According to the 2013 Trustwave Global Security Report, based on 450 global data breach investigations, two thirds of breaches were linked to third-party IT system components.
There are a variety of considerations with regard to IT and security management decisions. Generally, the person responsible for IT security within an organisation is not involved at the point of making purchasing decisions.
Organisations need to ensure that their preferred supplier will treat security at the same high priority level as they do; it should not be taken for granted that the preferred supplier will do so.
Also, purchasing decisions focus heavily on cost and SLAs; security also needs to be a consideration.
Organisations would truly benefit from having the person responsible for IT security included within the purchasing process. This would at least ensure that some measure of security appropriate to the needs of the organisation is encompassed within the proposed solution.
The Trustwave report recommends that smaller organisations should look for third-party verification that their chosen service providers are trustworthy and knowledgeable about security measures.