Loss of Control
By far the foremost inherent risk of outsourcing is the loss of control over the outsourced process. When IT security processes are outsourced, this can at times prove to be the worst nightmare for the organization's management.
The most common concern triggered by the decision to outsource is that the loss of control overrides the sense of relief about day-to-day operations. This may stem from the difference in how internal and external personnel perceive service orientation. Whatever the case, at the end of the day it boils down to commitment and dedication to the work and to the organizational goals.
It is certainly great to do everything IT related in-house. You control access, and you control how and when things get done. On the other hand, any smart businessperson knows it is practically impossible for one department or person to do everything and do it well. This makes outsourcing a trend and a business practice that involves transferring control to an outsourced company specializing in the job being outsourced. But while doing this, does the organization also realise that control is being transferred to a complete stranger? This question needs to be answered thoroughly for the outsourced model to be a success.
It is a fact that an employee aligns more closely with the vision, mission, goals and culture of the organization than third-party or outsourced staff do.
Whatever the case may be, the outsourcing decision cannot simply be affected negatively by this factor. In scenarios where internal staff may compromise and go along with a business decision that has an adverse impact over a period of time, stringent SLAs will always force the outsourced service provider to stick to its guns and make the organization's management understand the inevitable.
But this is still a concern that always poses a risk, and it will always give rise to a debate about what to outsource and why.
Availability of quality service is another concern that hounds the decision to outsource. For a large organization with huge operations it is not of much significance, but for medium and small sized businesses it is quite a concern to be addressed.
After dealing with the question of losing control and deciding to go ahead with outsourcing, the organization faces this challenge of the availability of quality service.
For medium and small sized organizations, outsourcing may be a concern because, from the vendor's viewpoint, they are one of many customers serviced by the vendor and in many cases account for a small percentage of its total workload and income. This directly affects the availability and quality of the desired services at the time they are required. In most cases the smaller organizations suffer, as the service provider addresses the concerns of its larger customers first and makes the smaller customers wait until the support staff are free.
For a large customer it is easier to assert dominance and dictate terms by the sheer size of its order value, but for the smaller organization this becomes an issue. Moreover, if the smaller customer is in contention with a larger client, the issue is complicated further. In such a competitive battle for preferential availability and quality of service, even a smaller customer can gain priority by making the most noise and escalating the issue to upper management at the service provider, but a word of caution: this may not always be fruitful.
To deal with such scenarios, smaller organizations mostly resort to escalations, stringent time-based SLAs, and special relationships and rapport with the vendor's senior management.
Smaller organizations making a hue and cry should also understand that, at times, the larger organizations might even be subsidizing the services they avail of. At the same time, with the same staff servicing both the larger and the smaller organizations, the smaller organizations tend to benefit from the knowledge and expertise of support staff who have worked at the larger organization.
Yet another aspect that needs to be considered when outsourcing IT security processes is the protection of personal and confidential information. It has become very important to ensure that third parties who have access to such information protect it from inappropriate disclosure and from misuse.
With the ever increasing responsibility placed on the senior executives of organizations for security breaches by law and regulatory enforcement bodies, this issue has grown far beyond being just another issue. With more and more compliance-related concerns, organizations have to be more alert to the trust aspect, from the viewpoint that the vendor might also be providing services to their competitors, and in that case any leakage of business-sensitive and crucial information would prove damaging and loss-making.
The complication here is multi-fold: the cost of satisfying the regulators and the board of directors that due care has been taken, and the differences in regulations and laws that may exist because the organization and the service provider are in different geographical locations.
It is, however, good practice to test whether the vendor's stated policies and procedures are enforced and implemented. Either the customer organization or the service provider may hire third-party auditors or security assessment consultants to perform security and control assessments. Such specialty assessment firms are likely to do a more orderly, structured, and complete evaluation than in-house staff might achieve, because they perform so many more assessments over a period of time than an in-house group does.
Hidden and uncertain costs are an area that is mostly untouched or overlooked during the due-diligence exercise. This can be attributed to the fact that it is sometimes difficult to quantify certain costs or to ascertain the probability of their occurrence.
Some of the hidden or uncertain costs may relate to the vendor's financial viability and sustainability, or to whether it has adequate infrastructure to survive and sustain the business in case operations at its primary facility are adversely affected for one reason or another.
There may be cases where the vendor faces a financial crunch that leads to it being merged with some other, larger organization, or even with a competitor. In such cases most of the vendor's business is transferred to the acquiring party, but this is not the right approach to follow; the agreements should take a stringent approach and include a clause for termination of services in any such case, with 'No Liability' for the outsourcing organization.
Regarding the availability of infrastructure and continued support, the outsourcing organization must conduct due diligence at the vendor to assure management and the regulators that the selected vendor has adequate infrastructure for continued service and support even in adverse situations such as war and terrorist attacks.
But there is a word of caution: even during analysis, some costs might be hidden or excluded altogether, either unintentionally or through the analyst's ignorance or inexperience.
Maintaining internal skills is one of the key aspects of outsourcing and needs considerable attention from management and the decision makers. The issue here is that the more functions and roles are outsourced, the lower the chances that the internal staff would be able to handle them should they be moved back in-house.
To address this issue, SLAs are drafted so that the vendor conducts training and is liable to keep the internal staff up to date, but does this actually happen? If yes, then in how many cases and to what extent?
The cost of not maintaining an up-to-date and knowledgeable internal staff can be high and adds to the hidden and uncertain costs of outsourcing. The impact can include loss of negotiating power or of the ability to move to an alternative service provider.
One decision of prime importance is whether to select a dedicated facility at the outsourced agency or to utilize shared operations. Certainly the cost of dedicated operations at the vendor facility is higher, and most MSSPs charge a premium for such a service, but the overall security risk and the exposure of confidential business information are relatively lower.
But with tighter budgets for IT security operations, and security operations still being seen as a cost centre, most organizations opt for shared operations. This certainly increases the exposure of information and can add to the hidden costs.
Compliance, to what? To regulatory and statutory requirements such as banking regulations, SOX and HIPAA, and to international standards such as COBIT and ISO 17799. The further we drill down, the more we identify the likes of FISMA, GLBA, CASPR etc. Why are organizations doing this, and what is the need for it?
The requirements are not set by the organizations themselves; rather they are imposed upon them, by the concern over cyber crimes that are increasing day by day and by the extending regulatory periphery of the respective authorities, be it the government or the regulatory bodies for the industry verticals.