
Security is far more important than cost or meeting requirements
By William Penn
Published: 2 September 2009 09:00 GMT
Whether you're new to outsourcing or an old pro, William Benn offers advice to make your deals the best they can be.
Whatever IT services you outsource - desktop support, network maintenance, infrastructure management or software integration - there are seven critical factors to the success of your outsourced service: security, reliability, scalability, performance, elegance, future-proofing and relationship management.
We always put security first on the list. Why? What about cost or simply meeting requirements?
Well, a low-cost but unsecured outsourcing arrangement will ultimately be more expensive - in remedial work, reputational damage, and worry. And I'd argue that no service will meet your requirements if it does not offer the necessary standard of security.
There are four stages to ensuring that your outsourcing arrangements will meet the required security standard: knowing your requirements; specifying your expectations of the outsourcer; ensuring that the outsourcer can meet those requirements; and staying up-to-date.
I've put together a detailed explanation of each of these stages - a primer of sorts for any organisation looking to outsource or to improve its outsourcing practice.
Know your requirements
Your requirement for IT security will depend upon the nature of your business, regulatory considerations, the sensitivity of the data and the consequences of loss or misuse.
For example, a hospital will have very different data to worry about when compared to a bank - but both must ensure rigorous data security to meet regulatory standards.
Even when data or systems are not subject to external regulation, the needs and expectations of users and stakeholders will influence the security standards of any IT service (whether outsourced or not).
You might want to consult with outsourcers on your likely security requirements but you can't outsource this stage of the plan.
Specify your expectations
Having determined the required standard of security, it's critical that the outsourcer can understand and implement an appropriate security strategy. Given the wide range of terminology used in IT and IT security, it's inevitable that confusion will arise during the contracting and transition phase of outsourcing unless both parties can converge on a common set of terms for IT security.
As a starter, the ISO/IEC 27000 family of standards offers an effective framework for security - and these may be relevant and sufficient for your outsourced IT needs. The ISO 27000 family has evolved over many years of development and provides a deep and broad set of standards to cover most common IT outsourcing arrangements.
Other frameworks would include sector-specific requirements (e.g. in financial services), the globally recognised SAS 70 standards for internal controls, or the best practices from industry groups. The key point is to eliminate confusion in the management of your IT security.
As the 'owner' of the system (even if you don't build or operate it yourself), you will have a statutory duty to protect any personal data that is held - and a professional duty to protect any commercially sensitive intellectual property within the outsourced service...