When considering what should and should not be outsourced in IT terms, organisations really should be driven by three main considerations: what makes economic sense (cost); what can be done securely (due diligence); and risk to the business (a risk assessment).
The starting point for the decision-making process should be a risk assessment internally. This should identify all the types of data which fall under either regulatory compliance or risk to the business: credit card data (PCI-DSS); personal data (the Data Protection Act here in the UK); and intellectual property (IP).
Another aspect to consider in the move to outsource IT should be existing utilisation of hardware resources, and whether on-demand services would produce a cost benefit to the business, rather than a costly over-engineered solution for a limited peak-demand period.
Selecting a supplier with which to host your data, services or virtual hardware, should not be based solely on cost, but also on security – sometimes the former is over-emphasised at the expense of the latter. When deciding upon a framework for selecting your supplier in the bidding phase, you should clearly decide what you are trying to achieve for the business in terms of cost, functionality and security, and then have a scoring system that you will apply to the potential suppliers’ responses.
Read more about IT security outsourcing
- Start with capability gap when outsourcing security
- Outsourcing of IT security is not for everyone
- No one-size-fits-all approach to security outsourcing
- Business cannot outsource accountability
- Effective quality control key to security outsourcing
- IT security outsourcing should be informed and risk-managed
As someone who has been involved in requests for pricing (RFPs) for years, both as a vendor and as a supplier, these tend to vary enormously from industry to industry, and even with the style of the individual author.
In my experience, RFPs are best fit for purpose when they have given due consideration to all the aspects mentioned above. For encryption, for example, RFPs often tend to merely ask what encryption algorithm has been used – quite often to get a chorus of Advanced Encryption Standard (AES) responses, which does little to differentiate suppliers.
Dig a little deeper, by asking which method has been in the encryption implementation. As always, the devil is in the detail: the more thorough you are, the more likely you are to sort out the secure wheat from the insecure chaff.
Phil Stewart is director of communications ISSA-UK and director at Excelgate Consulting.
This was first published in May 2012