Chapter 02
A secure connection
The BPO industry has evolved significantly in recent years, moving from delivering traditional contact center services to providing an end-to-end customer experience. This change demands a similarly evolved approach to information and system protection.
Even with the right references and security rating, an organization still needs to provide evidence of security by design: its people, processes, and choices of tools and technologies should be working together to proactively increase protection, remove inherent risk and minimize residual risk.
What is security by design?
A partner that is dedicated to security by design makes strategic decisions that aim to maintain and at best further reduce its existing risk profile (and in doing so, improve security posture). It will have ensured that it can deliver any combination of CX services and solutions specific to any individual organization across any combination of territories, without any shortfall in system and information security.
This delivery level is only possible when security measures are integral to the design and development of a process, system, tool or application and, by extension, an organization’s approach to using them. When security and risk mitigation aren’t central aspects of business operations, it’s impossible to develop and maintain a robust, end-to-end approach to information and system security.
Organizations that subscribe to the philosophy make security a key consideration for each new commercial engagement. They should actively identify potential weaknesses and vulnerabilities that already exist or that could come to fruition throughout the lifecycle of a new business relationship and, in partnership with that business, implement security controls and measures to mitigate those risks.
Reach and resources
This best practice approach can be evidenced in hardware and software choices, in the detail of incident response plans and in measures taken to protect and segregate a network or the systems in place for controlling access and authenticating individuals. However, one of the clearest indicators of security being front and center can be found in human resources.
As a discipline, information and system security may have been born within IT, but today, it’s impossible to claim security is an IT issue, or that protection can be provided exclusively via digital means. Cybersecurity is about managing people, processes and technology. Those in charge of security need direct access to and authority over any risk owner at any position within the business. They need independence to act for the greater good of the organization without fear of conflict of interest, and need the reach, recognition and respect to drive potentially organization-wide change management initiatives.
As such, to deliver against your customers’ expectations while actively complying with all relevant security frameworks, a potential partner must have a dedicated overarching security organization that is in addition to, not a part of, the IT department.
Furthermore, that organization needs to demonstrate certified expertise in security assurance, security operations, security engineering, and business information security at both a regional and global level.
An organization with this level of security resources should provide each client with access to a business information security expert from the point of initial inquiry and throughout any partnership. This will not only add an extra level of support and reassurance while facilitating communication, it should also simplify and expedite processes such as contract security and auditing and initiating and reporting on any necessary change management as the business relationship evolves.
Threat intelligence
Alongside the misconception that security is a function of IT, there is a second one: that cybersecurity risks and threats are synonymous. A security risk can be quantified and measured in terms of both probability and potential impact, allowing for a clear course of action with appropriate investment and resource allocation. Conversely, a threat represents any potential occurrence that could negatively impact information or system security and is not actionable until identified and assessed.
An emerging best practice in this regard is establishing a cyber threat intelligence team responsible for proactively researching, identifying and contextualizing digital threats. This includes monitoring dark web activities, profiling potential threat actors, analyzing data from historical breaches, and tracking trends in tools and techniques used to breach or corrupt systems.
Threat intelligence teams help qualify and quantify threats as genuine risks. This allows organizations to shift from a reactive to a proactive security stance and enables a wider understanding of the digital threat landscape. This is because threat intelligence teams typically share their resources and findings with other teams within and beyond their industry. The interconnected nature of modern business increases risk and therefore demands greater cooperation and intelligence sharing.
Ready with the right response
Nevertheless, because a threat can equally be ransomware, an employee with malicious intent, organized crime, spear phishing, a lost or stolen device, a zero-day vulnerability, or a rapid geopolitical or even meteorological change in a particular region or territory, nebulous threats can still have a real-world impact faster than they can be identified or mitigated. This is why no security best practice is complete unless it maintains a “when, not if” mindset and is well drilled in the action to take in the event of a system breach.
This means proof of a clearly defined, documented and rehearsed approach to follow in the event of any type of cyberattack pertinent to the technology the organization uses, the industries in which it operates or the vendors, suppliers or partners in its ecosystem. As well as the steps to take, incident response plans will detail actions by department or individual, identifying issue types and the course of action to take following discovery.
If the potential partner has a global footprint, then look for proof of systems in place for managing regional issues, such as 24/7 access to security incident response leaders across different geographical territories and multilingual support.
Similarly, verify that all incident response plans are living documents that reflect the changing nature of risks, the impacts they could have, and contain new or improved measures based on lessons learned from firsthand experience or from similar incidents at other organizations.
Action list
Verify the organization's commitment to a security-by-design philosophy.
Confirm a dedicated, global security function exists, distinct from and complementary to IT.
Check for accredited security professionals in assurance, operations, engineering and information security.
Investigate the presence of an in-house cyber threat intelligence team.
Assess the robustness and currency of incident response plans.
Ensure regional employees have 24/7 access to a multilingual incident response team.
Request evidence of learning from past security incidents within their industry or partner network.