CIOs told 'outsource or die'

Businesses must ditch their fears about outsourcing being a less secure alternative to keeping everything in-house and embrace the trend, according to one leading security expert.

His claims follow a stark warning from a leading CEO who says CIOs must outsource if they want to survive in their jobs.

Joe Martin, information security manager at Royal & Sun Alliance, said of his own outsourcing concerns: "I've got these staff coming in from Accenture and they seem alright but I don't know who they are.

"Then we've got guys in the office who've come in from Spain and they're speaking Spanish and I've no idea what they're talking about. Then there are the people in India and they're too expensive to bring over."

Martin said it sounds "all a bit worrying" but added companies can rise to the challenge of ensuring this situation doesn't undermine their security rather than ignoring its potential.

Martin said: "We've tried to limit very tightly what they can do," adding that CIOs have to work from the assumption they cannot trust their suppliers.

He said: "Limiting and monitoring is what you need to do." As such, Martin said staff in India are forbidden from entering the Bangalore facility with USB drives, mobile phones, cameras or any removable media which could be used to take data or even screenshots out of the organisation.

Likewise Royal Sun Alliance provides locked-down desktops, rather than using the machines already in the facility.

However, Martin said once companies have systems in place to manage the contract with suppliers and outsourcing partners they must then trust their planning: "You can't keep micro-managing your supplier, it just drives up your costs. You have to assume they know what they're doing."

Jay Heiser, research VP at Gartner, said another benefit of outsourcing is that financial incentives tend to motivate suppliers more than in-house staff.

Heiser said: "It's easier to motivate a supplier through economics than employees," adding too few staff are disciplined whereas suppliers normally have service level agreements.

And Martin agreed, saying in-house staff can be ineffective because they have a greater comfort zone. "You've got to sack people," he said of underperformers. Similarly he said businesses must have tightly worded agreements with suppliers in the event an outsourcing agreement does go wrong.

He said: "We've got contractual levers to ensure we can sue the blighters."

And the overall effect, said Martin, is "standards have definitely gone up".

His words reflect the opinion of Philippe Courtot, CEO of Qualys, an outsourced vulnerability management provider who said his company is seeing a great many converts to out-of-house models.

Courtot said many security chiefs within companies have struggled with the notion of ceding any control to outsiders but argues they now have no choice. "The good CIO, the one who will remain and stay in charge is the one who learns how to outsource. CIOs are under significant pressure and they have to cave in," he said.

The bottom line, said Royal & Sun Alliance's Martin is: "If we keep it in-house we are going to make mistakes and do you really want to manage all of this."