Yesterday we shared some background observations on the most-wanted, state-secret-stealing fugitive, Edward Snowden, and why his actions – along with similar though less dramatic cases, such as the recent scandal involving McKinsey and Company – will shine the corporate spotlight on contractor and service provider compliance like never before. We’ll continue this analysis today, sharing thoughts from one of our team members, Pierre Mitchell, on some best practice elements he’s observed in his work with large services providers over the years.
“I won't comment on this case [Edward Snowden], but as a practical matter though, one services firm has a very robust process for vetting contractors in their "contractor exchange" that tailors the contractor due diligence and permissioning to grant differing levels of access of the contractors to physical assets and different firm IP, including customer systems and IP. This included client-specific requirements too – very similar to supply risk techniques for critical components affecting key products. This is classic supplier management stuff to peg workflow back to hard requirement from a customer, a regulation, or a "smart regulation" that is hopefully designed thoughtfully and reviewed periodically.”
The firm to which Pierre refers is no doubt ahead of the contractor, consultancy and BPO curve. And no doubt it’s had a competitive advantage in helping the organization with business. But the broader question in this case is this: How much responsibility should firms have for processes versus internal procurement and HR organizations – not to mention managed services providers (MSPs)? Moreover, it raises a key potential value proposition for non-vendor neutral MSPs that can prove their own staff have gone through a rigorous screen and are already mapped internally on a systems-basis based on specific client, industry, functional and security specific application levels. Such a model would be like a living, breathing “security” clearance for potential contingent workers or teams a provider might bring in to staff an assignment.