IDC predicts that the number of companies specifically outsourcing IT systems will continue to increase rapidly. Outsourcing is a strategic business decision and offers compelling benefits. However, it also carries risks and problems in terms of security, and unless thorough planning and preparation are in place, these may undermine the long-term success of any partnership.
The decision to outsource has always been made at board level and is driven by the need to reduce costs, change the profile of expenditure and remove 'peripheral' activities so that organizations can focus their energy, time, money and resources on their core business.
However, these benefits depend on thorough planning and preparation throughout the outsourcing negotiating process. This is particularly true in terms of security, where there is a risk that organizations who outsource IT will wash their hands of security issues, believing it to be no longer their responsibility and to be safe under the control of someone else. In reality, unless organizations work with their outsourcers to plan, manage and maintain security strategies, security will be left in a no man's land of confusion, exposing organizations to increasing security threats. Planning must determine where the responsibility lies and how the outsourcer's security team is to work with the organization. Openness and communication are critical to success.
Both parties must be confident that they will be made aware of any security incident. It is counterproductive to impose punitive damages on an outsourcer for every security breach; better security results from a culture in which problems can be aired, investigated and resolved in true partnership rather than a culture of blame.
Every organization must also have a comprehensive knowledge of which systems are outsourced. One company, for example, which did not outsource the totality of its systems, suffered when it discovered that its R&D functions were not covered by the security clauses in its outsourcing contract. Thus, when a breach occurred, the outsourcer did not have resources or plans to tackle the breach, nor did it have the authority to actually intervene. Valuable time and money were wasted while the contract was changed to include the management of those areas.
Drafting clear contracts that give security proper consideration can mitigate problems. Discussion of potential security problems should be encouraged during contract negotiations, since determining the problems beforehand will ensure a happier relationship. From the outset, responsibilities must be delineated. A manager within the organization must be appointed to own security, to introduce the outsourcer's own security specialists to the right people in the organization, to review the security proposals from the outsourcer and to take responsibility for investigating any suspected security incidents.
The most important issue is ensuring that someone who understands the core needs of a business has access to the senior team that owns the security plans. One solution would be for a security manager from the organization to transfer over to the outsourcer. This enables the individual to broaden their working experience and also brings cost advantages to the organization, as the outsourcer absorbs staffing and security training costs, and releases companies from issues of staff motivation and incentives to security.
Understandably, some companies can be apprehensive of this arrangement as they fear that their employees' knowledge will be lost to another company. Furthermore, there is the concern that over time, individuals could lose their intimate understanding of their original company, which negates their reason for having been transferred in the first place. This is a very real problem and can lead to the outsourcer failing to manage business changes and new projects. Furthermore, when internal developments take place, people become unsure about who should manage security. As a result, it slips, overlooked, into the background, until a security breach highlights the flaws. By then an outsourcer may refuse to handle the problem because they have not been involved in security from the outset.
Communication is vital for a successful outsourcing partnership. It is imperative that channels of communication remain open between the two companies, with the security representatives acting as mediators through which information flows regularly. Trust between parties needs to be built and nurtured, for example, by creating a relationship that allows security issues to be investigated without the threat of harsh penalties. Such an open relationship is often achieved with the intervention of human resources that help companies to establish a channel of communication with their outsourcer.
Security is not a static issue that can be implemented and then ignored. Security threats change weekly and companies need a dedicated resource to ensure that they react to those changes and protect their changing business from those threats. It is this flexible, progressive attitude to security that must be mirrored by the outsourcing company. Rather than the outsourcer simply taking over the current security situation and maintaining it, they must work with their customers to ensure security plans engage with the changing business and continue to evolve as it develops. When they do, they can reap all the rewards of outsourcing and none of the worry.
John Alcock is managing consultant at Fujitsu Services' security practice (services.fujitsu.com).