Wednesday, August 10, 2022

Understand your outsourcer: ISACA

TORONTO – When it comes to an organization’s information security, having an IT strategy is critical. But surprisingly, one industry expert has encountered several chief information officers who relied on their outsourced IT providers for that responsibility.

“What’s the motivation for the provider to make things better for you?” asked Donna Hutcheson, information technology audit director with Energy Future Holdings Corp. She posed the question to an audience of information security professionals at this week’s ISACA (Information Systems Audit and Control Association) conference in Toronto.

Outsourcing providers cannot be relied upon to understand an organization’s business, to know its policies, or to grasp the demands of its leadership, said Hutcheson.

But in the event there is an IT strategy in place, then that strategy should also be subject to an occasional audit, she said. In particular, the organization should examine the problem the strategy seeks to resolve; whether the strategy reaches across, and doesn’t conflict with, all business units; the cost of maintaining the strategy; and whether the outsourcing provider knows of the strategy and is bound by it.

Meanwhile, an organization that buys outsourced services is often unaware of the complexity of such a relationship and of what transpires behind the scenes on the provider side.

Often, an outsourcing provider will in turn outsource to a third party without the knowledge of the organization, said Hutcheson. Should something go awry, the business could find that the lines of communication between it and a third party may not be so direct and easy.

Furthermore, a problem may fail to be escalated or adequately addressed by the provider when the provider, in turn, has to pay its own outsourcer to resolve the issues that arise. She recommends including a clause in the outsourcing contract stating that the services cannot be subcontracted to a third party.

But communication issues aside, an outsourcer outsourcing to a third party could mean that support for different parts of an organization’s business – IT infrastructure, database management, call centre – becomes globally dispersed. “What does that do to your contracts? That’s when the cultural issue comes back again and adds to your total cost,” said fellow presenter Patricia Milligan, associate professor with Baylor University’s information systems department.

Performing a forensic analysis across multiple jurisdictions could also prove tricky, added Milligan.

But to begin with, negotiating contracts can be tricky, said Hutcheson, in that negotiators seldom think in the long term. “Negotiators tend to go for what they see is the least cost today,” she said, adding that technology costs generally decrease with time. “So why negotiate a technology contract that locks in today’s prices?” asked Hutcheson.

Contracts should be written for long-term endurance, covering such things as baseline maintenance, new projects, the decommissioning of services and applications, and the addition of new services and controls.

Taking an integrated approach to auditing business and IT services is necessary, especially when those services are outsourced to different providers. That way, said Milligan, responsibilities won’t get lost between them, because “we tend to not audit the interface between the two.”

Jim Love, Chief Content Officer, IT World Canada