S 2.250 Determining an outsourcing strategy
Initiation responsibility: Top Management
Implementation responsibility: Specialists Responsible, Top Management
The commitment to an outsourcing service provider is usually long-term, cost-intensive at first, and poses many risks. It is therefore important to plan the outsourcing project well. In addition to the economic, technical, and organisational framework, the planning must also take security-related aspects into account. The following aspects should be considered in this regard:
- corporate strategy (flexibility, dependencies, plans for the future),
- feasibility study including a list of the general conditions,
- business and economic aspects with a costs/benefits estimate.
After initially considering the strategic aspects, it is necessary to determine which tasks or IT applications are generally good candidates for outsourcing.
The importance of the applicable legal framework must not be underestimated. For example, there may be laws generally prohibiting the outsourcing of certain core tasks of an organisation or that place far-reaching conditions on outsourcing and prescribe the involvement of regulatory authorities. In general, the client is still fully responsible for the services or products they provide to their customers or government offices, regardless of whether the client has outsourced individual areas of responsibility.
Unfortunately, the subject of information security is often neglected at the start of planning even though it is of primary importance. This applies to technical as well as organisational security aspects, which play an important role in the outsourcing scenario. In general, the following must be considered in this context:
- It is generally not easy to reverse the decision to use outsourcing once it has been made. The commitment to the service provider may be very long-term under some circumstances.
- The service provider has access to the data and IT resources of the client. The outsourcing client therefore loses sole and full control over their data and resources. Depending on the outsourcing project planned, this may also affect data with a high protection requirement.
- For the technical implementation of the outsourcing project, it is necessary to transmit data between the client and the service provider. This automatically poses a greater potential threat.
- In general, it is necessary for employees or subcontractors of the outsourcing service provider (and therefore outsiders) to work in the offices of the client. This also poses a greater potential threat.
- New processes and workflows need to be designed, introduced, and executed in the framework of an outsourcing project. The consequences of the changes necessary for this purpose must be estimated and clarified.
- Every outsourcing service provider is faced with a conflict of interests that should not be underestimated: On the one hand, they need to supply the services as economically as possible to maximise their profit; on the other hand, the client expects high-quality services, flexibility, and a customer-friendly attitude. Experience has shown that this is the most commonly underestimated aspect of outsourcing. While IT managers are usually very critical and cost-conscious and view the promises made by manufacturers and consultants with scepticism, the opposite can often be observed in the case of outsourcing. Here the client, expecting significant reductions of their IT costs, often falls all too easily for the advertising claims made by the service provider. However, experience has shown that the client can usually only expect to receive those services that were stipulated in the contract right from the start. If it then turns out that the service quality is inadequate because the client assumed that certain services would be provided while the outsourcing service provider did not, then improvements cannot generally be expected without high additional costs. Every IT manager considering outsourcing should take the time to calculate the cost of the services a service provider has agreed to provide, so that the client and contractor can both benefit from the contractual relationship. It may become apparent after making this calculation that it is highly unlikely that the service provider will actually be able to deliver a proper level of performance at the extremely low prices promised.
For this reason, an individual security analysis must always be performed to determine the outsourcing strategy. In the end, this is the only way to determine how to isolate and separate the existing business processes or information systems so that parts of them can be outsourced. In this early project phase, the security concept naturally only describes general conditions and does not contain any detailed safeguards. The security analysis should be performed according to the IT-Grundschutz methodology:
- A structure analysis should be performed first in order to determine the current state.
- After that, a protection requirements determination must be performed.
- Based on this, suitable security safeguards must be selected and adapted to the relevant general conditions of the outsourcing project. This also includes identification of the action required, the priorities, and the costs for the safeguards that are to be implemented. The results can then be taken into account when considering the efficiency of the outsourcing project.
If the protection requirements of important systems or applications are high or it is impossible to model the information system according to IT-Grundschutz, then a supplemental security analysis (e.g. a risk analysis) must be performed. If the security-related threats have already been analysed, then it is possible now to specify if and how these threats will be counteracted.
Ultimately, though, the outsourcing client will still need to bear a certain amount of residual risk. The results of the security analysis flow directly into the costs/benefits estimate.
Management must not only direct their attention to saving costs during the development of a promising, long-term outsourcing strategy. The effects of an outsourcing project on the ability to perform their tasks, the business model, and the service or product portfolio also need to be taken into account. Will standard workflows or core business processes be outsourced? It is important in this regard to ensure the organisation remains sufficiently capable of determining and controlling their own IT requirements. In particular, management should consider the development and maintenance of the IT systems and applications developed in-house.
The following information illustrates the advantages and disadvantages of outsourcing in terms of information security.
- Advantage: It is possible to establish new services (for example through diversification or expansion of the range of products). As a result, the specified security level must also be ensured for the new products.
- Advantage: There is more flexibility. Systems, resources, or personnel requirements can be adapted or expanded quickly, for example, because it may be possible under some circumstances to purchase these from the outsourcing service provider on short notice. Fixed costs can then be converted to variable costs in this manner. However, there may be new security problems involved due to the expansion (of IT systems, for example).
- Advantage: In the ideal case, it is possible through the outsourcing project to obtain a higher security level, since the service provider employs specialists who can operate new applications that are critical to security. In the area of information security in particular, a lot of time and great technical knowledge are needed to evaluate the flood of security information, security bulletins, update messages, and bug reports regularly coming in, to determine whether they are relevant, and to take the right steps quickly when needed. The increasing complexity of the hardware and software solutions offered on the market, constantly shrinking product cycles, increasing use of networking, and more demanding user requirements also make it extremely difficult to always strike the right balance between security and increased functionality.
- Advantage: Individual employees are often highly valuable, especially in companies or government agencies with small IT departments. If such employees are suddenly unavailable (due to illness or holidays) or leave the organisation, serious security problems can arise when there is no equally qualified substitute available for this person. In contrast, service providers generally employ a number of equally qualified experts that can substitute for each other in such cases.
- Advantage: In some organisations, outsourcing is often seen as the only way to overcome internal resistance to redesigning their business processes and IT systems. In the course of the outsourcing project, an organisation should clean up and standardise their heterogeneous system landscape.
- Disadvantage: If the expertise of the specialists employed by the outsourcing service provider is inadequate, then serious IT security gaps can arise. If the expertise required to monitor the level of security at the outsourcing service provider is not available internally any more either, then security gaps might even go unnoticed.
- Disadvantage: The decision to expand the range of services offered or the IT systems can no longer be made by the client organisation's management alone. The outsourcing service provider always needs to be included in the discussion. Service providers often compensate for the favourable conditions offered when the contract was closed by demanding higher prices to fulfil subsequent wishes or meet new requirements of the client. The resulting cost pressure often leads to cost cutting in the area of IT security.
- Disadvantage: The time and effort required to monitor the service quality must not be underestimated. When deficits are discovered in the quality, it may be difficult and time-consuming to correct the deficits, especially when there are differences of opinion between the client and the service provider. If questions relating to information security cannot be answered promptly because of this, then security gaps may be the result.
A comprehensive costs/benefits analysis is essential to the strategic and economic success of every outsourcing project; it is therefore important to know and correctly assess all parameters.
The strategic value of the following resources must be estimated based on the general conditions of the outsourcing project:
- expertise
- employees
- IT systems and applications
Studies and the experience of other organisations can supply valuable information when performing the costs/benefits analysis.
Finally, the outsourcing strategy must be documented. The goals, opportunities, and risks of the outsourcing project should be described clearly. It is also recommended in this context to integrate the experience gained in the course of an outsourcing project into the documentation of the outsourcing strategy. The documentation should also point out any bad decisions made and derive corresponding recommendations for the future.
Review questions:
- Does the outsourcing strategy take security-related aspects into account in addition to the economic, technical, and organisational framework?
- Is an individual security analysis performed for the outsourcing project according to the IT-Grundschutz methodology when determining the outsourcing strategy?
- Does the outsourcing client remain sufficiently capable of determining and controlling its own information security requirements within the outsourcing project?
- Are the goals, opportunities, and risks of the outsourcing project described in the documentation of the outsourcing strategy?