The Bedel Security Blog

Managing Your Outsourced IT Provider

Written by Stephanie Goetz | May 22, 2020

Many banks need IT expertise, which these days is difficult to attract and expensive to retain in a full-time employee. For many institutions the answer has been an outsourced IT provider; however, many banks struggle to manage that provider well enough to get full value from the relationship. Here are five tips to make sure you are getting the most out of it.

  1. The bank still owns the IT risk.

Some banks fall into the trap of believing that because the execution of their IT program is now the responsibility of a third party, it no longer requires their attention or management. This couldn't be further from the truth! Responsibility for the outcome of the provider's work, including achieving goals, maintaining systems, passing exams, etc., still lies with the bank's management and the board of directors. If bank management cannot answer questions about the processes and controls in the bank's IT environment and their current status, that is a red flag that they may have fallen into this common trap.

How do we manage this relationship and risk? In many ways it is similar to managing a typical full-time employee: it requires a point of contact for the IT provider, some time devoted to getting them up to speed, and ongoing management of their performance.

  2. Monitoring service levels

It is common practice that at the outset of the relationship, requirements are defined, due diligence is performed, and a contract is signed. Those requirements and that contract are effectively the IT provider's job description. If they have not been defined, include them in the next contract renewal, or work with your provider now to begin defining and monitoring them.
</gra_replace>
<gr_replace lines="19" cat="clarify" orig="Similar to a full time employee">
As with a full-time employee, performance against these requirements should be monitored and feedback given based on the outcome. Many banks fail to monitor this performance and take action where it falls short of the requirements. Most IT providers have a defined process for reporting on service levels through a periodic report and/or meeting. Take advantage of these, and if they don't meet your needs, give the feedback needed so that they do. A best practice we commonly see is to include a representative of the provider in the monthly IT Committee, where they can weigh in on projects, discuss pain points and answer questions. They can also deliver monthly reports to keep the bank up to speed on their progress.

Similar to a full time employee, performance to meet these requirements should be monitored, and feedback given based on the outcome.  Many banks fail to monitor this performance and take action to improve performance where it is falling short of the requirements.  Most IT providers have a process defined where they can report on these levels through a periodic report and/or meeting, take advantage of these and if they don’t meet your needs, deliver the needed feedback so it does.  A best practice we commonly see is to include a representative in the monthly IT Committee where they can weigh in on projects, discuss pain points and answer questions.  They can also deliver monthly reports to keep the bank up to speed on their progress. 

  3. Plug them into processes, plans, policies and procedures

Another common mistake we see is not plugging the IT provider into the bank's environment, specifically its processes, plans, policies and procedures. IT is an enterprise-wide concern; it is how the bank's services are delivered and how the work gets done, and because of this, living with a failing system can literally become a disaster. In that light, why would it best suit the bank to let this important concern live in a silo? Why would it suit the bank's interest to let an outside company dictate its requirements? This ends with the tail wagging the dog, as the IT provider is left doing the best they can with little to no direction.

Most IT providers dedicate time and effort to onboarding their services in the bank's environment. Take advantage of that time to introduce them to the processes, plans, policies and procedures that they will perform, or need to know about, to work best in the bank's environment. They may not always be able to plug in effortlessly; some compromise or flexibility on one side or the other may be needed to make it work, but that is better than it not working at all.

Also, do not forget to prepare for the worst and make sure that they are included in your incident response and business continuity plans.  Include them in exercises as well to prepare for how the team will work together in those situations.

  4. The need to meet or exceed the bank's security controls

Speaking of plugging into the bank's environment, all of the above points apply to the IT provider's relationship to the security program. The IT provider's role in the security program is often overlooked and, when it is not, is often a point of confusion. Points 1 through 3 above apply both to their handling of the bank's data and to their maintenance of the level of security in the IT environment. The controls the IT provider maintains in its own environment, and its ability to maintain the bank's controls, should meet or exceed the bank's requirements.

  5. Relationship with the CISO

The IT provider and the CISO need to work closely together, as their level of cooperation can make or break the success of the security program. The CISO is responsible for managing the security program and its associated risks, while the IT provider is responsible for implementing and maintaining that program in the bank's systems. This requires communication, cooperation and commitment on both ends.

However, the IT provider should not play the role of CISO, nor should the CISO play the role of the IT provider; there must be independence between these two roles. This is stated multiple times in FFIEC guidance (Information Security Booklet section I.B and IT Booklet section I.A.2c). Plus, I've lived this personally in my career and found the same: lack of independence does not support the foundation for a successful security program. Setting the stage and tone for success begins with bank management and the board of directors, who own the program and the responsibility for the risk.


I hope that these lessons, which come both from best practice and from the school of hard knocks, help set you on the path to maximizing the relationship with your IT provider. If you have more questions or need help with your security or vendor management program, we would love to help you! Email us at support@bedelsecurity.com.


Additional Resources:

Assessing Risk: Outsourced Service Providers
https://www.bedelsecurity.com/blog/assessing-risk-outsourced-service-providers

The Simple Vendor Management Program Quick Reference Guide
https://www.bedelsecurity.com/lp-simple-vendor-management-program-quick-reference-guide

Assessing Risk: Email with Business Partners
https://www.bedelsecurity.com/blog/assessing-risk-using-email-with-business-partners

Controlling Sensitive Files Outside Your Institution
https://www.bedelsecurity.com/blog/controlling-sensitive-files-outside-your-institution

Surviving The Post Pandemic Landscape: 12 Technologies That Every Community Financial Institution Should Be Thinking About
https://www.bedelsecurity.com/lp-surviving-the-post-pandemic-landscape