Your third-party suppliers are in your Data Centre. Who vetted them?


How Unmanaged Services Procurement Increases Security Risk in Data Centres.

In always-on Data Centre environments, the weakest link in your security posture is rarely your own team. It is the consultancy that just walked through the door with no screening, no governance, and full access to your critical infrastructure.


The access problem is hiding in plain sight.

Data Centres are built for resilience. Redundant power, multi-layered physical security, rigorous change control processes. The engineering discipline behind a Tier III or Tier IV facility (as defined by the Uptime Institute's data centre standards) is formidable (Uptime Institute, 2023). Yet for many CISOs operating in this environment, there is a recurring exposure that sits outside the scope of those controls: the unmanaged procurement of project-based services and specialist consultancies.

Third-party service providers come in across every phase of the Data Centre lifecycle. Fit-out contractors. Mechanical and electrical consultancies. Network infrastructure specialists. Security system integrators. Low-voltage cabling teams. Commissioning engineers. Each one brings people into physical proximity with critical systems. Each one represents a potential breach vector. And in most cases, they arrive through procurement routes that operate entirely outside the security governance frameworks the CISO has built.

That is not a criticism of procurement teams. It reflects the structural reality of how service buying works in complex capital programmes. The problem is the gap. Between the supplier relationship being formed and the first operative walking onto the raised floor, how much security governance has been applied? In most organisations, the honest answer is not enough.


Why does service procurement carry a different risk profile?

Permanent hire recruitment has matured significantly as a governance process. Most Data Centre operators now apply background screening, reference checking and access vetting to the people they employ directly. The same level of rigour rarely extends to the people who come in through the supply chain.

Services procurement is episodic and fast-moving. A fit-out programme accelerates, and a subcontractor brings three additional operatives on site at short notice. A consultancy replaces a named specialist with a colleague from another project. A managed service provider subcontracts a specific capability to a third party you have never heard of. In each case, individuals gain access to sensitive environments through an intermediary relationship that your security function had no direct sight of and no process to intercept.

The threat model includes insider threats from individuals placed by service providers with insufficient screening (NPSA, 2024). It includes social engineering of site personnel by individuals who have built access and familiarity over a project period. It includes the inadvertent introduction of compromised devices into environments where air-gap discipline is essential. And it includes the reputational and regulatory consequences when a breach is traced back to a supplier relationship that should have been governed but was not.

The people who matter most to your security posture are not always the ones you hired. Sometimes they are the ones your suppliers sent in without telling you who they were.


Where the governance gap typically lives.

Most CISOs already know the high-level answer: third-party compromise, in which an attacker gains access to a target's environment not through its hardened perimeter but through the less-protected systems of a supplier, consultant or service provider (NCSC, 2024). But in Data Centre environments, the specifics matter. The governance gaps that create the most exposure tend to cluster in predictable places:

  • Project-based consultancies engaged directly by construction or facilities management functions with no CISO involvement in supplier selection or vetting
  • Subcontractor chains where the primary supplier has passed basic due diligence, but their own supply chain has not been assessed against the same standard
  • Specialist trades engaged on short programme cycles where the pressure to mobilise quickly compresses the time available for screening
  • Managed service providers operating in operational technology or building management system environments, where access to physical control systems is granted as a matter of course
  • Legacy supplier relationships where the original vetting has expired or was never formally structured, but access continues because the relationship predates the current security framework

None of these gaps is unusual. Most Data Centres operating at scale will recognise at least several of them. The issue is not their existence. It is the absence of a systematic process to close them at the point where service procurement decisions are made, rather than after access has already been granted.


The compliance dimension that makes this urgent.

For CISOs in Data Centre environments, third-party governance is not a best practice aspiration. It is increasingly a hard compliance requirement. The regulatory and contractual landscape surrounding Data Centre operations has shifted materially in recent years, and the direction of travel is clear.

ISO 27001 certification requires demonstrable supplier security management (ISO, 2022). NIS2 obligations (NIS2 Directive, 2022) extend security requirements to the supply chain and impose incident reporting timelines that assume the security function has visibility of all access pathways into critical systems. Customer contracts for hyperscale and colocation environments increasingly specify third-party risk management as an audit-ready deliverable rather than a policy commitment.

The CISO who cannot demonstrate that service suppliers operating in their environment have been screened, assessed and governed against a defined security standard is not just carrying operational risk. They are carrying audit risk, regulatory risk and the personal accountability risk that comes with a breach that could have been prevented by a process that was not in place.

Knowing who is in your building is not just good security practice. Under NIS2 and ISO 27001, it is increasingly a condition of continued operation.


What governance-first services procurement looks like in practice.

Closing the governance gap in services procurement does not require rebuilding the entire supply chain relationship model. It requires embedding security governance at the point where supplier decisions are made. That means making compliance screening and security assessment part of the procurement process, not an afterthought applied when access is about to begin.

Services Procurement Outsourcing (SPO), designed for Data Centre environments, brings this structure by operating as the governed intermediary between the organisation and its services supply chain. Rather than each supplier relationship being managed through a different procurement route with variable security governance, SPO creates a consistent framework through which every services supplier is assessed against defined security and compliance criteria before mobilisation.

In practice, this means:

  • Compliance screening applied to every supplier engaged through the framework, including subcontractor chains, before access to the site is confirmed
  • Security governance requirements built into supplier engagement terms, with audit rights and incident reporting obligations that reflect the sensitivity of the environment
  • A consistent vetting standard applied to all individuals working through service suppliers, aligned to the access level and system sensitivity associated with their role
  • Ongoing compliance monitoring across the active supply chain, so that changes in supplier structure or personnel do not create ungoverned access pathways mid-programme
  • Audit-ready documentation of the entire supplier governance process, giving the CISO evidence of due diligence that can be produced in response to customer, regulatory or certification audit requirements


The strategic value beyond risk reduction.

There is a case for SPO that goes beyond the risk argument, though the risk argument alone should be sufficient. Organisations that operate a governed services supply chain are better positioned commercially as well as operationally.

Enterprise customers and hyperscale tenants are conducting more rigorous security due diligence on the facilities they occupy than they were five years ago. The ability to demonstrate that every service supplier operating in your environment has been screened, governed and audited against a defined security standard is a differentiator in a market where security posture increasingly influences site selection and contract renewal decisions.

It also reduces the operational friction that currently exists in many Data Centre environments between security, facilities management and procurement functions. When the governance framework is built into the procurement process rather than retrofitted by security after the fact, you remove the conflict, the delays and the exception handling that characterise the current model in most organisations.

Governed services procurement is not a brake on programme delivery. It is the structure that lets you move faster with confidence, because the security questions are answered before access begins, not after.


Where to start.

For CISOs who recognise the exposure but are uncertain where to begin, the starting point is a current-state assessment of the services supply chain. That means mapping every active supplier relationship, identifying which ones have been governed against a security standard and which have not, and quantifying the access level each relationship confers.

That exercise usually produces a picture that is sobering in its scope and clarifying in its priorities. The organisations with the most exposure are often not those with the weakest overall security posture, but those where the sophistication of the internal security function has created a false sense of assurance about the risks arriving through the side door of services procurement.

The threat is not always approaching from outside. In many cases, it may already exist within your building, which raises the question of whether the people who arrived with it were properly vetted before they got there.



About Matchtech and InfoSec People

This article draws on research and insight developed in collaboration between Matchtech and InfoSec People. Matchtech brings over 40 years of experience placing professionals across Nuclear, Defence, Energy and Infrastructure. InfoSec People is a specialist Cyber Security recruitment business with an established presence in the cleared and national security cyber community.