The rush to embrace the outsourcing model started in the USA with the insurance industry’s decision to promote commodity pricing and, as everyone knows, when your core product becomes a commodity you have to slash costs. The industry then moved to reduce expenses by outsourcing its IT operations, and the trickle soon became a flood that embraced all industries. If you intend to join the risk-takers on the river of no return, there are a few things you need to do to ensure your journey doesn’t end in disaster.
Outsourcing has worked well for some companies, but it can also lead to business-damaging disasters. The problem is, if outsourcers fail, you're left holding the baby without the resources to care for it. There is little margin for error in choosing an outsourcer as Lieberman Software found in our recent survey at InfoSecurity 2011. We discovered that 77% of IT professionals surveyed said that their outsourcers had made up work to earn extra money.
This was echoed in a news article about our survey by Lance Whitney of Techzone360.com, which reinforced our survey findings. Whitney wrote: “External consultants often don’t have the vested interest in a company that an internal staffer may have. I recall one particular project at my former IT job where we hired an external contracting company to help us with a long-term Windows migration project. The people brought in to assist us were paid by the day. There were sometimes days where their contributions were lacking or they performed simple, almost meaningless tasks that were not at all critical to the project.”
Here are my five golden rules to ensure your outsourcing lifeboat doesn’t sink mid-stream.
1 Make a transition plan and stick to it
You should expect IT outsourcing to disrupt your entire organisation in ways you may not expect. Your plan should include a change management module, a detailed and well-argued case to your staff outlining how you intend to make a smooth transition, and a well-documented process to let your customers know that you have the outsourcing process well under control.
2 Get your outsourcing plan in writing
Larry Harding, founder and president of High Street Partners, a global consultancy that advises companies on how to expand overseas, has seen many outsourcing horror stories, from corrupt general managers “with all sorts of conflicts of interest” (such as service providers getting kickbacks from landlords on the leased space) to projects torn apart by huge turnover rates. “You end up with project teams that are hugely inconsistent. You might have a good team in place, but a month later, three-quarters of the team has ‘transitioned’ to another project,” he said.
You need to see the outsourcers’ plan in writing, particularly their crisis management plan. In the written report make sure you add capital asset budgets for the acquisition of software to improve operational efficiency and provide better coverage of security. Make sure that there are disincentives for contractors who avoid using, or impair the use of, software tools that improve things, even if those tools reduce billable hours. Also make sure you allow for the embrace of better labour-saving tools. Do not allow the fox to guard the henhouse.
3 Transparency with respect to security practices
According to Ephraim Schwartz of InfoWorld Magazine: Outsourcing is not for the faint of heart because when things go wrong, they tend to do so rather dramatically. “The companies who've lived through outsourcing horrors have two things in common: lack of preparedness going into a new relationship and lack of communication once the project gets under way,” Schwartz said.
You will have to place special emphasis on choosing an outsourcer that has a proven track record of delivering quality security services to a similar range of industry sectors over a long period of time.
They will need the ability to accurately correlate, analyse, and interpret large volumes of network security inputs in real time and be able to separate legitimate threats from a welter of false starts. An outsourcer should have multiple security operations centres that run 24x7x365. Having two or more data centres allows for redundancy and may ensure constant compliance with security standards. Your outsourcer should have security experts in place to monitor and analyse data from customers on a global basis. This level of intelligence will help your outsourcer issue real-time alerts and recommend fast reactions to unforeseen events.
Anticipate security breaches: you will have to plan for emerging threats and the need to purchase both software and hardware to respond to threats as well as to improve compliance and security. Don't allow the outsourcer to select their own tools, as they will pick those that maximize their revenue, not your security. You cannot predict the future: provide slack to change your contractor's mission as business and the security landscape change.
4 Know their financial status, compliance standards, history, and audit points
What is your future security partner’s financial status? For publicly traded companies, Gartner estimates that annual run rates of more than $40 million per year in managed security services contracts indicate a sufficient base of revenue to support growth and enhancement of services.
For the biggest outsourcers, management experience should include defence, government, and a range of industrial sectors. This is an important consideration because it indicates an outsourcer’s ability to meet wide security management needs, including the monitoring of all industry standard security products.
An outsourcer should be able to provide documented standards and policies for handling typical and atypical operations and threats.
They must be able to show that they employ security specialists with certified expertise across a broad range of security products from a variety of vendors. This allows a company the freedom to select best-of-breed solutions.
The outsourcer must also have facilities, processes, and procedures in place that are validated and certified by a third-party auditor. Compliance can be a side effect of good security, or a gigantic make-work scheme for the outsourcer. Put yourself in the outsourcer’s position - why fix the problem on thousands of machines in an hour using a security management tool, when they could bill for months reimaging systems? The organisation should take ownership of its own security and not outsource its direction. Pick the best-of-breed security solutions; do not use checkboxes to select solutions, nor should you allow purchasing to select your security solutions. You don't pick a doctor by the lowest price; you find the one with the most expertise and history of success. You should do the same for your security: don't allow it to be selected by your contractor or low-level employees.
5 Find experts in the areas you need
In the role of subject matter expert and experienced implementer of systems, the right outsourcer can be a godsend if you can find them. The key is to know how much specialised value your outsourcer can add to your organisation and how quickly they can do it.
So those are my five golden rules. But remember - my position is that outsourcing as a means solely to reduce costs is a fraud since these cost reductions are achieved by gutting the organization of its talent and providing its customers with the poorest possible support at the lowest cost. Ultimately outsourcing for cost savings alone leaves a company weak and ill-prepared to respond to emerging threats and opportunities. On the other hand, outsourcing to provide unique talent that is otherwise unavailable or impossible to train can provide your company with distinct competitive advantages. Outsource when there’s expertise to be gained (through contracting of specialists), not lost (through abandonment of loyal staff). Happy outsourcing.