Outsourcing of IT Security – What do you need to think about?

I’ve been involved in IT Security since 2000 and, in that time, I would suggest that 95% of my work has been done through Outsourcers. I’ve worked for or with EDS, HP, Accenture, Wipro, Atos Origin, CSC, IBM, Fujitsu, Cap Gemini, and others. And there are common traits that all Outsourcers have, some of which lead to successful outsourcing agreements and some of which will lead to a bad relationship.

The main thing to remember with all Outsourcers is that they make their money with two approaches; base services which are in the agreement, and additional project based revenue that they get because of insights into the infrastructure that they are supporting.

Let’s talk about the “base services” component of the agreement. Base services are something that are going to be written into the agreement to support the Enterprise. The more clear those agreements are written, the better the relationship will be simply because, when a disagreement occurs (and that will occur often, trust me!), the two partners will turn to the agreement for clarification of how to handle the disagreement.

This leads to a trait of outsourcing agreements that is a sign of a “bad” relationship: the more often the partners refer to the agreement, the higher the chance of a poor relationship. Remember that there is the core agreement that has been documented, and there is the “intent” of the agreement. The more the partners work towards the “intent”, the better.

With IT Security outsourcing, it’s important to remember that you aren’t just asking a partner to manage “boxes”. It’s not just about managing Firewalls or IPSs. It’s also about all the processes that Security professionals are involved in. There’s Incident Response, there are risk assessments, there’s mitigation of vulnerabilities found. And that’s just to name a few (I have documented these processes in my Reference Security Architecture).

The agreement should really document the technology, the people, and the processes that the Security team needs to be involved in. This goes back to how you think about ALL solutions (and outsourcing is a solution to the business problem of reducing costs): solutions contain technology, people, and processes. And I am coming to believe there is a fourth component to solutions: Governance.

At the end of the day, base services will only save an Enterprise something in the 3% – 4% range. CIOs tend to think that outsourcing will provide large savings (e.g. 20%) and it just doesn’t happen that way. Remember, most of the people staffed up by Outsourcers are the former employees of the Enterprise or of the previous Outsourcer who have been moved over to the new Outsourcer and, as a result, bring the mindset of “that’s how we’ve always done it” to operations.

Let’s now look at the second approach to revenue generation, which is Project based revenues. The smart Outsourcer will look at the environment that they are now managing and make suggestions to the Client on how to make things more efficient. Often the suggestions are focused on technology, but process changes are frequently suggested as well. The Enterprise will also be looking for the Outsourcer to bring in their in-house experts (the people component of solutions) to supplement their expertise.

This is where the “icing” comes in on top of the base services revenue “cake”, and it is typically where the Outsourcer will make most of their profit. They have a higher chance of winning projects simply because of their familiarity with the environment, and that familiarity is itself a benefit.

For IT Security, often the Enterprise will be expecting the Outsourcer to bring in a portfolio of solutions that can be leveraged in the Enterprise’s environment. With the move to Cloud Services, this can actually be a much better way of leveraging the portfolio simply because of how close the two organizations will become.

But the project side of revenue depends on the Security Architect having the ability to create strategies for the Enterprise and then the ability to move that strategy forward using the approved processes. It’s GOT to be a benefit to BOTH partners, not just the Outsourcer. And it’s important to remember that there needs to be the ability to go outside the services portfolio to bring in solutions that benefit the Enterprise.

Hope this helps …

Neil
