This paper examines the critical factors organizations should consider when hiring an information technology security consultant or outsourcing vendor. It discusses the six main technical tasks involved in IT outsourcing, the importance of matching consultant expertise to project needs, and the risks of theft, fraud, overconfidence, and miscommunication. The paper also highlights two factors frequently omitted from vendor selection specifications: the need for excellent communication skills and the requirement that consultants honestly acknowledge the limits of their expertise. Drawing on multiple academic sources, it offers practical guidance for managers seeking to reduce cost while maintaining security through careful vendor selection.
Organizations that outsource information technology (IT) hope to experience cost savings as well as a higher level of security. Unfortunately, many of them are disappointed with the experience, often due to having hired a consultant or vendor who failed to meet their needs. This essay argues that the credentials of the information security consultant are a crucial element in the hiring process and that specific qualifications should be evaluated before concluding any hiring decision. The discussion below examines the required characteristics of a vendor or information security consultant and identifies two factors that were omitted from standard specifications — factors that would add significant value to the selection process.
There are six main technical tasks involved in IT outsourcing (Rowe), and the vendor should be a specialist in one or more of them. A qualified consultant should be able to distinguish between these tasks and understand their different requirements. Furthermore, if a specialist identifies a problem that falls outside his particular area of expertise, he should be honest enough to acknowledge that gap and inform the manager accordingly. Matching the consultant's expertise directly to the project's needs increases the quality of the work and reduces costs. In this way, honesty and scrupulousness are crucial factors in effective vendor selection.
The consultant should also have a strong, verifiable reputation. It is difficult for firms to determine whether a vendor is fulfilling his duties or shirking them, since problems can arise even when the consultant is making every effort. There should therefore be open communication between manager and consultant, with the manager clearly specifying terms of liability and definitions of service quality (Rowe).
There is also the possibility of proprietary information theft, where the vendor could sell the employer's data to competitors, as well as post-contractual renegotiation, where the vendor may attempt to revise pricing after being hired. In extreme cases, the vendor could even declare bankruptcy following the engagement.
Thorough investigation should be undertaken into the vendor's qualifications, experience, and personal history. As outlined in the White Paper on oversight systems (2004), both intentional and unintentional threats can be introduced by vendors hired to manage IT systems. Beyond independent insider threats, employees may sometimes collaborate with vendors to gain access to inside information. Among the fraudulent schemes vendors can perpetrate is accessing the payroll system and manipulating wages — either their own or those of another payee.
"Sloppiness, self-interest, and overconfidence as hazards"
"Offshore options and cross-cultural communication risks"
"Communication skills and honesty about expertise gaps"