Companies of all sizes are outsourcing some part of their IT and concentrating on their core business activities and strategic IT plans. Even where IT operations are retained in-house, some activities will still be performed by external providers.
But while an IT outsourcing deal can put tremendous stress and time pressure on the IT and IT security team, it is also an opportunity to take stock of a business' security strategy, processes and posture.
Having a working framework is an essential requirement for an outsourcing relationship. What used to be internal and sometimes informal processes are now running through a commercial interface. As a result, processes become more controlled, roles and responsibilities better defined and new audit trails developed.
Retaining in-house a solid base of multiple skill sets that can manage the supplier, the business' interests, as well as legal and regulatory compliance, is good practice, and something many organisations are starting to adopt.
The newly defined teams on both sides of the fence will take some time to adapt to their new roles once details of the outsourcing contract have been agreed. Both retained and outsourced teams will have to focus on developing and training their staff and managing their new responsibilities. This will include guiding them through the psychological change process and allowing them to become members of the new organisation.
The role of those being outsourced changes from being an overhead to adding value to the core business of their new employer. Of course, they will still have to face the challenge of moving into a new HR management system that may be wholly incompatible with how their skills were managed previously.
In this instance, it is helpful if they have already acquired recognised standard qualifications, such as those for the IT Infrastructure Library or project management, or security certifications such as Certified Information Systems Security Professional (CISSP) or Systems Security Certified Practitioner (SSCP).
Recognised qualifications will help staff sharpen their profile and give them an opportunity to take aim at a more clearly defined career path. They can also provide an opportunity to add skills using the knowledge and training base that is more likely to exist within the service provider's organisation. Responsible employers will include this type of development opportunity in their selection process, as it is a key requirement for staff retention.
It is also likely that there will be more stringent personal development for those IT staff with security skills, as well as the IT security architect or the security manager who is looking for a new career path.
This is great news for security best practice, since having better trained and developed IT staff is one of the easiest ways to reduce security vulnerabilities. So, far from being a core objective of outsourcing, this can be an unexpected and potentially unexploited benefit.
The retained team will undergo a similar, although less visible change. They will have found a new home within their old enterprise, and being seen as visibly removed from IT operations may open up new perspectives in the area of service and risk management.
Outsourcing is sometimes seen as a threat by those affected. However, its positive potential for career development should be noted by staff, IT and HR managers alike. It is part of the overall trend towards more clearly defined roles, which in turn contributes to the momentum of growing the IT security and risk professions.
About Security Zone
Security Zone is a bi-weekly series in Computer Weekly covering all aspects of IT security management. Each article will be written by a member of the International Information Systems Security Certification Consortium (ISC)².