Fri Apr 8 06:47:16 PDT 2016

Overarching: Outsourcing things: When is information technology outsourced?


Option 1: Outsource commodity goods and services that are easily replaced and cost efficient.
Option 2: Avoid any outsourced arrangement that deeply entangles substantial information technology functions.
Option 3: Only outsource what you can control effectively from a protection standpoint.
Option 4: Only outsource if all regulatory requirements can be met by the outsourcer.
Option 5: Outsource if the costs through the outsourcer are lower than the internal costs.


Outsourcing balances costs with benefits. The main benefits come from reduction in cost and ability to focus the enterprise on its primary functions. The main costs come from the cost of the outsourcing contract, the management costs of running the contract, and the security costs associated with compensating for the reduction in control over the activities now outsourced.

Commodity goods or services that are easily replaced have little security impact in most cases. Paper and ink for printers, most delivery services, office supplies, and many other goods and services can be outsourced with little information security impact.

On the other hand, non-commodity items tend to deeply entangle the enterprise with the outsourcer, and this strong interdependency also leads to a high level of risk aggregation. The result is typically failure of business continuity and disaster recovery plans, collapse of the enterprise if the outsourcer collapses or chooses to exit the business, very high disentanglement costs, high security costs to maintain equivalent security levels, inability to audit adequately, inadequate management controls, and so forth.

Protection that the enterprise can readily control within the outsourcing arrangement can help to compensate for deep entanglement, but most outsourcing contracts do not allow this to any substantial degree. In cases where the outsourcer places its workers at your facilities and allows you to verify their qualifications and retain consistent staff for long periods, low and medium risk situations may be acceptable from a risk management standpoint.

Regulatory mandates
All regulatory requirements must be met by the outsourcer as well, and this creates enormous problems when the outsourcer, for example, possesses enterprise records that are called for in court proceedings. It is the responsibility of the enterprise to get those records, but if the outsourcer fails, the enterprise may be held liable for failure to meet the court order. Many legal obligations cannot be transferred in this manner.

Cost savings
Substantial cost savings must be available from outsourcing or it is not worth doing. In many cases the outsourcer's claims that they can do it for less than you can are fictions, because the outsourcer is not doing the same things the enterprise would have done from a protection standpoint. The only place these savings really occur is in cases where the outsourced effort is a commodity.

Special expertise
The other reason to outsource is in cases where the outsourced provider has some special expertise that the enterprise does not have, does not need in enough volume to justify hiring on a full time basis, or cannot build up quickly enough by hiring. A really good example of this is information security consulting.


There are four reasons to use an outsourcer: (1) not enough time, (2) not enough expertise, (3) an objective outside opinion, and (4) lower cost. But these must be balanced against the increased cost of compensating for all of the controls the outsourcer does not have and the risks associated with entangling your enterprise with theirs.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved