Outsourcing and Controls
January 19th, 2009 by Jordan Del-Grande
This post is solely about what I perceive to be the biggest problem with outsourcing. It is not an anti-outsourcing article, but a source of information that you, as an outsourcing director, project manager, business owner, etc., should be aware of, along with the right strategic arsenal to overcome…
The biggest problem: The biggest problem with outsourcing is the perception from organisational owners that they can outsource their systemic problems. This I would state to be a stupid and most pernicious illusion. Unfortunately, it is a far more common situation than most security professionals would hope to see.
Who does this impact: Everyone. This includes Business Process Outsourcing (BPO), Information Technology Outsourcing (ITO), Knowledge Process Outsourcing (KPO) and any other acronym you come up with to cut “internal” jobs in order to achieve strategic advantage, cost savings and process improvements.
Solutions:
Awareness – Have the project managers build information sessions early on in the process where the owners (i.e., business and system) are made aware that they are not outsourcing their systemic issues. That is, any issues are still their issues, as they are still the owners. Have the owners sign up.
Register – Operational Risk should at this stage work closely with the businesses to document all known system risks and also audit the current process in order to discover the unknown issues. Again, have the owners sign up.
Maintain Control of your Controls – Do not outsource your controls. In fact, you can’t; this is an illusion too. At the end of the day it is still part of the company no matter which way you dice and slice it. Therefore, keep the management of security internal. Note, you can outsource specialised skills, but make sure you segregate this task to a separate 3rd party and not the 3rd party you are already outsourcing to.
Monitoring – Perform regular ongoing auditing, monitoring and remediation of issues. With the owners taking responsibility for the issues and a Solid Governance Model, you greatly reduce the inherent risks.
Closing Comments: I guess the key point to take away is accountability. If no one within the organisation takes ownership of the issues, even with the advantages of cost savings and possible process improvements, how long before one of these internal systemic issues results in a significant impact to the company (e.g., brand damage), and then not only do the savings go out the window, but worst case the organisation as well?