With the dynamic growth in information technology at present, a lot of business opportunities and threats have also surfaced. These emerging forces have changed the IT landscape over time, forcing businesses to cope with new trends and adopt new techniques to bolster internal controls. One issue that is very significant for businesses today is the decision whether to outsource IT security or have it managed by an in-house IT team.
The answer to that would depend on the following factors, among others:
- Size of the company
Small companies may do well without outsourcing IT security. Some companies may become self-sustaining while maintaining only a small number of IT staff. For relatively small companies with less automated business processes, the incremental benefits that the company may get from outsourcing IT security may not outweigh its cost.
- Nature of the business
Businesses with highly automated systems, such as banks and airlines, are better off outsourcing the areas of IT that prove tedious for in-house IT staff or that would require specialized machines which are impractical for the company to acquire.
- Sensitivity of the information involved
When a business process involves the accumulation of significant and confidential data in the system, security needs to be stronger in order to prevent theft. A company’s system is home to a lot of meaty information regarding the business and its stakeholders. A customer master list is an important business advantage of a company. It is kept confidential as it contains valuable information on networks and contacts from which the company’s revenue is derived. Once information like this leaks out to the public, a threat to the business may ensue, as customers may be able to compare the confidential prices, special sales agreements, etc. being offered to other customers. The same is true of the information held by a company’s financial reporting system. Results of operations, which a company may be withholding for specific reasons, may be released without passing the proper authorization level and harm the company’s reputation. Worse is the devious override of system controls in order to perpetrate fraud.
- Availability of service providers that will meet the specific needs of the business
Given the above conditions, the key to a successful plan to outsource is the availability of outsourcing vendors in the market who can properly cater to the specific needs of the business. The next dilemma would be choosing the right company to handle IT security.
Entrusting the whole of IT security to third parties may be the wrong business move, especially if you have precious data to protect. However, you may also need to consider that, without outsourcing, the company may be deprived of new trends available in the market which could boost efficiency in how the company carries out its business. The refusal to look outside the box may be harming the company through lost revenues due to inefficient operations.
The best approach would be a combination of outsourced and internally managed IT security. This will help maintain proper checks and balances within the IT processes. A company may identify certain processes that are routine and deal with voluminous transactions (e.g., daily checks of invalid log-in attempts to ATM accounts of depositors in a banking company). Processes like these may already prove burdensome for the company’s IT team, hence the need to outsource. Company-employed IT staff may take on other roles that are not mission-critical. This may prove successful as long as the roles and responsibilities of both internal and external parties are clearly defined.
However, outsourcing is not a walk in the park. When a company decides to go with outsourcing, the following concerns may arise:
- Breach of data security and confidentiality of information. More eyes pry on company information, making the business vulnerable to security attacks. The company’s own level of solicitude for its business is, most of the time, greater than that of a third-party contractor. Although you may reasonably expect quality service from a specialized IT company, there are still risks to which company information may be exposed.
- IT cost becomes variable. More costs are incurred for every additional job assigned to an outsourcing vendor compared to employing IT staff. When IT staff are employed, any additional jobs are compensated in the form of salary. However, trade-offs may exist in relation to meeting specific user and business requirements, as well as the time it would take to complete the tasks.
- Quality problems. It is difficult to control the quality of work of outsourcing vendors due to differences in interpretations of the plan. Proper communication may be hindered by language barriers or location issues.
- Going concern issues. The continuity of business of the outsourcing vendors is never assured. If the third-party contractor goes out of business, a problem will arise as to how they will go about the turnover of IT security to the client company.
In order to mitigate these risks, a company may push for the contract to include stipulations regarding subcontracting, backup plans and options, application of the intellectual property rights policy in the country where the third-party contractor is doing business, and of course, clear-cut roles and duties of each party, among others.
Above all else, proper planning and communication are key. If an organization wants to grow, then top management should just kick the box to obtain a view of what greener pastures lie outside the status quo.
So is it worth the risk? As nicely put by Geena Davis, “If you risk nothing, then you risk everything.”