cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Newcomer I

Have outsourcing activities left us incapable of reacting to security incidents?

The Australian core government has outsourced it's IT workforce to the tune of nearly 4,000 people; so what has happened here in New Zealand?

Over the last decade we have had a series of "restructure consultations" where the outcome is the same. A whole internal IT team is broken up into components where the lions share of the services are pushed out to a third party. The remainder are either just managing the third partys or doing something the third partys don't do.

In the past this has been services like service management being favorites to outsource, others like application development depend on who has the right skills to do it.

Irrespective this just leaves a few people in the business and most elsewhere.

This now means we can't fix anything ourselves and have to wait to the "leveraged" third party to get round to our job.

Security obviously is affected as our paramount need is to understand our risks, and be able to manage them.

Can we do this with just the few people left ??

https://www.itnews.com.au/news/canberras-biggest-agencies-reveal-size-of-outsourced-it-workforce-553...

4 Replies
Highlighted
Advocate I

Re: Have outsourcing activities left us incapable of reacting to security incidents?

It is a common problem where an organisation is hollowed out by outsourcing and there are insufficient people within the customer organisation with the right skill set or capacity to effectively manage the outsourced organisation.  

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Highlighted
Contributor I

Re: Have outsourcing activities left us incapable of reacting to security incidents?

@linzeeb wrote:

The Australian core government has outsourced it's IT workforce to the tune of nearly 4,000 people; so what has happened here in New Zealand?

Over the last decade we have had a series of "restructure consultations" where the outcome is the same. A whole internal IT team is broken up into components where the lions share of the services are pushed out to a third party. The remainder are either just managing the third partys or doing something the third partys don't do.

In the past this has been services like service management being favorites to outsource, others like application development depend on who has the right skills to do it.

Irrespective this just leaves a few people in the business and most elsewhere.

This now means we can't fix anything ourselves and have to wait to the "leveraged" third party to get round to our job.

Security obviously is affected as our paramount need is to understand our risks, and be able to manage them.

Can we do this with just the few people left ??


What's been your experience with having your company outsource IT services?

 

Mine has been fairly positive but there have been some draw backs. The main benefit has been allowing me more time out of the trenches. For example, I can focus on staff development, strategic planning, and projects more often. It allows me to be more of a generalist so to speak. Ticket completion times are longer but it was to be expected. 
   

Highlighted
Advocate I

Re: Have outsourcing activities left us incapable of reacting to security incidents?

The experience depends on the outsourcer and arrangements put in place to manage them.  I guess the general rule is don't outsource a mess.  You'll pay a high price and the outsourcer is likely to tie you to legacy arrangements which may not support your business of IT direction for a time.  Also don't outsource your crown jewels that you derive your competitive advantage from.

 

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Viewer II

Re: Have outsourcing activities left us incapable of reacting to security incidents?

I second the "experience" perspective on outsourcing.  Over the years, I've seen companies completely outsource their IT (both hardware and personnel), only to decide to completely bring it back in house, or do something in-between like own the hardware, but outsource a notable number of IT personnel.  Along the way, I've seen outsourcing vendors do great jobs, but I've seen other outsourcing vendors completely take advantage of the power they have over clients in regards to charging premium prices for less than premium service quality.  I've also consulted to clients who asked for my help in planning for and actually pulling back services from an outsourced vendor the client lost confidence in.

 

I tend to recommend a "middle ground" approach.  Don't be afraid of outsourcing, but at the same time be sure to maintain at least a "core" IT expert competency so that you know when an outsourcing vendor no longer has your best interest at heart.  Also always be sure to maintain an approach that allows you to "pull back" control over any outsourced services if the outsourcing vendor has lost your confidence (this last sentence is easier written than done).