As in most of life, with outsourcing you get what you pay for. If you want your outsourced cloud to offer as good or better security than your own data center, you better be willing to write the check.

“You get what you pay for,” says Andy Ellis, chief security officer with Akamai Technologies. “If you move it to somewhere that’s a lower cost, there’s a reason it’s lower cost. Sometimes it’s because you aren’t getting as skilled personnel.”

Ellis was one of a number of people interviewed by NPR at the RSA security conference in San Francisco this week. The report about outsourcing concerns aired Wednesday on All Things Considered. It’s worth a listen.

We need to pay more attention to outsourcing and security, Chris Coleman, a security analyst with Lookingglass Cyber Solutions, told NPR.

Coleman told NPR he audited about 20 subcontractors typically hired by large financial institutions. NPR described what he found as “something startling” and used this quote:

“A hundred percent of third parties showed signs of compromise or indicators of threats,” Coleman says.

NPR seemed surprised by the finding, but Coleman wasn’t. Neither am I.

Ronald Reagan had the right idea about dealing with security issues and third parties. No matter what agreements you sign with vendors, Reagan’s use of a Russian proverb still makes sense: “Trust but verify.”

Who should that apply to? Sadly, everyone you do business with, because you can never tell where a weak link will be discovered and then used by criminals.

Trust no one?

 .

Target, which reported fourth-quarter earnings on Wednesday, has learned (I hope) not to trust the security its vendors provide for their own systems.

Why, after all, would an air conditioning company need big corporate security? Because the company ended up providing the pathway to Target’s network that compromised personal or payment information for as many as 110 million people.

That the data breach has been a nightmare is a considerable understatement. So far, the breach has cost the Target a reported $100 million. It also played a large part in a 46 percent drop in fourth-quarter earnings, thanks to frightened customers spending holiday dollars in other stores. That’s a $400 million drop in earnings that really adds injury to the criminal insult.

Trying to make that sort of loss work with the indemnity clauses commonly included in vendor contracts. Who could possibly indemnify Target against such a loss? And even if the vendor could offer indemnity, the non-dollar cost of the breach, if only to Target’s reputation, is hard to calculate.

While insurance has already paid $44 million, Target faces at least 80 lawsuits from individuals and card issuers. The company still faces federal and state investigations.

• Check for yourself

All because of an air conditioning company whose link to Target provided access for the criminals.

Do you think anyone at Target ever considered this possibility? Have you considered it for your business?

Outsourcing shouldn’t open your cloud or network to criminals, but the threat is very real and you’ve been warned.

photo credit: Marco Bellucci via photopin cc