The Washington State legislature today (3/21/2005) passed HCR 2257 on a vote of 61-35, a bill that directs the state to examine whether offshore outsourcing of government procurement of goods and services is in "the best interest of the state and nation." Concerns center not only on loss of domestic jobs, but also on potential loss of control over private information and other avoidable risks. While CIOs have been restructuring to obtain outsourcing cost advantages, the tide is swiftly turning back toward home...

Washington state joins another 29 states considering such legislation which, if enacted, would seriously curtail government's procurement and service options--likely increasing its costs (see State and Local spending on outsourcing levels off). On the other hand, increasing concerns over privacy issues and national security as well as loss of technical jobs overseas will inevitably win out.
Adoption of state measures like these can influence the federal government and, by extension, how corporations choose to do business in the global talent trade. The people are speaking and at least at tier 1, they are being heard. Emboldened at the state level, a displaced workforce will use security concerns as the tipping straw that will accelerate tech jobs back to the US.
That the pendulum has reversed course should come as no surprise to CIOs. An article in E-Week last fall, "IT Labor Market Boomerangs Back Home," noted that less than a third of the companies surveyed that were engaged in outsourcing obtained satisfactory results and return on investment. Several cited the difficulty of ensuring fast fixes after a project was over as a key reason why offshore outsourcing of coding work did not make sense. The trend is also supported by the second IT Toolbox Outsourcing survey for 2004, which indicated a radical increase in the fear of "Loss of Control" as a factor against outsourcing. This factor increased more than 300%, to 24.5% in 2004 from 7.9% the year before.
New security directives have certainly played a key role in this. California 1386, GLBA, Sarbanes-Oxley and HIPAA cast a long shadow on outsourcing any IT activity that allows third-party access to sensitive systems and data, or that stores or manipulates private customer identity and health data, or financial performance information, beyond national borders. Even intra-national outsourcing has its risks, but at least parties are protected on both sides by a shared legal basis. Bluntly put, if a company is so financially challenged that it must outsource such activities beyond the border to companies that are not subsidiary or partnership owned by the parent company, they probably shouldn't be in business. The risks are simply too great due to the immaturity of international trade law.
There are some areas of IT however that can--and even should--be outsourced. It makes no sense for a company to conduct its own penetration testing. Results will be tainted by the fact that the tester will know too much about the internal workings of the infrastructure to give a true picture of external hacker risk. IT security audit and assessment, too, should be outsourced for the same reason, but precautions should be taken to ensure the professional is certified, bonded and trusted by their colleagues. It is also possible to outsource Business Continuity/Disaster Recovery planning and quality and security process analysis and remediation. These activities do not require direct, unsupervised access to production systems, and implementation is usually handed off to internal resources. Test automation and performance testing, too, are candidates for outsourcing. These are specialty skills that require a high level of technical proficiency and usually significant investment in mastering high cost commercial vendor tools of the sort not usually attractive to your typical hacker. Besides, as any scripter or load tester will tell you, they barely have time to think a malicious thought when on the job, let alone enact one. Intrusion Detection--which had been a strong area of security outsourcing--has declined recently due to the effect of zero day attacks which have shifted this activity away from things like manual log inspection and alert services to automated inspection appliances that can be purchased and installed within the infrastructure.
Outsourcing is on the decline, and security concerns are simply accelerating the process. In general, the cost savings from outsourcing are rapidly declining due to the added costs that security imposes. These costs will take the form of a more rigorous vendor selection process, verification of vendor security posture and trust level, legal fees for more difficult contract negotiations centering on liability, greater attention to security controls on project personnel and on channels of communication, and deeper inspection of source code and of project and operational processes. Such costs will swiftly overtake outsourcing cost savings, leaving us right back where we began. And God laughs.
Copyright 2005 Bar Biszick-Lockwood/QualityIT