SmartAdvice: Consider Commercial Software Or An ASP To Provide A Management System

Off-the-shelf software or an ASP could meet most of your company's needs for a work-order-management system, The Advisory Council says. Also, consider whether you want to outsource your security functions at all, and then whether you want to outsource offshore.

InformationWeek Staff, Contributor

October 1, 2004

4 Min Read

Question B: Under what circumstances, if any, would it make sense for a business to outsource information-security functions offshore?

Our advice: The question is a two-pronged one because it involves making two decisions: Whether to outsource the security function, and; Whether to outsource offshore as opposed to onshore.

What Security To Outsource?
Here are the typical services of a security-services vendor: Intrusion-detection systems that monitor your network for suspicious activity and prevent attacks VPNs that secure the privacy of data communications Strong authentication devices that identify users before granting access to information resources, and permit remote users to securely connect to corporate intranets Virus, vandal, and Web-site-blocking services that filter malicious data and control website access; and Network scanning services that scan your network to identify potential vulnerabilities and recommend fixes.

Any and all of the above may be outsourced for cost savings, increased reliability, and better monitoring.

However, when it comes to moving the security function offshore, several other considerations come into play.

In outsourcing the security function offshore, one can control the incidence of virus attacks, system failures, denial-of-service attacks, Web-site and E-mail intrusion, etc. The greatest cost of security breaches, however, is the loss of confidential data. By outsourcing security offshore, are you opening yourself to the possibility of further loss of confidential data by involving a third party, which could possibly be located half-way around the globe, to "secure" your network and IT infrastructure?

Challenges Of Offshoring Security
The challenges associated with working with an offshore security-services partner include: The geographic distance results in a partial loss of control on the security function. Laws and government philosophies may not be in alignment with what we are familiar and comfortable with in the U.S. It requires additional due diligence, above and beyond that required for onshore outsourcing of the security function. There are currently an insufficient number of qualified information-security resources in offshore destinations.

Overcoming These Challenges There are challenges if you choose to offshore security. Remember, "offshoring begins onshore." Here are some suggestions:

  • Conduct all the due diligence required during the qualification stage, prior to signing an outsourcing contract. Integrate security clauses upfront.

  • Be heavily involved in the initial stages of security technology selection and procurement.

  • Continuously supervise and monitor the security function and related processes. Periodically conduct detailed audits to ensure compliance with corporate security standards.

  • Maintain a close working relationship between onshore management and the offshore provider.

  • Work to mitigate the cultural issues in industry compliance and regulation.

  • Perform background checks on local staff, including checking criminal records.

Conclusions And Recommendations
Under what circumstances does it make sense for a business to outsource the information security function offshore? When there is a well-defined security function within the organization, with clear parameters and standards that can be communicated via the outsourcing service-level agreement. When there's synergy between the business and the vendor, and both have conducted their due diligence to ensure the ability to comply with the information security function. When the business is willing and able to allocate resources to the management and supervision, including periodic audits, of the outsourced security function; and When the business is willing and able to take ultimate responsibility for any possible breakdown in the information-security function, onshore or offshore.

Don't give away the keys to the kingdom, but rather use diligent outsourcing of information security to enable you to focus on your core competencies.

--Sanjay Anand

Beth Cohen, TAC Thought Leader, has more than 20 years of experience building strong IT-delivery organizations from user and vendor perspectives. Having worked as a technologist for BBN, the company that literally invented the Internet, she not only knows where technology is today but where it's heading in the future. Sanjay Anand, TAC Expert, has more than 20 years of IT and business-process management experience as a strategic adviser, certified consultant, speaker, and published author. More than 100 personal clients, large and small, have included companies from a diverse array of industries and geographies, from academia to technology and from Asia to the Americas. Often referred to as a "consultant's consultant" for training and mentoring skills. He is author of books "The Sarbanes-Oxley Guide for Finance and Information Technology Professionals" and "J.D. Edwards OneWorld: A Beginner's Guide."

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights