Summary of the Outsourcing Process

Throughout the book, we have looked into various security aspects and compo-nents of the outsourcing decision. In this chapter, we will go through the steps in the process and describe how they relate to one another. This will enable the reader to put the various concepts, evaluations, and decisions into the context of an overall process. The events, tasks, and steps (or phases) that make up the typi-cal outsourcing process are:

1. Observe and respond to a trigger event. Such an event causes someone in the organization (usually a member of the senior management team) to focus on a business or operational need for a particular enhanced or modified function or activity or to enter a new line of business. Simi-larly, in a start-up situation, the initiation of a new business or other form of organization might result in the need to consider outsourcing at the outset rather than establishing certain functions internally. Over time, a growing company determines that, at a certain level of activity, it might make more sense to consider internalizing certain outsourced functions. Typical events might include market forces or regulatory requirements. For example, for financial institutions, the burden of new regulations might make firms consider outsourcing some of their operational and IT functions rather than attempt to comply on their own. Here economies of scale will likely predominate. In other cases, the news that a large firm has outsourced a major function, to an MSSP, for instance, might get other firms’ management teams to think along the same lines.

163

2. Determine the actual business or operational need for the existing or suggested service or function. This first step is important. Before making an outsourcing decision, the function or business must be justified in its own right, usually in the form of a business plan.

There has to be a “leap of faith” in the business plan, since it might assume the use of service providers for various functions prior to actually determining the feasibility and cost-effectiveness of such decisions.

3. Determine the scope, service requirements, and possible means of providing service.This is the next level down from the business plan. If the plan is accepted in principle, the effort necessary to backfill the details is worthwhile. The full range of options for the service needs to be deter-mined, whether internal, external or joint (cosourced), and whether the provider is domestic, near-shore or offshore, small or large, or rela-tively new or established.

4. Perform research to determine the degree to which specific services are out-sourced.Find out about experiences others may have had with specific outsourcers and outsourcing in general. Today, the Internet is a rich source of free information through news and magazine articles, discus-sion forums, and associations. In addition, many conferences, proprie-tary research papers, books, and other commercially available items can be accessed. Through these resources, an organization gains access to the analysis and opinions of experts and, at conferences, seminars, and vendor-supported presentations, one can discuss experiences with peers as well as the speakers and panelists. Today, there are specialty conferences about outsourcing across all lines of business and govern-ment as well as industry-specific meetings. Each has its benefits. I have listed relevant books, articles, papers, conferences, Web sites, and other sources in the Selected Bibliography.

5. Determine whether outsourcing is a feasible alternative as a result of the research. In general, there will be favorable and negative views and experiences. However, changes of opinion are relatively inexpensive in the discovery and analysis phases. Once an organization embarks on the subsequent phases, a measure of commitment results from the investment in time and energy made to date. This alone can greatly influence the decision. After all, if someone or a team has spent months investigating the outsourcing alternative, it would be disap-pointing to realize that it is not feasible or is ineffective, and the effort would appear to have been a waste of time. Therefore, there is a self-fulfilling aspect of the process that should be recognized and removed.

In any event, let us assume that the research has pointed to the

164 Outsourcing Information Security

feasibility and potential benefit of outsourcing, so that we can proceed to the next step.

6. Prepare and send out a Request for Information (RFI) to outsourcing serv-ice providers.While good research can provide substantial information, particularly as to who the major players might be, there is no real sub-stitute for the more detailed information that can only be obtained from the service providers themselves. Nevertheless, the cost of issuing and analyzing an RFI is not always justified. Depending upon the size of the potential service contract as well as the riskiness of the arrange-ment, or if the activity to be outsourced is highly critical, more detailed information may be warranted. Assuming that an RFI is worthwhile, it should be carefully crafted to provide all necessary information.

7. Collect information from providers and perform preliminary analysis. The results from analyzing the data obtained from the RFI will likely sup-port or refute the original idea to consider outsourcing. If necessary, it is better to abandon the idea of outsourcing at this point, where the time and effort has been relatively small, than to invest further resources in the evaluation. However, if the outsourcing approach still appears feasible and cost-effective, it supports the decision to proceed to the next step, since the question is no longer “should we?” but “who should we use?”

8. Prepare and distribute a Request for Proposal (RFP). To many, the RFI and RFP are seen as interchangeable, but there are (or should be) major differences between them. Information that is included in the RFP will often appear in the final agreement negotiated between out-sourcer and customer. And information that is excluded from the RFP will sometimes need to be included in the final agreement. Therefore, it behooves the RFP writer to think ahead about what terms and con-ditions will be requested during contract negotiation and to include such items, specified as wanted, in the RFP. It is not unusual to attach the proposal received in response to the RFP within, or appended to, the actual service agreement. Secondly, it is important to prescreen recipients of the RFP so that, if they respond with an appealing offer-ing, you are not dealing with an unreliable provider, especially one with a bad reputation. Were one of the latter to respond with an attractive price and other good terms, it becomes most difficult to explain to superiors why that provider should not be chosen. On the other hand, it is important to send RFPs to a fairly large selection of vendors to get a good feel for what is being offered under what terms and conditions. The RFP should require that proposals be received by a specific time and date. This avoids stragglers and provides some Summary of the Outsourcing Process—Soup to Nuts ¹⁶⁵

assurance that an early and prompt response represents an eager and responsible provider.

9. Since the receipt of proposals is fraught with potential problems, it must be handled in a formal manner.The date and time of receipt of the physi-cal proposal, whether on paper, on other media or in electronic form, should be carefully logged, particularly for those proposals received at a time close to the suggested deadline. Heated arguments might occur if a provider is eliminated due to purported late submission, and so the decision should be made in advance as to what extenuating factors will and will not be acceptable. For example, a regional blackout may be an acceptable reason for delaying the deadline, whereas the provider claiming that their PC crashed and the document was lost may or may not be considered reasonable. In any event, some population of pro-posals will have been received and are then subject to analysis and evaluation.

10.The customer should perform preliminary and in-depth evaluations of the proposals received. An initial scan of the proposals might eliminate some outliers. Perhaps the charges are far in excess of other reputable bids or the proposal may lack key ingredients. Even the professional-ism of the form of the proposal may indicate a questionable outsour-cer, although one must beware of the impressive, elaborate, expensive proposal that contains little of substance. In other situations, the out-sourcer may not have followed the guidelines for format and content and may have omitted key sections or ancillary documents, but instead submitted their own boilerplate. Again, the requestor has an opportu-nity to decide whether or not the submission is acceptable or should be rejected based on such differences. However, the requestor should con-sider being flexible enough to allow for bidders to make up moderate deficiencies within a specified time frame, so as not to disadvantage those who got the requirements right the first time. Ideally, all bidders will have submitted proposals exactly in conformance with the speci-fied format, since this makes the analysis so much simpler. However, the requestor should realize that their RFP will not have considered everything, or that the format precluded the inclusion of important information, and adjust accordingly. In some cases, a provider might raise an important issue that was not included in the RFP, so that it then becomes necessary to request additional information from all bid-ders. The right balance between structure and flexibility must be achieved, but this is not easy to do.

11.Having gone through each the proposals and eliminated some in an initial scan and others after more detailed analysis, the requestor should then select

166 Outsourcing Information Security

a short list of three or four top contenders.A polite note should be sent to those not making the short list, thanking them for their efforts, com-plimenting them on their submissions, regretting that they did not make the short list, and assuring them that they will be kept in mind for future projects. The note might indicate that, should the process not select among the remaining vendors, other applicants would be reconsidered—there is nothing to be gained in burning bridges. It has indeed happened that leading contenders have been eliminated for one reason or another, and that it has been necessary to revisit those out-sourcers who did not make the short list initially. After all, it is appar-ent that, for many of the proposals, considerable effort and cost were expended, so that a brief thank-you note is warranted. It is important to note here that the RFP should contain language indicating that the requesting company will not be liable for any costs incurred by the bidder in responding the RFP. An organization does not want to be pressured by bidders because of their investment to date in the process.

12.At this point, it is usual to review the proposals from the short list in greater detail.This might involve investing in credit checks and other financial analyses, and calling or preferably visiting references,¹having the bid-ders come on site to make presentations of their proposals and answer questions, and visiting the providers’ own facilities or facilities they manage for others. The degree to which this is done depends very much on the magnitude of the deal and its criticality to the business.

Clearly, for those on the short list, significant costs are incurred, and the requestor also incurs the cost of site visits. Consequently, this addi-tional review should only be done for serious candidates, and it should be emphasized to them that their costs in responding will not be cov-ered. An organization should make it a policy not to have service pro-viders pay for visits by potential customers to their facilities or for other work done in regard to evaluating their proposals, as this can cause problems if the service provider is not chosen. The service pro-vider might well apply pressure to an organization to select them based on such monies spent in the proposal stage.

13.Ultimately and usually, only one outsourcer is selected as the preferred ven-dor.This means having to notify the others that they were not chosen.

Summary of the Outsourcing Process—Soup to Nuts ¹⁶⁷

1. Even a visit to a customer site is no guarantee of an honest tour. I experienced a situation in which an employee of the vendor masqueraded as an employee of the reference company.

Obviously, the opinion of the “customer” was a glowing one. It was only because I knew someone at the reference company and called him directly that the fraud was uncovered.

Here, it might be appropriate to make a personal call as well as send a thank-you note. The final contenders will have put even more effort and money into this effort. Showing appreciation is the right thing to do, and maintaining good relationships with the other vendors will be important if the deal with the number-one choice is not consummated or if proposals are sought from them in the future.

14.By the time the selection has been made, many of the terms and conditions of the SLA should have been decided.In fact, it might well be appropri-ate to begin discussions with those who are still under consideration on the agreement at the point the short list is named. However, it is not until the final selection is made that one can formally initiate serious negotiations of the SLA. This stage should not entail any surprises, but often does. Attention will not generally have been focused on this area, and when it is, new issues will surely arise.

15.This is also the time to perform an in-depth due diligence of the selected outsourcer.This is usually accomplished through one or more site vis-its; completion of questionnaires about such aspects as security posture and practices, network, and system architectures; typical processes for answering day-to-day questions; and procedures to respond to inci-dents (such as system outages or compromises). A very extensive and complete questionnaire, designed for U.S. financial institutions and called the “Expectations Matrix” is available on the BITS Web site at http://www.bitsinfo.org. The narrower the field of contestants, the more the analysis, so that with one choice to deal with, the effort to ensure that no problems will be uncovered later can be very large, depending again on magnitude and criticality of the project. It is important to remember here that these costs should have been antici-pated and included in the original outsourcing analysis.

16. Once the appropriate due diligence and analysis have been done, and the terms and conditions of the contract with preferred service pro-vider have been agreed to by everyone involved,the contract is executed and work begins on setting up the newly agreed-upon relationship.

17.The transition or conversion period during which a service is cut over from an internal to external provider, from another provider, or from “scratch,”

must be carefully and closely managed to ensure that it goes smoothly and meets everyone’s expectations. This phase should be fully scripted in advance with individual tasks, accomplishments, and milestones speci-fied in a project work plan. Progress should be reported against the plan, with mitigating actions being taken if gaps arise.

18.Once the transition has taken place, it is necessary to manage the relation-ship.This is accomplished in part by using metrics and scorecards to

168 Outsourcing Information Security

monitor performance on an ongoing basis. Regular contact, through meetings and interchanges, is critical for any such relationships.

Meetings require an agenda listing such items as reviews of perform-ance measures, highlighting of exceptions, discussions as to which measures are resolved and which are in process, along with notations as to when pending items will be completed. It is also necessary to report any material changes in either party’s condition, such as loss of key staff, mergers, acquisitions, and changes in business plan. Some changes might trigger actions as described in the agreement between the parties. For example, the acquisition of one or the other party by a third entity could activate an option to terminate the arrangement.² 19.Under normal circumstances, the term of the service agreement is a specific

time period, such as 1 year, 3 years, or even 10 years.Often the agree-ment automatically renews for a specified period unless one party or another takes action. Sometimes terminating a contract early and pay-ing a penalty makes sense rather than endurpay-ing inadequate service until an opportune end date. In any event, at some point in time, the parties must determine whether to renew or terminate the contract.

This determination consists of revisiting each of the prior evaluation steps, since much in the environment may have changed during the life of the service arrangement.

20.At this point, the parties to a contract must decide whether an auto-matic renewal or a renewal with minimal analysis will be instituted or whether the time is appropriate to reevaluate the whole arrangement in detail and consider other options.A simple renewal continues virtually all aspects of the relationship, except possibly for an increase in price, which is generally tied to some economic inflation factor. If the mar-ket price of such services has dropped, due to, say, the competitive impact of offshore services, the specific price of this service might be reduced if other factors remain the same. Invoking the termination of the agreement activates the evaluation process again, with concomi-tant RFIs, RFPs, and proposals, unless the customer organization has decided to exit that particular business.

Summary of the Outsourcing Process—Soup to Nuts ¹⁶⁹

2. In some cases, the option to terminate an agreement may be exercised due to something within the control of the service provider, such as dissatisfaction with the quality of service.

In other cases, the reason for termination may have nothing to do with service level or even relative cost. An acquiring party might have a similar service in-house to the one being out-sourced and want to consolidate these particular services in-house; or the acquiring company might be a competitor of the outsourcer or of the outsourcer’s parent company.

The evaluation of outsourcing opportunities has become a continuous process as new services become available, new sources of those services appear, and business takes on more of a global aspect. While the parameters will change and the answers will vary, the process remains the same. It behooves a nimble organization in a competitive market to keep its options open and its ability to

Dans le document Outsourcing Information Security (Page 190-198)