By Will Sturgeon, 22 September 2006 17:00
NEWS
Businesses must ditch their fears about outsourcing being a less secure alternative to keeping everything in-house and embrace the trend, according to one leading security expert.
His claims follow a stark warning from a leading CEO who says CIOs must outsource if they want to survive in their jobs.
Joe Martin, information security manager at Royal & Sun Alliance, said of his own outsourcing concerns: "I've got these staff coming in from Accenture and they seem alright but I don't know who they are.
"Then we've got guys in the office who've come in from Spain and they're speaking Spanish and I've no idea what they're talking about. Then there are the people in India and they're too expensive to bring over."
Martin said it sounds "all a bit worrying" but added companies can rise to the challenge of ensuring this situation doesn't undermine their security rather than ignoring its potential.
Martin said: "We've tried to limit very tightly what they can do," adding that CIOs have to work from the assumption they cannot trust their suppliers.
He said: "Limiting and monitoring is what you need to do." As such, Martin said staff in India are forbidden from entering the Bangalore facility with USB drives, mobile phones, cameras or any removable media which could be used to take data or even screenshots out of the organisation.
Likewise Royal Sun Alliance provides locked-down desktops, rather than using the machines already in the facility.
However, Martin said once companies have systems in place to manage the contract with suppliers and outsourcing partners they must then trust their planning: "You can't keep micro-managing your supplier, it just drives up your costs. You have to assume they know what they're doing."
Jay Heiser, research VP at Gartner, said another benefit of outsourcing is that financial incentives tend to motivate suppliers more than in-house staff.
Heiser said: "It's easier to motivate a supplier through economics than employees," adding too few staff are disciplined whereas suppliers normally have service level agreements.
And Martin agreed, saying in-house staff can be ineffective because they have a greater comfort zone. "You've got to sack people," he said of underperformers. Similarly he said businesses must have tightly worded agreements with suppliers in the event an outsourcing agreement does go wrong.
He said: "We've got contractual levers to ensure we can sue the blighters."
And the overall effect, said Martin, is "standards have definitely gone up".
His words reflect the opinion of Philippe Courtot, CEO of Qualys, an outsourced vulnerability management provider who said his company is seeing a great many converts to out-of-house models.
Courtot said many security chiefs within companies have struggled with the notion of ceding any control to outsiders but argues they now have no choice. "The good CIO, the one who will remain and stay in charge is the one who learns how to outsource. CIOs are under significant pressure and they have to cave in," he said.
The bottom line, said Royal & Sun Alliance's Martin is: "If we keep it in-house we are going to make mistakes and do you really want to manage all of this."
Comments
There are 9 comments. Join the discussion
1. anonymous
ROTFLMAO - I've read some rubbish in my time but.....
2. Alistair Thomas
So it's OK to use foreign (or outside) workers so long as you expect them to lie, cheat and steal from you but put in place robust enoug systems to prevent them dong so?
Oh, and in the absence of traditional motivators like team-work, company loyalty and service ethic, it's OK because outside workers respond much better to financial incentives than inside ones?
When people say thet IT has to get closer to business to survive it doesn't mean that we have to become accountants who understand the cost of everything and the value of nothing.
Good business has always been about the customer (internal, external - no matter), being good insiders and the search for excellence. Yes you've got to have a good head for finance but everything in its place.
A good outsorcing service provider will have their own corporate loyalty, service ethic and there's nothing to say they will be dishonest or untrustworthy, but their delivery is limited by the quality of the specification they are provided. If the spec is all about money and has lost the ultimate customer somewhere along the way then the final solution will fail or will be mediocre.
This article paints a dismal picture of the future. I for one will hope that we can do a lot better than this.
3. Eric the Disillusioned
Joe Martin sounds like an idiot to me. If they're not performing, sack 'em? Firstly, this is ethically questionable. Secondly, performance is often related to training and effective in-house communication. I do hope that in an attempt to come across as more 'business-savvy' CIO's do not forget the basics of business - including having a happy, well-trained and enthusiastic work force.
4. Charles Smith
If you can't manage a process the solution is to outsource. Is this what is being said here?
So you can sue if it goes wrong? Have these pundits ever actually been involved in such a court case?? At the most suing after business failure allows you the funds to eventually buy a headstone for your career. If you fall out with your outsource supplier your company is left with no skilled resource and the business knowledge now owned by an adversary.
Remove the MBAspeak surrounding outsourcing and admit that you are "selling the family silver" in terms of skills asset and replacing them with imported goods.
5. anonymous
I have come across some 'good CIOs' - now 'Consultants', and I just wish there was a way to outsource them.
When the going gets tough, these are the people who sell/melt down the family silver, put in place 'water tight' contracts which tie the supplier down!, walk out with the golden handshake and then not having done enough damage, start to preach the stuff as well.
Outsourcing a problem can work, but usually the problem was lack of investment (time/resources/money) from the top, and yes things do change, but at many times what it would have cost. We're into the bubble, when no-one dares ask the question of what will happen after the honeymoon period, and most the press has no reason to deflate it. Just waiting for the crash, but just hope that we still have the skill to pick these companies off the floor with!
6. anonymous too
I'm appalled that a senior Exec would admit that he can't handle his company's business problems by any other means than "outsourcing". My god, how did we ever manage before someone “invented” outsourcing.
If they didn’t hold the power of life and death over people’s jobs it would be funny, as it is, it’s pathetic.
Maybe the amusing plaque on every Exec’s desk should be, “I’ve got a CIO problem, outsource me out of here!”.
7. R. Scott Smith
Typical CEO tough talk. This is so short sighted and devoid of any critical thought and reason. These blatent directives show a lack of understanding of the industry and what it takes to make it technology work. I've had experience with 3 outsourcing companies, all of which were a waste of money and time and not necessarily because they were incompetent (although some were), but because they were CONTRACTORS and contractors don't care about what they do, they care about getting paid. Money doesn't produce the best product. Passion and self motivation does. Any software engineer will tell you this because they've seen it and experienced it.
8. Is it just me ?
Working under threats of outsourcing for a decade is no 'comfort zone'.
The day I see a CFO outsource their finance department, that's the day I'll seriously consider outsourcing my IS department.
The loyalty of my internal staff is to our company. The loyalty of my external suppliers is to their shareholders. Who cares most about my company? Go figure.
9. anonymous
So CIO's are admitting they have no clude how to get the best out of IT and want someone else to do it for them?
Why not get rid of the CIO too, and just let Finance sign the cheques to the supplier? I can't see what the CIO is adding to the equation here...