Security Standards for Cooperation with an External IT Service Provider

Perhaps many people have come across this notion or taken advantage of services of this type, being provided by external enterprises. Arguably, the circle of readers of my article will include both outsourcing opponents and the ones who see it as an alternative and a chance for strategic development of an enterprise. However, in order to face the starting topic in as an objective way as possible (without effectively stirring the recipients) and provide the readers withan opportunity to confront themselves with the topic of this article, this broad issue should be placed in an appropriate context and its boundary conditions should be established. Without an action of this type, all pros and cons would be a graphic abuse on my part, thus reducing the topic to a multi-faceted polemic that adds nothing profitable to the issue.

Assumptions

In the first part of my article, I would like to focus your attention on the assumptions I have made, i.e. on the elements that will contribute to an assessment of the service itself and the reasonableness of its use. While writing this text, I am making use of my own experience, which I have gained during many years of cooperation with clients (partners) in international markets, as well as in our local Polish market. As a person who manages outsourcing cooperation, having completed a series of projects with a highly diverse scale of undertaking, I think I can venture to single out a recurrent aspect that can be observed before any decision leading to the beginning of outsourcing cooperation between a potential provider and a potential customer is made.

The sourcing strategy of a given enterprise

A sourcing strategy requires a holistic approach to the issue of using IT outsourcing services. Therefore, it will naturally force one to find the answers to the key issues inside the enterprise, i.e.:

– setting of business goals of the enterprise (including financial performance strategy and data sheet),
– an analysis of the internal potential of the enterprise (maturity, resources, core business, etc.),
– estimation of the possibilities and market potential in a given area (the fact that we wish to outsource does not mean that the market will have a valuable proposal forus in this regard),
– alternatives and sourcing models (contrary to what is believed, there are quite a number of possibilities and an outsourcing contract may not be the best solution in all cases),
– sourcing management (analysis, selection of the tenderer and the negotiation of the contract are most often only the beginning – drawing on our own experience, we observe that only 50 per cent of client-enterprises implement governance structures defined in the contract, which results in the contract diverging from the original assumptions).

Inappropriate use of outsourcing

The components of the sourcing strategy of an enterprise, which I have presented selectively above, lead to a rather not too original conclusion that the disadvantages of outsourcing often result from an inappropriate use of an outsourcing service and the opportunities that appearin a cooperation of this type. Reckless getting rid of functions that may prove important for the activity of the enterprise and delegating them to external entities may result in losing the competitive advantage in the market. Too much involvement into the reduction of the enterprise’s expenditures may lead to balancing on the border of profitability for the contractor, which naturally has an influence on the quality of the service provided. Both examples show that a significant factor which classifies outsourcing as a dubious form of service, is an inappropriate approach to the issue or, in other words, a bending of requirements that condition the success of using a solution of this type.

Client – provider

As a representative of a software engineering and technological outsourcing enterprise, I am very often being invited to (or take part in) seminars, panel discussions and conferences, where the main subject is IT outsourcing process management, as well as risk minimisation and performance maximisation during cooperation with the provider. Conclusions drawn from confrontations of this type between a client and a provider are interesting observations that allow understanding the issue to a considerable larger extent and specify the advantages and challenges that await potential beneficiaries. There are recurrent opinions that define IT outsourcing as a significant elementof an enterprise’s operation, where such aspects as: focus on business, access to a specialised group of professionals and technology, as wellas expenditure planning and control, are just some of the advantages of cooperation withan outsourcing partner.

Mutual trust

It is no accident that I use the phrase ‘outsourcing partner’ here, for partnership, just as sincerity and trust, is a basis of every business (or it should be, at least), hence outsourcing proper is a symbiosis between the customer and the provider, which relies on mutual trust. Both parties begin an act of cooperation, having become thoroughly acquainted with the scope of activity of each party beforehand. The best outsourcing enterprises are those that participate in the relation as a partner and notas a service provider. If we are perceived as a partner in our relation, we will soon become worth as much as an internal IT department that operates directly on the ordering party’s premises. Otherwise, would Polish branches of international corporations have been providing outsourcing services to the largest Polish enterprises and institutions for so many years? Certainly not. Owing to their status of partners, they are able to safely position themselves and develop their business in a stable, mutual relation.

Security and know-how

A significant element that has been gaining importance in recent years is the broadly defined security of cooperation and data protection during cooperation with an external service provider. Increasingly often, enterprises looking for outsourcing partners strongly prioritise information security. The very process of ensuring security is highly complex and requires several factors to be synchronised: appropriately adapted technological systems, tight infrastructure and, first and foremost, competence. The dynamics of IT technology development makes the classic security paradigm – everything is stable and tight as long as I have control over it – grows out of date. Therefore, it is so important for the notion of security in the cooperation between a client and a partner to be defined properly. According to the majority of reports on outsourcing, over 70 per cent of enterprises decide to cooperate with an external provider precisely because of the access to specialist knowledge about security and know-how. A key requirement for an enterprise that provides outsourcing services is to employ someone as an information security administrator. Such a person takes full responsibility for supervising and observing data protection rules. Particular emphasis within the scope of security should be put on such aspects as: detailed clarification of SLA contracts with the partner, data encryption (which involves appropriate software and equipment) and the use of an external hosting centre (which compensates for all kinds of network and equipment failures). Another significant security factor is also the awareness of the staff and clearly defined rules of operation in both the area of the enterprise and beyond it. It should be remembered that the weakest link in relational business is a human; therefore, the awareness of the value of information and its security should constitute the fundamental aspect of operation of every enterprise that defines itself as a service provider. To exhaust the topic related to the use of IT outsourcing services, as well as to security standards related to this type of business activity, on several pages is little short of miraculous. However, I hope that I have managed to provide at least some basic insight into the significant elements that may prove useful during the verification of actions aimed at starting cooperation with a potential partner – service provider.