We’ve had a few customers come to us with horror stories about grey-line responsibility division with their previous supplier – where neither party has been sure who is responsible for what. So I thought a quick blog might help raise awareness of this issue.
It’s good to talk
Depending on the service, there might be some things you as a customer want to retain control of, or you might want to wash your hands of the whole lot in exchange for a bit more OpEx. No matter which option you choose, clearly setting boundaries of who is responsible for what is vital to creating and maintaining a good working relationship and, more importantly, a good service. At ServerChoice we’ve always been of the opinion that a relationship between a customer and a service provider should be a two-way street, and it’s particularly important where high-security and PCI-compliant services are concerned.
Not my problem...
Unfortunately, problems with who-does-what often won’t become apparent until something goes wrong. You might not be too fussed about the nitty-gritty when everything’s running smoothly, but what about when a fault occurs? Precious time that could be used to get your service back on its feet gets wasted on pointless back-and-forth finger-pointing, both over blame and over whose job it is to actually get fixing.
You can’t always rely on the contract, either. Language can be vague, assumptions get made (on both sides), and you’ll find that the black-and-white division between ‘infrastructure’ and ‘management’ suddenly becomes a hundred shades of grey, especially when dealing with the complex minutiae of technical issues.
The key to compliance
Definition of responsibility is vital for maintaining good security and, in particular, compliance: notably for standards such as PCI DSS. Very clearly defining who does what is the only way to ensure that all systems, processes and policies are defined and understood in enough detail to be made secure. In fact, it’s something that the PCI standard mandates.
In short, when choosing a service provider it’s always a good idea to make sure they’re clear on who’s responsible for what. If they’re keen on outlining the division of responsibility, it’s a good sign that they take themselves and their business (and your business!) seriously. When it comes to high-security services, in particular PCI DSS, it goes beyond ‘a good idea’ and becomes ‘a vital component’.