Two or three years down the road, would you like to see your enterprise IT security go out of control? Would you like protection to be almost completely reactive, expensive, always responding to emergencies and fraught with surprises?
Try outsourcing.
I'm not talking about a limited-scope project such as outsourcing benefits. I'm talking about the big kahuna - outsourcing the entire IT-network computing environment.
There have been a few very large organizations that have turned major applications - or the entire network except for applications - over to third-party operations, provisioning and help desk. Outsourcing can save companies a lot of money, but it can also cost them control of IT security.
We have seen many problems over the years. Most come down to the organizational walls that outsourcing erects and the difficulty of anticipating all the contingencies in a contract.
Frequently, outsourcers low-bid their offer to get the business and then try to make it up in change orders. But running IT security two or three years from now the way you ran it last year isn't going to cut it. Threats, vulnerabilities and consequences evolve. You must be able to adapt the architecture.
One company's outsourcer was good at responding to incidents but wasn't helpful in the post-incident review. Again, adaptability erodes. Another company had some business units that had outsourced and some that had not. Confusion over whether a worm had traversed "in scope" or "out of scope" locations complicated its response.
Service-level agreements (SLAs) can rebound against security. Modern organizations can no longer rely on a single firewall; large networks generally need to be divided into zones of trust that separate systems with different connectivity requirements and risk levels. But an outsourcer whose SLA is based only on performance will resist creating new perimeters after the contract has been inked. A lack of zoning could leave your network wide open to emerging threats.
A company can give up control over IT, but it cannot transfer its responsibility to the shareholders for the potential consequences. If secret formulas or other intellectual property fall into the hands of competitors, or if material deficiencies turn up on a Sarbanes-Oxley audit, blaming the outsourcer is cold comfort.
Be sure that security is considered when you're planning outsourcing or trying to bring an already-outsourced environment back under control. Define security-related roles and responsibilities clearly and completely. Specify clear security objectives in the SLA for integrity, confidentiality, availability, accountability and use control; demand sufficient redundancy; and require sufficient separation of product functions and staff duties to prevent common-mode failures. Retain the ability to monitor and audit the outsourcer's environment so you can independently verify that the objectives are being met. Require the contractor to support post-incident review and strategic adaptation of the protection architecture in addition to day-to-day operations and response.