Will You Risk IT?


With the dynamic growth in information technology at present, a lot of business opportunities and threats have also surfaced.  These emerging forces have changed the IT landscape over time, forcing businesses to cope with new trends and adopt new techniques to bolster internal controls.  One issue that is very significant for businesses today is the decision whether to outsource IT security or have it managed by an in-house IT team.

The answer to that would depend on the following factors, among others:

  • Size of the company

Small companies may do well without outsourcing IT security.  Some companies may become self-sustaining while maintaining only a small number of IT staff.  For relatively small companies with less automated business processes, the incremental benefits that the company may get may not outweigh the cost of outsourcing IT security.

  • Nature of the business

Businesses with highly automated systems, such as banks and airlines, are better off tapping outsourced IT for areas that prove tedious for IT staff or that would require specialized machines which are impractical for the company to acquire.

  • Sensitivity of the information involved

When a business process involves the accumulation of significant and confidential data in the system, security needs to be stronger in order to prevent theft.  A company’s system is home to a lot of meaty information regarding the business and its stakeholders.  A customer master list is an important business advantage of a company.  It is kept confidential as it contains valuable information on the networks and contacts from which the company’s revenue is derived.  Once information like this leaks out to the public, a threat to the business may ensue, as customers may be able to compare the confidential prices, special sales agreements, etc. being offered to other customers.  The same is true of the information held by a company’s financial reporting system.  Results of operations, the release of which a company may be withholding for specific reasons, may be released without passing the proper authorization level and harm the company’s reputation.  Worse is the devious override of system controls in order to perpetrate fraud.

  • Availability of service providers that will meet the specific needs of the business

Given the above conditions, the key to a successful plan to outsource is the availability of outsourcing vendors in the market who can properly cater to the specific needs of the business.  The next dilemma would be choosing the right company to handle IT security.

To fully entrust IT security to third parties may be a wrong business move, especially if you have precious data to protect.  However, you may need to consider that, without outsourcing, the company may be deprived of the new trends available in the market which could boost efficiency in how the company carries out its business.  The refusal to look outside the box may be harming the company through lost revenues due to inefficient operations.


The best approach would be a combination of outsourced and internally managed IT security. This will help maintain a proper check-and-balance within the IT processes.  A company may identify certain processes that are routine and deal with voluminous transactions (e.g., daily checks of invalid log-in attempts to ATM accounts of depositors in a banking company).  Processes like these may already prove burdensome for the company’s IT team; thus, the need to outsource.  Company-employed IT staff may take on other roles that are not mission-critical.  This may prove successful as long as the roles and responsibilities of both internal and external parties are clearly defined.

However, outsourcing is not a walk in the park.  When a company decides to go with outsourcing, the following concerns may arise:

  1. Breach of data security and confidentiality of information. More eyes pry on company information, making the business vulnerable to security attacks.  The level of solicitude an employer has for the business is most of the time greater than that of a third-party contractor.  Although you may reasonably expect quality service from a specialized IT company, there still exist risks to which company information may be exposed.
  2. IT cost becomes variable. More costs are incurred for every additional job assigned to an outsourcing vendor compared to employing IT staff.  When IT staff are employed, any additional jobs are compensated in the form of salary; however, trade-offs may exist in relation to meeting specific user and business requirements, as well as the time it would take to complete the tasks.
  3. Quality problems. It is difficult to control the quality of work of outsourcing vendors due to differences in interpretations of the plan.  Proper communication may be hindered by language barriers or location issues.
  4. Going concern issues. The continuity of business of the outsourcing vendors is never assured.  If the third-party contractor goes out of business, a problem will arise as to how they will go about the turnover of the IT security to the client company.

In order to mitigate these risks, a company may push for stipulations in the contract regarding subcontracting, backup plans and options, application of the intellectual property rights policy in the country where the third-party contractor is doing business, and of course, clear-cut roles and duties of each party, among others.


Above all else, proper planning and communication are key.  If an organization wants to grow, then top management should just kick the box to obtain a view of what greener pastures lie outside the status quo.

So is it worth the risk? As nicely put by Geena Davis, “If you risk nothing, then you risk everything.”


What IT Takes: Three Key Managerial Skills for Sound IS Decision-making

Managers are often confronted with matters needing business decisions that are not directly in line with their regular scope of work.  One very significant example is decisions regarding the information system (IS) of the organization, in which general managers are required to participate.  IS plays a vital role in determining the success of an organization as it encompasses almost all business processes, earning a significant chunk of an organization’s budget in order to sustain the use of such technology.  Because of this, general managers are often consulted in order to ensure business value from this investment.

For a general manager, making an IS decision is something new, as one is used to seeing things from a different perspective, which is that of the process owners.  Just like any management process, decision-making regarding a company’s information system can benefit a lot from the following essential basic management skills as formulated by Robert Katz:


Technical Skills

The type of IS decision-making that a manager needs to make depends on the managerial level one is currently in.  Operational managers, being more involved with the transaction processing systems, must be equipped with knowledge regarding the machines, production tools, processes, as well as income targets and business strategies that the company currently has or has planned to pursue.  Through this, a manager who is to participate in IS decision-making may be able to contribute insights and streamline these business concepts in the planning for the IS, tailor-fitting them to the company’s vision, mission, objectives, goals, strategies, and measures.  An operations manager’s participation will be valued if he is able to bring in ideas which will help an IS team customize the system to the company’s specific needs, thus making the IS decision-making more effective.

Controls will be better put into place when technically competent managers help in the design of these controls.  Proper segregation of duties will be considered in the process of structuring the IS (i.e., assignment of network or systems access to proper persons, avoiding conflicting duties, etc.).

Conceptual Skills

The power of a manager to think beyond the box will help an IS team come up with decisions that will not only cater to the needs of those who are involved in the transaction processing but also support the targets of other departments to facilitate the achievement of the overall business goals.  IS decisions will not be focused on one point of the process only but will also cover senior management’s needs regarding authorization of transactions, timely reviews by top management of encoded data, and the integration of one system with other business modules within the organization or even with external parties.  A manager’s conceptual skills will help an organization come up with ways to provide decision support systems or efficient network IT such as email accounts, a ticketing system for filing complaints or requests, and knowledge databases which are accessible to everyone in the organization, among others.

Human or Interpersonal Management Skills

Interpersonal management skills will help a manager determine the right number of people and the proper persons to assign to various IS functions, with the proper shift schedules as well.  The manager’s ability to work with people will help in motivating employees, and the manager’s knowledge of human behavior will assist the company in anticipating threats to the security of the information system.

As the company evolves in the aspect of IT, new roles and responsibilities are to be determined by the general managers.  With these changes, new reward systems are also developed as new metrics arise due to additional reports or features available in the company for tracking employee performance and behavior.

Risks may be prevented or at least mitigated.  Information systems, being the source and conduit for successful transaction processing or decision support, are highly threatened by fraud risk factors.  These factors may be in the form of incentives, opportunities, or rationalizations of employees or even of management, which are the basic elements from which fraud may spring.  Managers will then need to coordinate with the IS team to enhance the organization’s internal control environment by considering these risks related to human management.

All these facilitate the more effective use of human resources in an organization.

For an organization to have a properly functioning information system, a convergence of managers from all departments and all levels is deemed necessary.  IS experts will need the opinion of every manager whose tasks will be affected by these IS decisions.  Indeed there are other specific skills that may help managers make sound IS decisions, but all these may be simplified into these three basic categories.