For many companies in the hospitality space running smaller operations, having a full-time IT person on staff may not be an option. Other companies may have an IT manager on staff, but outsource the cybersecurity responsibilities to a company that specifically focuses on the increasing dangers of cyber threats. There can be multiple reasons why a company would decide to outsource cybersecurity; therefore, companies must know how to find the company that is the right fit for their organization.
First, hospitality businesses need to look at what functions they want to outsource. Typically, mechanical processes such as security monitoring are the easiest to outsource. Each company needs to assess its capabilities and determine which processes are the best to outsource. According to EY’s 19th Global Information Security Survey 2016-17, which interviewed 1,735 global executives and information security managers, 41 percent of respondents outsourced security monitoring. Companies in the survey also outsourced company-specific security activities (56 percent), vulnerability assessments (52 percent), development of their information security management systems (33 percent), IT security help desk (21 percent), and self-phishing exercises (21 percent) (Meek, 2017).
Rather than fully outsourcing a function, companies can also look at co-sourcing. This type of arrangement is often used in clubs, restaurants and spas, where it often is not feasible to have a full-time IT person on staff. In co-sourcing, “contractors work at least part-time on-site so they can collaborate seamlessly with in-house staff” (Meek, 2017). In this type of arrangement, the contracted cybersecurity professional can gain pertinent information from staff members while onsite to help develop the best programs for the organization. This arrangement also tends to build synergy and trust between the two groups.
Once the organization has determined the functions to outsource and the type of outsourcing, it is time to select the correct contractor. Since the contracting company will be dealing with securing the organization's systems, it must be fully reviewed before being hired. Club managers should talk to other clubs and receive recommendations. The same goes for spas, restaurants and hotels. One of the best ways to investigate possible vendors is through fellow members in trade associations, such as HFTP. HFTP creates multiple networking opportunities for members both online and offline, enabling them to share experiences on various vendors. Make sure to interview the customers of these companies and do not be afraid to ask the difficult questions. Other methods used to evaluate vendors include certifications, self-assessments, audits, site visits, questionnaires and testing (Meek, 2017).
Once the vendor review process is complete, it is time to negotiate contract terms. The following are a few items that should be considered when designing the contract. First of all, organizations will be tempted to ask for guarantees that their systems will not be compromised. Unfortunately, there is no way for the contracting cybersecurity company to make this guarantee. Instead, focus on the procedures to follow if there is a breach, which leads us to the next point. Clients should ask their contractor to alert them within a specific time frame after discovering a serious incident, but need to avoid asking contractors to resolve an incident within a certain number of hours (Meek, 2017). Another important item, when working with a new cybersecurity contractor, is to set a short time frame for the contract, somewhere between six and 18 months. This will allow the company to determine if the contractor is the right fit before getting locked into a long-term contract (Meek, 2017).
As mentioned earlier, HFTP members are provided many resources to assist in finding contractors, consultants and vendors as part of their membership benefits.
- HFTP Consultant Directory
- HITEC Buyer’s Guide
- Community@HFTP Online Discussion Forum
- Conferences and Events
- GDPR Resources
- Meek, T. (2017). Outsourcing cybersecurity: when and how to bring in contractors. Retrieved October 1, 2017 from https://www.forbes.com/sites/eycybersecurity/2017/03/27/outsourcing-cybersecurity-when-and-how-to-bring-in-contractors/#6ae9d656ca15.
Tanya Venegas, MBA, MHM, CHIA is director of customer success at HotStats based in Houston, Texas USA. Tanya served as executive director at the HFTP Americas Research Center at the Conrad N. Hilton College of Hotel and Restaurant Management at the University of Houston for more than 15 years.