Companies of all sizes are outsourcing some part of their IT and concentrating on their core
business activities and strategic IT plans. Even where IT
operations are retained in-house, some activities will still be
performed by external providers.
But while an IT outsourcing deal can put tremendous stress and
time pressure on the IT and IT security team, it is also an
opportunity to take stock of a business' security strategy,
processes and posture.
Having a working framework is an essential requirement for an
outsourcing relationship. What used to be internal and sometimes
informal processes are now running through a commercial interface.
As a result, processes become more controlled, roles and
responsibilities better defined and new audit trails developed.
Retaining in-house a solid base of multiple skill sets that can
manage the supplier, the business' interests, as well as legal and
regulatory compliance, is good practice, and something many
organisations are starting to adopt.
The newly defined teams on both sides of the fence will take
some time to adapt to their new roles once details of the
outsourcing contract have been agreed. Both retained and outsourced
teams will have to focus on developing and training their staff
and managing their new responsibilities. This will include guiding
them through the psychological change process and allowing them to
become a member of the new organisation.
The role of those being outsourced changes from being an overhead to
adding value to the core business of their new employer. Of
course, they will still have to face the challenge of moving into a
new HR management system that may be wholly incompatible with how
their skills were managed previously.
In this instance, it is helpful if they have already acquired
recognised standard qualifications, such as the IT Infrastructure
Library, project management or security certifications, such as
Certified Information Systems Security Professional (CISSP) or
Systems Security Certified Practitioner (SSCP).
Recognised qualifications will help staff sharpen their profile
and give them an opportunity to take aim at a more clearly defined
career path. It can also provide an opportunity to add skills using
the knowledge and training base that is more likely to exist within
the service provider's organisation. Responsible employers will
include this type of development opportunity in their selection
process, as it is a key requirement for staff retention.
It is also likely that there will be more stringent personal
development for those IT staff with security skills, as well as the
IT security architect or the security manager who is looking for a
new career path.
This is great news for security best practice, since having better
trained and developed IT staff is one of the easiest ways to reduce
security vulnerabilities. So, far from being a core objective of
outsourcing, this can be an unexpected and potentially unexploited
benefit.
The retained team will undergo a similar, although less visible
change. They will have found a new home within their old
enterprise, and being seen as visibly removed from IT operations
may open up new perspectives in the area of service and risk
management.
Outsourcing is sometimes seen as a threat by those affected;
however, its positive potential for career development should be
noted by staff, IT and HR managers alike. It is part of the overall
trend towards more clearly defined roles, which in turn contributes
to the momentum of growing the IT security and risk
professions.
About Security Zone
Security Zone is a bi-weekly series in Computer Weekly covering
all aspects of IT security management. Each article will be written
by a member of the International Information Systems Security
Certification Consortium (ISC)².