This paper presents a comprehensive business intelligence plan for outsourcing and offshoring a firm's information security operations to third-party providers. Set against the backdrop of globalization and the comparative advantage theory, the plan examines the technical, financial, and operational rationale for transferring information security functions (including hardware, software, service delivery, and knowledge management) to an external organization. It outlines estimated costs, coordination structures, training requirements, and auditing approaches. The paper concludes with recommendations on researching destination countries and companies, and on managing the confidentiality and operational risks inherent in outsourcing sensitive IT security activities.
The international economic community has been focused on the financial crisis that commenced within the United States and soon spread across the rest of the world. Additionally, recent emphasis has been placed on the political unrest in the Middle East and Africa, such as in Egypt and Libya, whose primary impact materialized as an increase in the price of crude oil (Nunnally, 2011). However, before these two sets of concerns were raised, the economic community centered its attention on one simple word: globalization.
Globalization is the phenomenon that allowed the propagation of the financial crisis from the United States to the rest of the globe, and it is also the phenomenon that made it possible for rebellions in the Middle East and Africa to impact the broader global community. Globalization is generally understood as a mechanism that allows economic, political, technological, and other values to transcend boundaries and affect corresponding values in other global regions. This process is often referred to as westernization or Americanization, in reference to the trend of western and American values impacting the rest of the global community, with relatively little globalization flowing from the eastern hemisphere to the western one (Beck, Sznaider, and Winter, 2003).
Despite the varied approaches to globalization, the phenomenon has generated a series of significant changes within the business community. The most relevant example is the fact that globalization made possible the implementation of David Ricardo's theory of comparative advantage. With the aid of globalization, economic agents became able to transcend boundaries and benefit from the comparative advantages of other countries (Goldstein, 2007). Some of the most relevant of these advantages include cost-efficient labor forces, highly skilled workforces, and abundant natural resources. Capitalizing on countries' comparative advantages is most commonly achieved through processes of outsourcing and offshoring.
In light of this context, the current plan strives to outline a strategy for the outsourcing and offshoring of information security operations from the firm to companies in emerging economies. In constructing the project, several issues are raised and addressed, including:
As all these issues are addressed, the plan concludes with a section on conclusions and recommendations. The conclusions subsection restates and consolidates the most important findings. The recommendations subsection offers a series of considerations to be taken into account before actually launching the outsourcing and offshoring processes.
At a primary level it is necessary to distinguish between the two concepts. From a general standpoint, outsourcing and offshoring are related in that both imply the economic agent relinquishes completion of specific activities in-house and has them performed by third parties. The difference lies in the location of the destination firms. In the case of outsourcing, the company delivering the services could be located in the same city as the firm or in a nearby region. In the case of offshoring, the destination company is located in a different country, overseas. The following definitions clarify each concept:
"Outsourcing is an activity where the supplier provides for the delivery of goods and/or services that would previously have been offered in-house by the buyer organization in a predetermined agreement" (Tho, 2005).
"Offshoring occurs when companies move processes and productive factors abroad, whether they are conducted by separately owned suppliers (offshore outsourcing) or by fully owned (captive) subsidiaries. Almost always work is moved to locations with lower costs" (Beutler, 2009).
As indicated in the definitions above, the primary reason in favor of outsourcing and offshoring is the ability to reduce operational costs. This would represent the number one priority on the company's agenda. Through outsourcing information security activities, the firm would be able to complete the same functions under more financially favorable circumstances.
The organizations to which the information security operations would be transferred would deliver services at lower costs. The transfer of operations to another company, whether domestic or offshore, generates financial gains at the following levels:
All of the above situations generate cost savings at the organizational level, and those savings can then be redirected to support the firm's development in other areas, such as customer interactions and increasing levels of customer satisfaction. Aside from cost savings, however, the decision to outsource and offshore information security operations is also grounded in the operational benefits such a resolution creates. Information security activities are not the focal point of the organization; they represent a secondary function that supports the company's main lines of business. By eliminating this secondary set of operations from internal management, the firm would gain more time, energy, and resources to focus on its core processes and develop competitive strengths. Outsourcing and offshoring information security therefore not only generates cost savings but also creates a setting in which the firm can improve its competitive position through sustained focus on its primary operations.
According to a recent survey, outsourcing and offshoring operations are pursued not only for cost efficiencies but also for their ability to:
With all these benefits in mind, the recommendation is to outsource information security operations to a third party, particularly a firm specializing in such operations, based on the previously outlined strategic benefits of this decision.
A major benefit of outsourcing is that the organization is no longer obligated to technologically maintain its own information security infrastructure. The firm would no longer need to constantly update hardware and software, refresh services, or continuously develop internal knowledge. All such operations would be completed by the new partner to whom these functions are outsourced.
The technical hardware required for information security is extremely complex, expensive, and often difficult to maintain. The organization has constructed its infrastructure on multiple servers and computers that monitor the information handled within the firm. The purpose of this technical hardware is to protect "machines and peripheral hardware from theft and from electronic intrusion and damage" (Answers, 2011).
Like all technological hardware, these systems are easily rendered outdated by the latest developments. These developments, integrated through updates, are enormously beneficial for the firm as they generate efficiencies. Nevertheless, they are also costly and can be difficult to purchase and implement (Jaffe and Lerner, 2004). Situations have been encountered within the organization in which an investment in technical hardware only generated a return several months after its implementation, at which point new updates were already available. In some cases, an update generated no measurable financial benefit, yet was still necessary to prevent a weakening of the firm's competitive position.
In a context where information security operations are transferred to a different organization, the firm would no longer have to manage the burden of technological updates, as these would be handled entirely by the partner firm.
At the software level, the company has traditionally used an in-house intranet, defined as follows: "Intranets are in-house, platform-independent Web sites that serve the employees of the enterprise. Although intranet pages may provide links to the Internet, an intranet is not a site accessed by the general public" (Housel and Hom, 1999).
In addition to the intranet, the company uses a wide array of anti-virus programs, firewalls, and virtual private networks. These software applications screen the information flowing between all organizational computers (Answers, 2011). Software protection operations are made more complex by the organization's support of telecommuting, which allows some staff members to work from remote locations and access company information from outside the firm, raising additional challenges for software-based information security management.
The information security software requirements generate a constant need for updates. Analysis of existing data has revealed that software updates are completed on average twice per year, meaning that every six months, the firm must allocate resources not only to actual software purchases but also to installation and staff training, further increasing costs and generating organizational inefficiencies.
Outsourcing information security operations to a third party would shift these update expenses to the service provider, which would distribute those costs across all of its clients. This results in higher efficiency for both the firm and the selected service provider.
Information security services are currently provided by 15 company employees: five in charge of hardware operations, eight responsible for software processes, and two managing administration and oversight of information security operations. These individuals generate additional organizational costs that could be reduced once operations are outsourced or offshored. The average monthly income of an employee in the information security department is $7,000, totaling $84,000 per year per employee, or $1,260,000 per year for the entire department.
These are only the direct costs; additional expenditures such as benefits, bonuses, and incentives further increase the total. Once the internal provision of these services is transitioned out, the company would generate significant savings. Furthermore, rather than downsizing staff members, the firm would strive to integrate them into new positions within the organization. This would allow previous information security personnel to support organizational efficiency goals in other ways that capitalize on their IT expertise.
Information security is an extremely dynamic field in which threats continually evolve. Just as protective programs develop, intrusion techniques also advance as hackers continually intensify their efforts to gather information. This generates a need for individuals handling information security to be continuously trained and updated on new knowledge that allows them to identify and mitigate risks of information theft. Additionally, the need for knowledge acquisition extends beyond security threats to the operational level as well (Stamp, 2006).
Staff members must be able to operate hardware and software in the most efficient and effective manner, and they must be allocated time to learn how to use updated devices and programs. This need becomes increasingly pressing as technical hardware and software applications are continually updated.
It could be argued that the firm would lose a competitive advantage by relinquishing its private information security department and its accumulated knowledge base. However, this loss is insignificant compared to the gain achieved, which would support the company in creating more sustainable competitive advantages centered on its core operations. The knowledge held by current information security employees would be capitalized upon through the creation of a smaller team of specialists who would collaborate continuously with the service provider, transferring necessary knowledge and ensuring that operations are developed and implemented with a sustained focus on the organization's needs.
The success of the outsourcing and offshoring endeavor depends critically on the creation of a highly skilled and competent launch and analytical team. The role of this team would include:
The following cost estimates have been developed for the proposed project:
These costs are lower than those currently incurred through internal information security operations. Additionally, the costs are elevated only in the first year due to the transition process and are expected to decrease in subsequent years. A higher return on investment is accordingly anticipated beginning in the second year of outsourcing and offshoring.
Control and coordination of the outsourcing process would be ensured by a newly formed team drawn from existing organizational staff members and created specifically for this purpose. The supervisory team would be composed as follows:
The team would convene as necessary and would report to the Board. Its purpose would be to ensure a smooth transition to the service provider and to verify that the information security services delivered are efficient and of the highest quality. In order to meet these objectives, the coordination team would also meet regularly with representatives of the service providing company. These meetings would focus on establishing the terms of cooperation to support mutual benefits and to ensure that the service provider fully complies with the needs and requirements of the organization.
As noted throughout the previous section, the organization's training needs would decrease significantly following the outsourcing and offshoring of information security, leading to substantial cost savings. Nevertheless, some training programs would still need to be developed and implemented, targeting the members of the team designated to maintain technical relationships with the service provider. Following the transition, the firm would select five members of the current information security department and train them on how to interact with service providers.
The role of these individuals would shift from directly completing technical tasks to supervising the means by which the service provider completes those tasks. Given the nature of these new responsibilities, team members would be subjected not only to technical training but also to managerial and interpersonal skills training. This latter category of training would ensure that staff members are best equipped to interact and communicate effectively with employees at the service providing company (American Society for Training and Development, 1998).