IT outsourcing. Pros, cons, pitfalls

Short description

Outsourcing information security can provide many advantages for businesses, including easier access to qualified personnel, cost savings, and access to a wide range of competencies. However, there are also potential drawbacks, such as service provider dependency and an inability to fully control all processes. Many companies are hesitant to outsource information security due to objections and fears caused by a lack of experience with professional contractors. However, with the right preparation and agreement on all the nuances, outsourcing can be an effective solution for ensuring a company’s information security.

We consider the main advantages of handing the information security function over to outside professionals, and explain what to expect when concluding an outsourcing contract so that it is as effective as possible.

The illusion that personal and corporate data is secure “by default”, which until recently reigned in the minds of the majority, is gradually beginning to dissipate. More and more often, news about another hack, “leak” or successful computer attack appears in the media.

Managers of large and small companies increasingly begin to ask: “Is everything protected here?” And it happens that in response the IT service specialists shrug their shoulders and shyly look away. Or they declare, deliberately loudly: “It cannot be otherwise!”, although the thought in their head is: “I have no idea…”

The task of ensuring the company’s information security is not trivial. There are several approaches to its solution:

  1. The “elusive Joe” method.

“Compared to Microsoft and Google, we are small, which means that no one will attack us. Therefore, there is no need to invest in information security. Besides, it does not bring in money.” Roughly this chain of logic forms in the heads of many business owners. That the lion’s share of organizations takes this approach to IS is understandable, and it is difficult to challenge. But it can be done. The problem is that this approach does not match modern security threats.

In today’s world, a company will be hacked not because anyone cares, but simply because of a critical vulnerability on the external perimeter or a simple password of a remote user. The issue of monetization of such hacking is also resolved: information on computers, 1C databases and network directories is primarily valuable to the owner, so the hacker simply encrypts it, leaving a message demanding ransom.

  2. Adding tasks to the IT service.

“There are computers here and computers there, so they will manage.” Yes, both IT and IS are all about computers, but each service has a different approach to them.

The task of the administrator is to make the system work. And, for example, processing e-mail with administrative rights and using the password “qwerty” do not contradict this task in any way. A security specialist knows how a hacker works, and for him such actions are a sure way to disaster, because he faces a completely different task: to prevent intruders from penetrating the system that the administrator diligently keeps running.

That’s why administrators and security specialists will never replace each other. And only the synergy of these two approaches allows businesses to be confident in the reliability of IT systems.

  3. Creating your own IS service and entrusting it with the task of IS provision.

A classic of the genre in its various variations, a really working version. The only problem is that not every organization will have enough resources and, most importantly, competent specialists to completely close all problems related to ensuring information security.

But what we want to discuss in this article is a fourth approach that can work well both independently and in conjunction with the previous two. It is called outsourcing, and it is often undeservedly deprived of attention and overgrown with many unfounded myths, which we will try to debunk.

Outsourcing is the transfer by an organization of certain functions (in this case, information security functions) to another company. Everything can be handed over (“Make us feel good!”), or only specific processes or tasks: setting up information protection tools, monitoring information security events, keeping documentation up to date, and others.

If you abstract a little from the name and look more broadly, you can see that any service a company buys, whether it is car maintenance, refilling cartridges or cleaning by a cleaning company, is in fact outsourced. That is, the work is performed for the organization by qualified personnel from a specialized contractor company.

Outsourcing information security has many advantages:

  1. It’s easier. The problem of recruiting personnel and assessing their qualifications becomes a thing of the past. Now it’s the contractor’s problem. Given the acute shortage of qualified workers in the IS field, this advantage was and remains one of the most significant.

  2. Cheaper. The price gain occurs due to the distribution of the outsourcer’s resources among several customers, the absence of capital costs (purchase of equipment, software, etc.), flexible configuration of the service package.

  3. Faster. The contractor has already worked out all the processes; it remains only to implement them.

  4. More professional. Outsourcing provides access to a wide range of competencies. An IT outsourcer has clearly more of them than one full-time employee. Also, we should not forget about the depth of expertise and breadth of experience that have been built up over the years in specialized companies.

  5. More efficient. Access to the outsourcer’s experts is provided “as needed”. For example, there is no need to constantly keep an engineer on staff to investigate computer incidents; you can request the service only once an incident has occurred.

Of course, there are also disadvantages. Perhaps it would be more correct to call them “pitfalls”, which can be successfully bypassed with proper preparation:

  1. Service provider dependency. If the contract is terminated, the company may be left without protection. This is mitigated by working out in advance the process for changing the outsourcing company.

  2. The need to set up a service package. As a rule, typical services that are customized for a specific customer are offered. Yes, it will take time to agree on all the nuances. But every day there are more and more offers on the IS services market and they will be able to meet the needs of any client.

  3. Inability to control all processes. The customer has only top-level control within the scope of the contract. But if you pay for the result, then it is not particularly important what is done inside the contractor. On the contrary, when interaction with the outsourcer is set up correctly, the ability to delegate part of the routine control functions can be considered a plus rather than a minus.

What stops companies from outsourcing IS? Objections and fears that, as a rule, stem from a lack of experience working with an adequate, professional contractor and that prove irrelevant in practice:

  • “It is expensive!” The reasons why outsourcing beats a full-time team on price were mentioned above. Let’s add some specifics: you don’t set up workplaces for the staff, you don’t pay them bonuses, you don’t send them to training, you don’t pay taxes for them. Yes, all these costs are included in the cost of the outsourcer’s services, but they are distributed among many customers. As a result, it is cheaper. According to Jet Infosystems, outsourcing is cheaper than staffing by 20-30% on average, and in some cases by 50%.

  • “It is impossible to fully evaluate all the processes and whether the outsourcers will cope properly.” The issue of trust is a cornerstone in the field of IS. But it is equally impossible to evaluate the doctor who treats you or the teacher who teaches you. To be sure of the contractor, you should approach the question of choosing one thoroughly. It is not easy to find a reliable company that you trust as you trust yourself, but the game is worth the candle.

  • “The outsourcer has access to our confidential information.” This “danger” is mitigated by signing an NDA (non-disclosure agreement), by contract terms (what they should have access to, and what they shouldn’t) and by fine-tuning the contractor’s access rules. With a competent approach, there will be no significant differences between the outsourcer’s staff and your hired employees. Moreover, everyone has heard the story of an employee who, on being fired, deletes the results of his work (or takes them to a competitor), thereby causing damage.

  • “The contractor is not directly subordinate to us, and because of this, efficiency is lost.” For tasks to be performed under the management of full-time employees, there is a special type of outsourcing: outstaffing. You buy the specialist’s time, and he reports directly to you, with no loss of precious time.

  • “At first they provide normal service, and then they stop doing the work, and we still have to pay.” To control the outsourcer, there is an SLA (service level agreement), which clearly spells out all his duties and deadlines. Violation by the contractor of the agreements recorded in the SLA means a violation of the outsourcing contract, and therefore removes the payment obligations from the customer.

  • “Outsourcers set up dangerous remote connections.” Here, the very wording hints at the answer: if an IT contractor installs dangerous remote connections, he thereby demonstrates his professional unfitness. You should refuse his services and look for a proven company.

  • “Our full-time IT specialists are constantly distracted.” This belief is the most difficult to disprove, because the IS process really is closely related to IT. And however contradictory it may sound, information security is primarily ensured by the employees of the IT service. IS specialists are engaged in controlling and developing the measures implemented by IT. We can safely say that security specialists are the head, and administrators are the hands, of a single organism that ensures the information security of the company’s systems. So, unfortunately, nothing will work without “distracting the IT people”. But the same is true of your own IS specialist. It turns out that this objection applies not so much to outsourcing as to the work of the IS service in principle.

  • “If the contractor leaves, it is difficult to work out on our own what the outsourcers were responsible for.” If the contractor implements and operates an information security system for you, the outsourcing contract can and should include obligations for him to document the implemented system and create a set of work regulations for employees. It is worth noting that a responsible contractor will advise his client even after the end of the contract and will not leave him empty-handed.

Summarizing, we can say that information security outsourcing is a responsible business and needs the customer’s attention at the initial stage. However, with the right approach, it has a lot of advantages and is in many ways more effective than maintaining your own IS service, especially for small companies. We hope that we were able to convey all the benefits of outsourcing in the implementation of the information security system and debunk the most common fears associated with it. The main thing in this case is to find “your” outsourcer: a responsible expert with whom you and your company will feel comfortable and at ease.
