The world of outsourcing, off-shoring and cloud computing

Regular readers of this blog might have noticed a distinct lack of activity this last month. That’s been largely down to the fact that every hour of my available time has been occupied in completing my new book on security in outsourced and off-shored environments. It’s a big relief to finally complete this task, especially as it’s a fairly dry subject, certainly not one that you can get excited about. 
But it’s a hugely important subject, as well as a fascinating one. It’s full of contradictions and non-intuitive conclusions. If I was a CEO, for example, I’d definitely outsource, even though I know it’s far from the best strategy for delivering IT services. Why should this be? The answer is that it fits my mental model of how I think a company should be run.
Recognising and understanding this difference in perspective lies at the heart of understanding how to govern IT and security. CEOs are motivated by a different set of incentives than the mere desire to manage services efficiently. That’s why the future lies in Cloud services, even though we know it presents risks and problems that do not appear reasonable to a security professional.  
Business leaders view the world differently from technologists and security managers Outsourcing, off-shoring and cloud computing all hit a spot that in-house IT and security services fail to reach. In the same way a moth will always be attracted to a flame, so CEOs are inevitably seduced by a business model that offers the prospect of a slimmed-down executive team that focuses on business strategy rather than service delivery. It’s a triumph of management style over common sense, but one that is impossible to resist.