IT Security: Whose Job Is It Anyway?


JPMorgan Chase announced yesterday that the customer information of 76 million households may have been compromised. The personal data, which was under its care, was stolen in a hacking attack.

Currently, the bank is undergoing the blame game. Who is at fault? The risk guys? The compliance guys? Procurement?

The disclosure followed a long-running intrusion. It was discovered in July, but criminals had been accessing the names and contact details of households and of more than six million businesses since June. In total, they broke into 90 servers.

JPMorgan had announced earlier in the year its intention to spend $250m a year on cybersecurity, with a staff of over 1,000 specialising in defending against attacks. Clearly, even this has proved insufficient against the increasingly sophisticated threats posed by modern hackers.

Although this was an internal breach, it highlights the vulnerabilities of the supply chain and, therefore, of businesses everywhere.

Sally Beauty, one of the world’s largest retailers, announced earlier this year that its supplier’s IT network was hacked into, resulting in the theft of payment data for 250,000 customers. Meanwhile, research by Trustwave found that 63% of data breaches were caused by poorly designed outsourcing arrangements.

This may be attributable to organisations' (and ultimately buyers') over-reliance on contracts as a risk mitigation tool. Procurement Leaders has found repeatedly, in our own research and conversations, that procurement sees contracts as sufficient protection against unexpected events.

"We have devolved the responsibility for delivery," runs the thought, "and therefore we no longer have responsibility to ensure data security."

As tempting as such a thought may be (it certainly lowers costs), prosecutors do not quite see it the same way.

In the eyes of the law, and of the general public, there is no fiduciary difference between the organisation and its suppliers when it comes to protecting the data that has been provided in good faith.

As such, procurement must tighten up its defensive mechanisms to counter an increasing threat.

This starts by moving beyond contractual obligation as the panacea for risk management. Security arrangements need to be mandated, monitored and regularly tested. They range from basic measures, such as password policies and encryption, to more demanding requirements, such as physical security arrangements and the control of staff interaction.

The latter of these requires a close working relationship with the supplier, but some level of collaboration is necessary when both parties are custodians of personal data. All of these factors must be overseen directly by the buying organisation and routinely tested.

Undoubtedly, this will be expensive, and it will eat into the margin generated by the savings. But surely it won't be as expensive as a massive data breach. JPMorgan's share price has dropped by nearly a whole point since the revelation.

As such, it is an opportunity for procurement to demonstrate leadership in an area that is closely aligned with organisational success. Perhaps it's time for buyers to put their hands up?

As part of #Proctechweek by Procurement Leaders, for more information on technology within procurement, please download our Supporting categories with technology report (for our Procurement Strategy members) and the Enterprise Software report (for our Category Intelligence members).

Subscribers can access:

An analysis of some of the routes businesses are taking to tackle supply chain security.

An interview with Cisco's chief of value chain security.

Responses from our community on how to approach the security question.

Posted by Jonathan Webb
