%), as per the survey.

Jon Oltsik, a Principal Analyst at NetworkWorld, recently shared his estimate that about $0.60 to $0.70 of every security dollar is spent on either endpoint or network security. While vendors scramble to establish positions or defend customer bases, users benefit from a much-needed wave of information security innovation and architectural integration.

Yup, there are plenty of reasons like these why organizations worldwide are consuming more and more security services.


So what should businesses do when it comes to implementing information security strategies? What should they do when they are dealing with outsourcing partners?

It is clear that an information security lapse can be harmful, if not disastrous, to a company’s reputation, and can bring financial losses as well. Hence, promoting training and awareness within the organisation is clearly one way of dealing with it.

The next step would be to adhere to a set of globally benchmarked policies that help you avoid information security risks. An information security management system (ISMS) is a set of policies concerned with information security management or IT-related risks. The term arose primarily out of ISO 27001. The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

The step after that would be to hire a custom software development services vendor who is ISO 27001 certified. If your vendor does not hold an ISO 27001 Information Security Management System certification, you will mostly get evasive answers to your queries on information security. Go ahead and ask your vendor the following questions, as suggested by Bill Mathews of Hurricane Labs:

  • What secure development lifecycle (SDL) do you use?
  • What type of regression testing do you employ with bug fixes?
  • What type of security training do you provide to your developers?
  • What sort of logs will this application generate?
  • How will the application handle authentication?
  • How will the web application handle credit card payments?
  • Has an application you’ve written ever been “hacked” or breached?
  • Can you tell me 5 good reasons why this application will never be hacked?

By this time, you will realize that you cannot risk your product and your data with someone who is not ISMS certified. Go ahead and talk to someone who is ISO 27001:2005 certified.

What do you think? Do you agree that information security should be cared for?

Author – Subhendu Pattnaik