IT OUTSOURCING has worked well for some companies, but the outcome hasn’t lived up to expectations for others and, for a small number, it has led to business-damaging disasters. According to a survey we conducted at InfoSecurity 2011, a staggering 77% of IT professionals said that their outsourcers had made up work to earn extra money. The problem is that there is little margin for error when you choose an outsourcer. If the outsourcer fails, you’re left holding the baby without the resources to care for it. Here are my five golden rules to ensure your outsourcing lifeboat doesn’t sink mid-stream.
Make a transition plan and stick to it
You should expect IT outsourcing to disrupt your entire organisation in ways you may not have anticipated. Your plan should include a change management module, a detailed and well-argued case to your staff that outlines how you intend to make a smooth transition, and a well-documented process to let your customers know that you have the outsourcing process well under control.
Get your outsourcing plan in writing
Outsourcing horror stories range from corrupt general managers with conflicts of interest (such as service providers getting kickbacks from landlords on the leased space) to projects torn apart by huge project team turnover rates. You might have a good team in place, but three-quarters of the team could have transitioned to another project a month later.
Ask to see your outsourcer’s plan in writing, particularly its crisis management plan. In the written report, make sure you add capital asset budgets for the acquisition of software to improve operational efficiency and provide better coverage of security. Make sure there are disincentives for contractors that would help avoid using or impairing the usage of software tools in order to improve things, even if they reduce billable hours. Make sure you allow for the adoption of better tools for labour-saving.
Have transparent security practices
Outsourcing is not for the faint of heart. When things go wrong, they tend to do so rather dramatically. The companies who’ve lived through outsourcing horrors have two things in common: lack of preparedness going into a new relationship and lack of communication once the project gets underway.
You will have to place special emphasis on choosing an outsourcer that has a proven track record of delivering quality security services to a similar range of industry sectors over a long period of time. They will need the ability to accurately correlate, analyse, and interpret large volumes of network security inputs in real time, and be able to separate legitimate threats from a welter of false starts.
An outsourcer should have multiple security operations centres that are always online. Having two or more datacentres allows for redundancy and may ensure constant compliance with security standards. Your outsourcer should have security experts in place to monitor and analyse data from customers on a global basis. This level of intelligence will help your outsourcer issue real-time alerts and recommend fast reactions to unforeseen events.
Anticipate security breaches. You will have to plan for emerging threats and for the need to purchase both software and hardware to respond to threats, as well as to improve compliance and security. Don’t allow the outsourcer to select its own tools as it will pick those that maximise its own revenue, not your security. You cannot predict the future, so provide slack to change your contractor’s mission as business and security landscapes change.
Know the outsource’s financial status, compliance standards, history, and audit points
What is your future security partner’s financial status? For publicly traded companies, Gartner estimates that annual run rates of more than $40m (£25m) per year in managed security services contracts indicate a sufficient base of revenue to support growth and enhancement of services.
For the biggest outsourcers, management experience should include defence, government, and a range of industrial sectors. This is an important consideration because it indicates an outsourcer’s ability to meet wide security management needs, including the monitoring of all industry-standard security products.
An outsourcer should be able to provide documented standards and policies for handling typical and atypical operations and threats. It must be able to show that it employs security specialists with certified expertise across a broad range of security products from a variety of vendors. This allows a company the freedom to select best-of-breed solutions.
Download our Whitepapers
The outsourcer must also have facilities, processes and procedures in place that are validated and certified by a third-party auditor. Compliance can be a side effect of good security, or a gigantic make-work scheme for the outsourcer. Put yourself in the outsourcer’s position: why fix the problem on thousands of machines in an hour using a security management tool when it could bill for months of reimaging systems? The organisation should take ownership of its own security and not outsource its direction.
Pick best-of-breed security solutions, do not use checkboxes to select solutions, and do not allow purchasing to select your security solutions. You don’t pick a doctor by the lowest price; you find the one with most expertise and history of success. You should do the same for your security: don’t allow it to be selected by your contractor or low-level employees.
Find experts in the areas you need
In the role of subject-matter expert and experienced implementer of systems, the right outsourcer can be a godsend if you can find that organisation. The key is to know how much specialised value your outsourcer can add to your organisation and how quickly it can do it.
Outsourcing as a means solely to reduce costs is a fraud as these cost reductions are achieved by gutting the organisation of its talent and providing its customers with the poorest possible support at the lowest cost. Ultimately, outsourcing for cost savings alone leaves a company weak and ill-prepared to respond to emerging threats and opportunities.
On the other hand, outsourcing to gain unique talent that is otherwise unavailable or impossible to train can provide your company with distinct competitive advantages. Outsource when there’s expertise to be gained (through contracting of specialists), not lost (through abandonment of loyal staff).
Philip Lieberman is president and CEO of Lieberman Software