F12 Blog

Why I am embarrassed that the IT industry has no oversight body.

Every day, the IT industry serves remarkable leaders in mature professions, many of which must abide by ethical codes of conduct set and enforced by their professional governing bodies. Lawyers answer to their Bar Association, Physicians and Surgeons to their Colleges, Engineers and Surveyors to their Boards, Chartered Professional Accountants to their oversight councils, and so on.

In contrast, the Information Technology industry is dangerously immature. There is no central body checking qualifications, enforcing standards of conduct, or disciplining bad actors. IT professionals talk about “best practices,” but with no body to define or enforce them, a best practice is whatever the person speaking says it is.

Unfortunately, stories abound in my industry of IT professionals who have willfully stolen company data, exposed confidential material, crippled business operations, held access to data and systems hostage, read confidential HR information, hosted illegal file sharing servers and committed financial fraud, not to mention the incalculable business losses incurred through mere negligence or ignorance. Even so, the companies and individuals responsible do not lose the right to continue peddling their IT services.

IT support has unfettered access to all of your most sensitive data: intellectual property, legal documents, HR files, financial applications, executive email, etc. Administrative access sits above the file and mailbox permissions that constrain everyone else, so those permissions offer no protection against the administrator. It is astonishing that businesses carefully secure and segregate files and mailboxes from their own trusted 10-year employees, yet hand the keys to the kingdom to a kid with marginal professional experience and history, or to an IT company found on the internet.

What can be done?

At a minimum, ensure that your IT provider has undergone criminal record checks and carries sufficient errors and omissions insurance. Furthermore, check your provider’s standing with organizations that uphold standards of business conduct, such as the Better Business Bureau, your local Chamber of Commerce and the Trust-X Alliance of IT providers. Be aware, however, that these groups vet business conduct and reputation; none of them actually examines your IT provider’s internal processes and controls. Fortunately, our friends in the Accounting Industry have stepped in to fill this embarrassing void.

The American Institute of Certified Public Accountants (AICPA) has developed SOC 2 reporting, an independent attestation by a licensed CPA firm, tailored to IT managed services, data centres, cloud computing and other technology businesses that handle customer data.

SOC 2 reporting is based on five trust services criteria (the AICPA now uses “criteria” rather than “principles”). Security is always in scope; the service organization chooses which of the remaining four its report also covers, so read the scope section before relying on a report:

  1. Confidentiality of the information that the organization processes or maintains
  2. Privacy of personal information that the organization collects
  3. Security of the organization’s systems
  4. Availability of the organization’s systems
  5. Processing integrity of the organization’s systems

Of note, there are two types of report. A Type 1 report covers whether the service organization’s controls are suitably designed and in place as of a single date. A Type 2 report goes deeper: the auditor tests whether those controls actually operated effectively over a review period, typically six to twelve months, and lists any exceptions found. When a provider hands you a report, check the type, the period covered, the systems in scope and the auditor’s opinion, not just the fact that a report exists.

Some in the IT industry feel such reporting is only necessary for data centres and software-as-a-service providers. This is a mistake. Investors, boards of directors and customers are starting to demand that their IT providers also undergo annual SOC 2 reporting. We expect cyber risk insurance and public listing requirements will eventually push others in this direction as well.

And that is a very good thing. It’s well past time our industry grew up.

Devon Gillard
F12.net, Inc.
Director of Client Relations, Managing Partner
