I have recently been traveling in Europe, particularly the Nordics, where I have been meeting with customers. The number one topic of discussion at the moment is legislation and how to ensure compliance with some new regulations. The interesting aspect of this debate is the use of outsourcers - let me explain.
There is no question that outsourcing parts of your IT estate can bring great value to the business. Not only in cost savings, but because outsourcing areas to an expert can leave the internal IT department to focus on the areas where they can add the most value to the business and reduce some expense at the same time.
In the last few years the business of outsourcing, like the rest of IT, has become more complex. In the beginning, it was commonplace to outsource the network, the infrastructure, the desktop, etc. to one vendor - with the assumption that they would take on the responsibility for security. It soon became clear that this assumption was wrong, and that the client needed to maintain control and retain responsibility for the security of what they were consuming as a service.
But fast forward a few years, and the business of outsourcing is more complex still - clients are spoilt for choice, with many vendors vying for their business in multiple areas. Today it is commonplace to find a customer who has outsourced their network to one vendor, their infrastructure to another, and their applications to a separate development company. Globalization, and the opportunities it brings such as using resources from India or China, has made this issue even more complex. If it was difficult to ensure the right security controls were in place for one outsourcing company, how do you begin to approach it with multiple global vendors?
The simple fact is that you can't outsource responsibility. Take for example an outsourcing company that may have highly privileged users who are not based in the EU. How do you ensure that you, as a business, are adhering to the European Data Protection Act? How do you ensure that these privileged users are only touching the relevant customer platforms, and how does the outsourcer provide reports to demonstrate this?
The fact is that as a business you will need to enforce solutions which ensure that, regardless of your outsourcer, you fulfill all regulatory and compliance duties. This means that you enforce separation of duties for privileged users and have fully compliant access controls in place. You cannot leave that to your outsourcer - they may not be subject to the same EU legislation that you are. It is your responsibility to ensure that risks are quantified or mitigated as you move your business forward.
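To make the two controls above concrete - privileged users restricted to their assigned customer platforms, and separation of duties enforced across several outsourcers - here is an added example of the kind of access review a client can run over its own entitlement register and the activity evidence it asks each outsourcer to supply. This is illustrative code written for this post, not a product or a customer's implementation; the entitlement register, the platform and region names, the role names and the audit events are all constructed, and the specific rules (non-EU privileged users must not be entitled to EU personal-data platforms; the same account must not approve and deploy the same change) are assumptions standing in for whatever your own legal and risk teams define.

```python
"""Added example: a privileged-access review across multiple outsourcers.

All entitlements, platforms, regions, roles and audit events below are constructed
sample data, not taken from any real outsourcer or customer.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    account: str
    outsourcer: str
    region: str            # where the privileged user is based (assumed label, e.g. "EU", "IN")
    platforms: frozenset   # customer platforms this account is assigned to
    roles: frozenset       # e.g. {"change_approver"} or {"change_deployer"}


@dataclass(frozen=True)
class Event:
    account: str
    platform: str
    action: str            # "login", "approve_change" or "deploy_change"
    change_id: str = ""


# Assumed classification: platforms that hold EU personal data.
EU_DATA_PLATFORMS = {"crm-prod", "hr-prod"}
EU_REGIONS = {"EU"}

# Assumed separation-of-duties rule: these two roles must not meet in one account
# or be exercised by one account on the same change.
SOD_PAIRS = [("change_approver", "change_deployer")]


def review_access(events, entitlements):
    """Return findings keyed by finding type; each finding names the outsourcer first."""
    by_account = {e.account: e for e in entitlements}
    findings = defaultdict(list)

    for e in entitlements:
        # Static check 1: one account holding both sides of an SoD pair.
        for a, b in SOD_PAIRS:
            if a in e.roles and b in e.roles:
                findings["sod_role_conflict"].append((e.outsourcer, e.account))
        # Static check 2: non-EU privileged user entitled to an EU personal-data platform.
        if e.region not in EU_REGIONS:
            for p in sorted(e.platforms & EU_DATA_PLATFORMS):
                findings["non_eu_privileged_on_eu_data"].append((e.outsourcer, e.account, p))

    approvals = {}  # change_id -> approving account
    for ev in events:
        ent = by_account.get(ev.account)
        if ent is None:
            # Activity from an account that is not in the register at all.
            findings["unknown_account"].append((ev.account, ev.platform))
            continue
        # Log check: access to a platform outside the account's assignment.
        if ev.platform not in ent.platforms:
            findings["out_of_scope_access"].append((ent.outsourcer, ev.account, ev.platform))
        # Dynamic SoD check: the same account approving and deploying one change.
        if ev.action == "approve_change":
            approvals[ev.change_id] = ev.account
        elif ev.action == "deploy_change" and approvals.get(ev.change_id) == ev.account:
            findings["sod_same_actor"].append((ent.outsourcer, ev.account, ev.change_id))
    return dict(findings)


def report_by_outsourcer(findings):
    """Count findings per outsourcer: the evidence you would hand back to each vendor."""
    counts = defaultdict(int)
    for kind, items in findings.items():
        if kind == "unknown_account":
            continue  # no outsourcer to attribute these to
        for item in items:
            counts[item[0]] += 1
    return dict(counts)


# Constructed register: three outsourcers, one privileged account each.
ENTITLEMENTS = [
    Entitlement("alice@netco", "NetCo", "EU", frozenset({"crm-prod"}), frozenset({"change_approver"})),
    Entitlement("bob@infraco", "InfraCo", "IN", frozenset({"hr-prod", "web-prod"}), frozenset({"change_deployer"})),
    Entitlement("carol@devco", "DevCo", "EU", frozenset({"web-prod"}), frozenset({"change_approver", "change_deployer"})),
]

# Constructed activity evidence as an outsourcer might report it.
EVENTS = [
    Event("alice@netco", "crm-prod", "login"),
    Event("bob@infraco", "crm-prod", "login"),                   # not in bob's assignment
    Event("carol@devco", "web-prod", "approve_change", "CHG-1"),
    Event("carol@devco", "web-prod", "deploy_change", "CHG-1"),  # approver deploys own change
    Event("mallory", "hr-prod", "login"),                        # not in the register
]

if __name__ == "__main__":
    found = review_access(EVENTS, ENTITLEMENTS)
    for kind, items in found.items():
        print(kind, items)
    print("per outsourcer:", report_by_outsourcer(found))
```

Run against the sample data this flags InfraCo twice (a non-EU privileged account entitled to an EU personal-data platform, and a login outside its assignment) and DevCo twice (an account holding both SoD roles, and that account approving and deploying the same change); the unknown account is reported separately because no vendor can be held to it. The point is that the client owns the register and the rules, and the outsourcer only supplies the evidence.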
All this may only be top of mind for companies in the Nordics right now because of legislation, but it should be common practice for all!