TORONTO – When it comes to an organization’s information security, having an IT strategy is critical. But surprisingly, one industry expert has encountered several chief information officers who relied on their outsourced IT providers for that responsibility.
“What’s the motivation for the provider to make things better for you?” asked Donna Hutcheson, information technology audit director with Energy Future Holdings Corp. She posed the question to an audience of information security professionals at this week’s ISACA (Information Systems Audit and Control Association) conference in Toronto.
Outsourcing providers cannot be relied upon to understand an organization’s business, know its policies, or know the demands of its leadership, said Hutcheson.
But in the event there is an IT strategy in place, then that strategy should also be subject to an occasional audit, she said. In particular, the organization should examine the problem the strategy seeks to resolve; whether the strategy reaches across, and doesn’t conflict with, all business units; the cost of maintaining the strategy; and whether the outsourcing provider knows of the strategy and is bound by it.
Conversely, an organization that buys outsourced services is often unaware of the complexity of such a relationship and what transpires behind the scenes on the provider side.
Often, an outsourcing provider will in turn outsource to a third party without the knowledge of the organization, said Hutcheson. Should something go awry, the business could find that the lines of communication between it and a third party may not be so direct and easy.
Furthermore, a problem may fail to be escalated or adequately addressed by the provider when, in turn, it has to pay its outsourcer to resolve issues that arise. She recommends including in the outsourcing contract that services cannot be outsourced to a third party.
But communication issues aside, an outsourcer outsourcing to a third party could mean that support for different parts of an organization’s business – IT infrastructure, database management, call centre – becomes globally dispersed. “What does that do to your contracts? That’s when the cultural issue comes back again and adds to your total cost,” said fellow presenter Patricia Milligan, associate professor with Baylor University’s information systems department.
Performing a forensic analysis across multiple jurisdictions could also prove tricky, added Milligan.
But to begin with, negotiating contracts can be tricky, said Hutcheson, in that negotiators seldom think in the long term. “Negotiators tend to go for what they see is the least cost today,” she said, adding that technology costs generally decrease with time. “So why negotiate a technology contract that locks in today’s prices?” asked Hutcheson.
Contracts should be written for long-term endurance, covering such things as baseline maintenance, new projects, decommissioning of services and applications, and the addition of new services and controls.
But taking an integrated approach to auditing business and IT services is especially necessary when those services are outsourced to different providers. That way, said Milligan, responsibilities won’t get lost between the providers, because “we tend to not audit the interface between the two.”