Every day, the IT industry serves leaders in mature professions, most of which must abide by ethical codes of conduct set and enforced by their professional governing bodies. Lawyers answer to their Bar Association, physicians and surgeons to their Colleges, engineers and surveyors to their Boards, Certified Professional Accountants to oversight councils, and so on.
In contrast, the Information Technology industry is dangerously immature. There is no central body checking qualifications, enforcing standards of conduct, or disciplining bad actors. IT professionals talk about “best practices,” but with no authority to define or enforce them, that is merely an expression of opinion.
Unfortunately, stories abound in my industry of IT professionals who have willfully stolen company data, exposed confidential material, crippled business operations, held access to data and systems hostage, read confidential HR information, hosted illegal file-sharing servers and committed financial fraud, not to mention the incalculable business losses incurred through mere negligence or ignorance. Regardless, the companies and individuals responsible do not lose the right to continue peddling their IT services.
IT support has unfettered access to all of your most sensitive data: intellectual property, legal documents, HR files, financial applications, executive email, and so on. Whoever administers your systems can read, copy or alter any of it, regardless of the file and mailbox permissions set for ordinary users. It is astonishing that businesses carefully secure and segregate files and mailboxes from their own trusted 10-year employees, yet hand the keys to the kingdom to a kid with marginal professional experience and history, or to an IT company found on the internet.
What can be done?
At a minimum, ensure that your IT provider has undergone criminal record checks and carries sufficient errors and omissions insurance. Furthermore, check your provider’s status with organizations that uphold standards of business conduct, such as the Better Business Bureau, your local Chamber of Commerce and the Trust-X Alliance of IT providers. Be aware, however, that these groups do not actually examine your IT provider’s internal processes and controls. Fortunately, our friends in the accounting industry have stepped in to fill this embarrassing void.
SOC 2 reporting is based on five trust services principles (the AICPA now calls them the Trust Services Criteria):
- Security of the organization’s systems
- Availability of the organization’s systems
- Processing integrity of the organization’s systems
- Confidentiality of the information that the organization processes or maintains
- Privacy of personal information that the organization collects
Security is the only mandatory principle; the other four are included in a report only if the provider chooses to have them examined, so read the report’s scope to see which were actually covered.
Of note, there are two levels, or types, of reporting. A Type 1 report reviews whether the service organization’s controls are suitably designed as of a single point in time. A Type 2 report goes deeper, testing whether those controls actually operated effectively over a review period (typically six to twelve months). When a provider says it is “SOC 2 compliant,” ask for the report itself and check which type it is, which principles were in scope and what period it covers.
Some in the IT industry feel such reporting is only necessary for data centres and software-as-a-service providers. This is a mistake. Investors, boards of directors and customers are starting to demand that their IT providers also undergo annual SOC 2 reporting, and we expect cyber risk insurance and public listing requirements will eventually push others in this direction as well.
And that is a very good thing. It’s well past time our industry grew up.
Director of Client Relations, Managing Partner