Outsourcing Security During Tough Times
By Carmi Levy — November 2008
Security always has been a dicey proposition for companies. And thanks to the tanking economy, it just got worse.
It’s only a matter of time before the frightening economic news that’s sweeping the planet hits you personally. As daily headlines scream about tumbling stock prices and massive job losses, it’s inevitable that your company soon will begin battening down the hatches — if it hasn’t already started.
Assuming you’re lucky enough to keep your job, you will, in all likelihood, be challenged to cut costs any way you can. Although outsourcing always has been a reliable alternative, should you go there? If you’ve got your hands on your company’s security planning and operations, does it make sense to hand over the reins to a third-party provider?
There are a lot of good reasons to say “yes.” Outsourcing lets your company focus on its core competencies as it off-loads functions to specialists capable of leveraging services across a larger base of clients. In theory, it allows for more cost-effective delivery and reduces the risk of losing focus because you’re trying to do too many things.
Security-specific services can be particularly beneficial because of the brutal pace at which new threats and tools present themselves. The average company often is hard-pressed to continually train staff and reinvest in capital-intensive security infrastructure projects. Your business is either making widgets or delivering services: Your business plan never said anything about fending off black hat attackers. It may make more sense to let someone else worry about it, right?
Not so fast. Security still is the soft underbelly of any company, and you can’t just toss your entire security infrastructure over the outsourcing wall without opening yourself up to a world of risk. When the first significant wave of outsourcing swept through IT a decade ago, there were some hard lessons learned:
- Service was delayed, or never delivered, thanks to a persistent lack of communication between IT employees and outsourced teams.
- Billing disputes arose from incomplete or nonexistent service-level agreements.
- Business goals were missed because the planning process failed to involve business-unit leadership.
- Large waves of layoffs that preceded many outsourcing deals resulted in human resources challenges that doomed many initiatives before they launched.
There’s no such thing as a magic solution in IT, and outsourcing is no exception. Proceed with caution if security is on your cost-cutting list. Consider the following key steps:
- Decide what you will and will not outsource. Security isn’t a monolithic function. It encompasses a wide range of activities, from policy planning and anti-virus monitoring to penetration testing, patch management and incident response. Decide which pieces you want to retain and which ones make the most sense to outsource, and revisit the list at least once a year to ensure the dividing lines remain valid.
- Assess your potential partners. Not every managed security service provider is worthy of the title. Those that maintain their own secure facilities rank above those who simply hang out a shingle. If prospective providers won’t proactively connect you with current customers, look elsewhere.
- Inventory your own skills. Most organizations don’t fully understand the capabilities of their own security staffs. This is a critical step in building partnerships with third-party providers.
- Don’t go anywhere without service-level agreements. Outsourcing without service-level agreements for every aspect of the proposed relationship is akin to jumping out of a plane without a parachute. No detail is too small when negotiating terms, as anything not baked into these contracts will potentially lead to misunderstanding, higher costs and unacceptable risks.
- Involve your business partners. To build trust with internal clients, ensure they’re active participants in any outsourcing discussions and negotiations at every stage. Business-unit and end-user buy-in is critical to the success of any third-party relationship.
- Remember basic HR principles. Few things scare employees more than the prospect of losing their jobs in a wave of outsourcing. Communicate thoroughly and frequently to keep your best people from heading for the exits.
Bottom line: Working with third-party specialists to bolster your security capabilities could make sense in these days of uncertainty. But do your homework long before you hand anything over, or risk exposing your organization to even more pain. That soft underbelly demands careful planning.
Carmi Levy is a technology journalist and analyst with experience launching help desks and managing projects for major financial services institutions. He offers consulting advice on enterprise infrastructure, mobility and emerging social media. He can be reached at email@example.com.