Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Books Media Security Businesses Book Reviews

Outsourcing Information Security 196

Ben Rothke writes "Outsourcing information technology has been the rage over the last decade, to the degree that there are not enough bodies in Bangalore and Mumbai for companies such as Wipro, Infosys and Tata to hire. The problem is that many companies have gone down the road of outsourcing without performing the proper due diligence. Rather than saving money, many organizations have found that outsourcing ultimately is much more expensive than keeping security functions in-house, in addition to other negative consequences." Read on for the rest of Rothke's review of Outsourcing Information Security.
Outsourcing Information Security
author C. Warren Axelrod
pages 248
publisher Artech House
rating 10
reviewer Ben Rothke
ISBN 1580535313
summary Examines security risks related to IT security outsourcing

When it comes to the outsourcing of information security functions specifically, the situation is even worse. Far too few organizations know the inherent risks involved with outsourcing security, and don't properly investigate what they are getting into. The same company that makes it nearly impossible for an employee to enter the office supply closet to get much needed toner cartridge will outsource their intrusion detection, email and firewall systems without a blink.

One of the many reasons companies turn to security outsourcing and managed security services providers (MSSP) is to use their limited internal security staff for more interesting areas such as web development, VPN and e-commerce applications. They will then outsource the boring activities such as firewall and IDS monitoring and maintenance to a MSSP.

Given that activities such as firewall monitoring and administering an IDS in large enterprise requires 24/7 support, it is not unusual for a company to want to outsource such activities; monitoring and administering are not core functions of most organizations.

The trouble comes from the lack of due care often given to choosing a MSSP. With that, Outsourcing Information Security is a long-overdue book that asks the questions that are necessary before an organization decides to outsource any information security function.

The author's general tone is against the outsourcing of information security; but provides readers with the various benefits and risks involved in outsourcing security, and let's them ultimate decide if outsourcing security is right for their organization. It is the reader who must define, evaluate and manage those risks and determine if outsourcing is a viable solution. These include technology, business and legal risks.

The book comprises nine chapters and three appendices totaling a bit under 250 pages. The first two chapters provide a good introduction to and overview of outsourcing and information security, and the associated security risks.

Chapter 3 details various reasons why outsourcing information security makes sense. The chapter includes various tables and references to the many reasons why a company would want to outsource security.

Chapter 4 takes the other side and analyzes the risks of outsourcing. The chapter details the traditional risks, in addition to other factors such as hidden costs, broken promises, phantom benefits and more. The book shows that while many organizations hand over information security responsibility to their MSSP, when things go wrong, they can't effectively blame the MSSP. When things go wrong -- and they will -- all of the fingers in the world can be pointed at the MSSP, but the ultimate responsibility falls on the organization itself. With outsourced security, if something goes wrong, those fingers will point back to the company's security manager, not the incompetent firewall administrator in Bangalore.

The chapter provides a balanced look at the risk of outsourcing, and while calm in its overall approach, the chapter should at least make the person considering outsourcing information security think twice. In fact, the author concludes the chapter by stating "when all of the risks of outsourcing are considered, one wonders how anyone ever makes the decision to use a third party." Nonetheless, there is plenty of evidence that many security activities are indeed outsourced to MSSP, and are often satisfactory from both the buyer's and seller's perspective.

Chapters 5 and 6 provide a thorough summary of the costs and benefits of outsourcing, and provides a method with which to categorize them. The chapter is well suited for a CFO with its discussion of direct vs. indirect costs, controllable vs. non-controllable costs, and much more. These two chapters show that creating meaningful financial numbers to see if outsourcing makes financial sense is not such an easy task. It is important to understand that outsourcing sometimes makes financial sense, but certainly not all the time. For those organizations that don't crunch the numbers seriously at the beginning, these costs can later come back to haunt them in a big way.

Chapters 7 and 8 detail the processes involved in commencing an outsourcing project, from requirements gathering to placing policy against the outsourced company. A mistake many organizations make is failure to ensure that the MSSP is abiding by the client's information security policies, rather than their own.

Similarly, one of the most overlooked areas of outsourcing information security functionality is regulation. A U.S. company may be under numerous regulations, from HIPAA to Sarbanes-Oxley, GLBA, SEC and more; when they outsource their security functionality, the remote technician may not be under the jurisdiction of the SEC; but the corporate data still must be protected according to those regulations.

The main part of the book concludes with chapter 9, which provides a 20-step process to determine if an outsourced security solution is appropriate. In seven pages, the author specifies the various events, tasks and steps that make up the typical outsourcing project.

Appendix A provides a breakdown of the various services that can be outsourced, with Appendices B & C providing brief histories of IT Outsourcing and Information Security.

The only downside to the book is its $85.00 price, which is at the high-end for technology and business books. While the price is high, the book is a huge value for anyone considering outsourcing security. The book asks the questions that are often never asked, and details how the outsourcing of information security is not the slam-dunk that the MSSPs often portray it to be.

For those who know what their security issues are and look to outsource their security functionality to a trusted MSSP, Outsourcing Information Security shows how it can be done. On the other side, for those who are drunk with the panacea that outsourcing security is supposed to provide, Outsourcing Information Security will be a sobering wake-up call.


You can purchase Outsourcing Information Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, carefully read the book review guidelines, then visit the submission page.

This discussion has been archived. No new comments can be posted.

Outsourcing Information Security

Comments Filter:
  • good! (Score:2, Funny)

    by Mako.h ( 809438 )
    serves them right. keep it in america!
    • Just finished Mitnick's "The Art of Deception". It gives me mixed feelings about outsourcing security. 1. Security should never be outsourced offshore, 'cuz offshore entitites are really beyond reach of our law. 2. Outsourced (onshore) security may be a good thing since the staff may be more immune to social pressure.
  • For me... (Score:5, Insightful)

    by FiReaNGeL ( 312636 ) <fireang3l@@@hotmail...com> on Thursday November 04, 2004 @06:33PM (#10729170) Homepage
    To me all the outsourcing problems can be resumed to a simple allegory : cooking.

    Home-cooked and cafeteria; sure you'll eat just fine at the end of the day, but chances are the cafeteria food will taste bad, cost less in the short term (efforts + money) but more in the long term, and doesn't have the nice 'home' feeling.

    And you're never sure if the cook is on a bad day and spit in your soup (security allusion, for those who don't get it).
    • by Rosco P. Coltrane ( 209368 ) on Thursday November 04, 2004 @06:40PM (#10729223)
      To me all the outsourcing problems can be resumed to a simple allegory : cooking.

      That's right: I just had papadams, lamb vindaloo and a kingfisher tonight and I can really feel outsourcing going on in my tummy!
    • Outsaucing (Score:2, Funny)

      by (void*) ( 113680 )
      Because without it, my cooking would be so bland.


      Sorry, the joke was just waiting to be said.

    • My advice to you is to stay away from the clam chowder.
    • by Tablizer ( 95088 )
      Home-cooked [vs.] cafeteria.......And you're never sure if the cook is on a bad day and spit in your soup

      But, sometimes if my wife is pissed at me, I am a little suspicious and think about eating out.

      - Mr. Clinton
      • Feminist hat: Since "wife" is apparently a code word for "domestic drudge", my advice is to change your insurance beneficiary and check for almond odors.
    • Re:For me... (Score:2, Insightful)

      by JanneM ( 7445 )
      But of course, if cooking isn't your speciality, then going to a real restaurant, which, while more expensive than cooking at home, will give you a dinner of a variety and quality in flavour and presentation you just wouldn't have been able to achieve by yourself.

      Doing something like security badly may be far worse than letting someone else do it well.

    • Re:For me... (Score:2, Insightful)

      by fatjesus ( 703825 )
      Interesting that you should say that. "Food" is tangible. Services are not. This is why so many American's have such a hard time understanding how outsourcing can improve the American economy.

      The point I always try to emphasize to people is that the you can benefit from trade in services in precisely the same way that you benefit from the trading of goods. The law of comparitive advantage still applies.

      Although, what you say is true. There are some added risks to "ordering out", but that doesn'
  • by Rosco P. Coltrane ( 209368 ) on Thursday November 04, 2004 @06:35PM (#10729179)
    cannot be complete without chapter 11.
    • cannot be complete without chapter 11.

      Which is what you're likely to get if you turn the keys to the company over to people without any personal interest in the company or its future. Of course the CEO will then use his/her golden parachute and retire to spend more time with their family after all that exhausting CEO-ing.

  • by Anonymous Coward on Thursday November 04, 2004 @06:37PM (#10729199)
    My President says so.

    • by erick99 ( 743982 ) <homerun@gmail.com> on Thursday November 04, 2004 @06:40PM (#10729224)
      Outsourcing began with the policies of Clinton late in his first term and into his second term. His policies made sense then and they do now. How companies use outsourcing, however, can be a problem for workers. When it gets to the point that companies have laid off enough workers, they will realize that the workers are customers of the economy and without jobs people don't buy much. Outsourcing is not something you can drop at the feet of a president, though.
      • Thank you. I've been saying the same thing for years to all of the Bush bashers who have short term memory and don't even remember most favored trade status to China or NAFTA.
      • True, the outsourcing method did start achieving refinement in the 1990s. It was in no small way due to the pervasiveness of the Internet, which convinces people that they have more managerial control across the world ... but it is undeniable that the Clintonesque business environment also offered significant advantages for those willing to become global instead of national.

        But, outsourcing really swelled as a fad after the 911 attacks. I think of outsourcing and offshoring now as a businessman selling short on America ... by drawing down his investments in America and moving them to safer areas ("safer" = safer for growth and safer for profit retention). Any Socialist movement whatsoever in America will continue to repulse businessmen in this new mentality, and hence cause even further capital flight.
        • Any Socialist movement whatsoever in America will continue to repulse businessmen

          You don't have to worry about that. The chances of a genuinely 'Socialist' movement within the United States having any notable influence are nil.

          Or perhaps you meant 'socialist' as shorthand for anything even slightly against the grain of the free market. No American government has ever been remotely socialist; it's all right-wing, just a question of degree.

          BTW, do you seriously think that the risk from terrorism is an
          • perhaps you meant 'socialist' as shorthand

            Yes, I did. However, this thing with your statement:

            [n]o American government has ever been remotely socialist; it's all right-wing

            ... fails to identify that there's a lot of socialist policy in all levels of American government. If there are degrees of Capitalism, then by definition the remainder is some degree of Socialism. Look at the Federal gas tax ... on a balance, some states pay in, others get paid. All schemes to redistribute wealth are Socialis
            • What you may have intended to convey is that this "free market" crap is gaining significant mental market share

              What I intended to convey (with no moral judgement) is that America has never been anything close to a socialist society. Americans themselves may disagree, but with respect, US political opinion is skewed to the right (relative to the rest of the world overall) and anything smacking of government interference is likely to be labelled "socialist", "communist" or whatever. Some moderately left-wi
      • by vsprintf ( 579676 ) on Thursday November 04, 2004 @07:35PM (#10729712)

        When it gets to the point that companies have laid off enough workers, they will realize that the workers are customers of the economy and without jobs people don't buy much.

        Companies don't outsource jobs, company executives outsource jobs. Companies don't "realize" anything, and the CxOs don't care. Why don't people understand that the so-called *leaders* of corporate America (and government) don't care about anything except personal fortunes? Once they've got theirs, they couldn't care less what happens to the company or the "workers". How many executives have to be indicted or jailed before it's obvious? (And those are only the ones stupid enough to get caught.)

        • Why don't people understand that the so-called *leaders* of corporate America (and government) don't care about anything except personal fortunes?

          What about the second wealthiest person in America [forbes.com]? What about the members of Responsible Wealth [responsiblewealth.org]? What about Gordon Moore, who in addition to founding Intel, has been giving away huge sums of money for decades? What about these 50 philanthropists [businessweek.com]?

          As for politicians, having worked in Washington, D.C., I can tell you that the vast majority of the elected and ap

      • Outsourcing can be internal (to the United States) and almost as bad as moving the work off-shore. For example, a major contractor at a GOCO is replaced with 13 contractors, each of whom got their piece of the bid by offering to lower the costs of operation. How do they lower it? 3 companies kept the pay and benefits of the old contractor. In the other 10 companies the employees lost their pensions to start, then the cost of healthcare insurance went up 10x from the former rate. Any new work gets assig
      • His policies made sense then and they do now.

        I would like to hear the explanation of this statement.
    • That's why he lost to Bush by 3,000,000 votes Tuesday.

      <mods, it's a joke. laugh.>
    • Ultimately he may be right - somebody has to clean up the mess, and the lawyers will have a field day the first time an outsourcing agency loses, or loses control of your medical records.
  • At 85$ a go (Score:5, Insightful)

    by Timesprout ( 579035 ) on Thursday November 04, 2004 @06:42PM (#10729238)
    Those books should be pretty secure on the bookstore shelves.

    That aside though I think its about time people quit whining about how inherently evil outsourcing is. Many companies outsource everything from cleaning and security to payrole and management advise.

    Of course if you outsource security there is a risk, just the same as you risk one of your own employees fucking you over if you keep it in house. Proper investigation and dilligence are required. Thats not to say outsourcing is an inherently bad thing. In many cases companies will gain from outsourcing to specialist companies who can offer greater competency than could be achieved inhouse.
    • by myc_lykaon ( 645662 ) on Thursday November 04, 2004 @07:02PM (#10729414)
      Don't worry, there's an Indian version of this book available for $1.75.
    • Thats not to say outsourcing is an inherently bad thing. In many cases companies will gain from outsourcing to specialist companies who can offer greater competency than could be achieved inhouse.

      That's probably because most often, when word "outsourcing" is used, people think it means off-shoring for cost savings: moving your operations to a third-grade third-world place, costing a fraction of original cost, and getting at most what you pay for. They do not think of it as simple task of calling the plu

    • All true, but having a good notion of outsourcing risks isn't the same as having a good way of evaluating those risks or a good plan to put into practice. You might want the book to help arrive at that point.
    • Re:At 85$ a go (Score:3, Insightful)

      by Not_Wiggins ( 686627 )
      You're oversimplifying the risks.

      There are substantial differences between an outsourcing company and a local employee:

      1)
      The laws governing an outsourced company are the laws of their native country. Forgive me for saying so, but most of the "popular" outsourcing countries have weak fraud/theft protection for American companies.
      -vs-
      With a local employee, they steal from you, they're going to lose their job, go to jail, and suffer serious consequences.

      2)
      With an outsourcing company, they generally pay the
      • Re:At 85$ a go (Score:2, Informative)

        by Tablizer ( 95088 )
        Good points. Mod up.

        I remember reading about a US company that tried to prosecute a worker in their India subsidiary for fraud and gave up. The legal firm they hired appeared to be taking advantage of the company's naivity about Indian law and culture, and the courts were so backlogged such that it could take decades to prosecute.

        As bad as our court/legal system is, India's is much worse. Part of it is also that inter-country lawsuits take longer to prosecute in general.
    • IS that many companies fail to actually do a real cost analysis on it. They buy in to the base cost figure of the outsourcing, and forget to account for any additonal costs. Then it ends up costing more and giving worse results, as well as putting people out of jobs.

      Outsourcing is fine when it actually saves money and gets better service. I know many small companies that outsource their tech support. They can't afford to keep a fulltime tech guy since they have too few computers. So they have a local tech
  • Secrets for Sale. (Score:4, Insightful)

    by Anonymous Coward on Thursday November 04, 2004 @06:43PM (#10729247)
    Ask yourself this. Were do you want your secrets to reside?

    Who do you trust to watch them?
  • by Anonymous Coward on Thursday November 04, 2004 @06:44PM (#10729249)
    No matter where the seed lies now a days companies have gown much bigger than the nation itself. Companies have become multinational trananational and their products and suppliers are all intetwined spanning multiple countries. So like it or not work is also going to be distributed and spread over many nations. Protection of intellectual properties and the like has to be developed within the organisation in consultation with the service provider or third party vendors. Taking an lazy outsiders look into the internal workings of an multinational company will not help to understand the extent of globalisation in every activities.
  • Contrary to popular belief there is not a cracker/hacker/meanie in the world that actually wants to steal your data. Data is worthless. There is not a single market for it, even stuff that seems to be really valuable.

    "But but but, I have lots of top secret plans for our X14 prototype for the new product line..."

    Nope, Not Interested. The data on your new product line is a trade secret, and even if your biggest competitor didn't already think thier own product is superior, being caught with the data coul
    • by the-build-chicken ( 644253 ) on Thursday November 04, 2004 @06:58PM (#10729374)
      I disagree...I know many business managers that would happily accept information of their competitors upcoming marketting campaigns/products.

      Not everyone is as logical as you are...not everyone sees or expects a downside.

      And for a lot of people, having that edge can be worth significant bonuses in their pay packet, and is worth the minimal risk of getting busted.
      • I not only know it from inference, I've seen it, at very high levels at a former employer. I was told once not to question how a particular document was obtained, but to read it and figure out a counter-strategy before product X came to market.

        So yeah, the original poster is dead wrong. Corporate espionage is very real, although usually it's done through much more mundane things - like buddying up to someone who does business with both you and Competitor X, and convincing him that violating his NDA and g
    • by Rosco P. Coltrane ( 209368 ) on Thursday November 04, 2004 @07:02PM (#10729419)
      No, nobody wants your data, get that through your head!

      You my friend need to do a reality check. People out there want your data. However meaningless items of data. *BAD*.

      * Spammers want your email, as you point out
      * Marketdroids want your consuming habits
      * Health insurance folks want your latest medical checkup and your average cigarette consumption
      * Car insurance companies want your tickets and warnings
      * Pedophiles want your kids' school timetables
      * The IRS want your overseas banking records
      * Bubba from da 'hood wants to know when you take holidays

      Please get real...
    • Look, you can't just wish away industrial espionage and credit card fraud. Maybe it's not a huge issue over at Little Caesars, but it's been a pressing concern for every company I've ever worked for.
    • Troll or uninformed bullshit.
    • Industrial/Corporate Espionage happens all the time. To think otherwise is nieve and foolish. Everybody wants your data because there is a chance there it contains something worth a ton of money/market share to someone else.
    • Getting caught by the SEC means JAIL TIME for rich white men.

      But the thing is... you have to get caught by SEC. I always wondered about this one:

      SEC: How did you know about the merger?
      Me: An angel came to me in a dream and told me to buy MergingCo, so I did.
      SEC: That sounds awfully convenient...
      Me: Can you prove any wrongdoing?
      SEC: Why, yes. You just confessed. You and the angel will go to jail for insider trading.

      IANAL.
    • nobody wants airline scheduling and capacity info either,
      boring stuff...


      Air Canada claims that "espionage on a massive scale" took place at the home of WestJet vice president Mark Hill. It wants to search WestJet's records for evidence that WestJet used information from an Air Canada employee-only website to plan its flight schedule and expansion.

      ...


      In court documents, Hill has admitted that he did access the Air Canada employee-only website using the password and PIN of a former Air Canada employee

  • Due Diligence (Score:2, Insightful)

    by Agilis ( 796661 )
    Do it yourself, or pay someone else to do it, since when did either case not involve doing your homework properly? The only bad thing about outsourcing security is that managers think they can get away with doing less homework than doing it in house. Otherwise, it's a perfectly valid option.
  • by Anonymous Coward on Thursday November 04, 2004 @06:53PM (#10729329)
    There is a big debate in Canada about outsourcing to US based companies due to the fact that the Patriot Act allows the FBI access to databases. Canada has fairly strict privacy laws and the liability of sending this information to the US could be big since there is no way for a US company to refuse the FBI access. The British Columbian government is still thinking of going ahead with sending of medical information down to the United States. It should be an interesting election day issue come next April when the voters go to the polls for the local elections...
  • I'm willing to consider the pros and cons of outsorcing a particular activity.

    But the second one starts preaching the increased unemployment here, or the poor conditions there, I walk away...

  • sounds redundant to me.
  • by Tablizer ( 95088 ) on Thursday November 04, 2004 @07:19PM (#10729590) Journal
    Although I think offshoring will eventually gut our economy[*], if a company is going to offshore, then they should do it more effectively. Communicating business requirements to offshore teams can be tricky and time-consuming in itself.

    I realize during recent programming projects that there are often little things that can be outsourced in order to help a developer deal with business logic more and technical issues less.

    For example, a program crashes and you cannot figure out where it crashes. These kinds of tasks would be served well by somebody offshore. You only have to give them the program and ask them to find out why it crashes. They don't have to understand the business logic, only how to debug that language.

    Another time we needed some test data. The developer could create a sample pattern and then offshore the data entry of similar entries.

    Thus, a horizontal division of labor may be more effective than a verticle division.

    [*] So will the alternative. I think the US does not offer anything economically special anymore, and we will become an also-ran economy. "Innovation" does not help much because much of the actual development of ideas can also be offshored these days. Thus, the source of innovation no longer generates as many local jobs as it used to. For every good idea there may be say 200 people bringing it to fruit. Now maybe only 50 of these remain local, for example.
    • My thought on your footnote... It's intersting and DOES make sense, but...

      Wasn't the same thing predicted during the Industrial Revolution? (vague recollections of high-school History) America at the time was moving from a primarily agriculture-based economy to a manufacturing-based economy (as were other parts of the world). Yes, there were some short-term upheavals, but the DOOM that was to befall the American economy never came to pass.

      We (and the rest of the world) will weather this and emerge wit
  • Outsourcing Security (Score:3, Interesting)

    by FooGoo ( 98336 ) on Thursday November 04, 2004 @07:22PM (#10729617)
    Is not about providing better cheaper IT security services. It is about shifting liability.
    • by yintercept ( 517362 ) on Thursday November 04, 2004 @07:59PM (#10729956) Homepage Journal

      I think many firms think outsourcing security is safer as they see their employees as their worst risk. I've watched managers knowingly do horrible things to employees...then they become paranoid that they employees with act in retribution.

      To a large extent, employees are a worse threat since they will learn the company's weaknesses. The growing distrust between management and workers is scary.

      Anyway, my experience is that managers who perceive themselves in a different class than workers don't like delegating secutity to members of the class they disparage.

  • Office 2020 (Score:2, Funny)

    by Tablizer ( 95088 )
    The same company that makes it nearly impossible for an employee to enter the office supply closet to get much needed toner cartridge will outsource their intrusion detection, email and firewall systems without a blink.

    "Why are you getting pencils, Dave? You already took two last week."
  • by DataDragon ( 693231 ) on Thursday November 04, 2004 @07:24PM (#10729636)

    Keep in mind, outsourced security firms aren't domestically regulated like banks or other groups. If you can't "sue", "arrest" or otherwise influence the people watching you, then why give them the keys?

    Outsourcing security seems like a good paradigm at first, but trust is earned. Here, we have serious certifications (clearances, CISSP, credit ratings, background checks, bonding, etc.) and there's a definite degree of employer influence over their employees.

    Maybe its just me, but whenever someone I don't know says, "Trust me! C'mon, take a chance, live a little, all the cool CEOs are doing it" I'd conclude right away that these guys are going to ruin me. Mostly because, up until now, "TRUST ME" hasn't been too much of a necessity in outsourcing.

    Anyway, outsourcing security could be one of the next "Great" phishing scams, after all -- why go for the salad when someone can go for the five course meal.

  • by thewalled ( 626165 ) on Thursday November 04, 2004 @07:26PM (#10729657)
    Losers.. for the nth time understand the difference between outsource and off-shore..

    Where the fuck was all this anti-offshoring movement when nike / reebok was selling you cheaper shoes (made in india/china), most of your apparel is made by the asian-tigers and a third world country like bangladesh. Now that you are losing your jobs (in the IT industry) you think it's not fair??? where were you when the others were losing their jobs???

    First elect a president who is more concerned for america rather than unsuccessfully being world-police. Maybe things will change for you in due time.

    and once again (n+1).. Outsourcing is not equal to off-shoring
  • by BartulaPrime ( 744634 ) on Thursday November 04, 2004 @07:48PM (#10729843)
    What we really need to have are results of outsourcing. Sure, we've heard of Dell and a few other companies pulling work back to the US, but I doubt we'll ever hear of the failures or, for that matter, how bad it failed in terms of money and effort. I find it amazing that no investigative work has been done on reporting about the real effectiveness of outsourcing. My friend works for an IT recruiting company and they were told that Chase and another bank were quietly restaffing their US workers after moving most of their work overseas. The recruitment is for 4,000 workers for Chase alone. After the effort, move, and training, it turns out that they were getting the work at the same price, but now the quality sucked and were getting complaints from customers.
  • Umm... most MSSP's are not located "offshore". Most of the people in that space are right here in the US. You've probably heard of them - Symantec, Internet Security Systems, Verisign?

    Data regulations in Europe would probably entirely prohibit any European companies from even contracting with an overseas firm, certainly (sensitive data often cannot cross national borders, by law). I don't know of any specific US regulations, but I'd imagine the companies themselves are highly unlikely to go for this.
  • We outsorced our network management to the bozo that was our service provider. Without loss of generality, let's refer to him as Bozo.

    I argued for a long time that we needed a firewall. Bozo argued that they were useless. A couple of years later, Bozo seems to have decided that firewalls were usefull and so decided that we needed a firewall.

    Bozo then oursourced our firewall management to one of the better known computer security firms. At the time, I figured that was far better than letting Bozo handl
  • I work for a large company (about 2500 employees in IT alone). Our policy is to do very little outsourcing. We only out source the types of tasks that are well defined, most of it in legacy support. Out sourcing works very well in these situations. Any new development is kept in house where it can be better managed, and changes can be made faster when requirements change.

    Out sourcing has it's place, but it should only be used in certain situations.
  • by woodsrunner ( 746751 ) on Thursday November 04, 2004 @09:59PM (#10730889) Journal
    ... I did an outsourcing gig earlier this year. I was flogging my resume trying to find work when this recruiter called me and asked me to do a weekend job doing an upgrade rollout at a major bank.

    I was told to show up on Friday afternoon and that I'd be working with a group pretty much all weekend. No one took a look at my ID, or had me sign anything. They believed me that I was eligible to work in the US even though most of my resume was working outside of the states. Asking around I found that this was the case with most of the forty odd nerds they had rounded up for the job.

    We were all working for a subcontractor of a subcontractor of a major IT firm from Texas. We were all given pretty much free reign of the executive offices and all shared the same username and password. There was basically no supervision what so ever.

    It would have been so easy to install a good deal of malicious software... heck, it wouldn't have been that hard to swap out the master image to take over pretty much every machine on the network.

    I don't even want to think of what goes on in third world countries. That weekend really made me second guess what goes on in the US. If the bank had it's own IT staff, seven people who could work together could have done the same job that it took about sixty including supervisors and honchos and I am sure the cost of their salaries for a year was less than was wasted on that crew. The upside was they did buy us good pizza!!!
  • Dont you think the people in India, China and Pakistan are concerned about sercurity as well? I mean think about it. If there is a continuous lapse in secrurity and you they caught, they go out of buisness. The fact is that to stay in business these offshore companies need to ( and some do) realize that we might loose buisness if we let all this personal information be readily available for our employees to view and share.
  • "The only downside to the book is its $85.00 price, "

    Ever since my job was outsourced, I can't afford books. Or food, or beer... :P
  • I've noticed a different result of my company dealing with the "Lowest cost provider" as they put it. I'm on the road a bunch more (over 150 days this year vs. 35 or so last year). I'm doing field engineering work because the "boring grunt work" is no longer in my office.

    I'm actually making more money since I get OT while at a client's facility but I'm liking my work less. It doesn't look like things will be changing any time soon.... the US corporate world at its best!

  • How is it possibly that anyone in those companies care about security in the first place? They use shitty application software, written by undereducated hacks (both American and foreign ones), on unpatched Windows boxes, run by poorly paid people with barely enough qualifications to run their own desktops. No outsourcing can make this situation any noticeably worse.
  • I cringe when I hear CEOs say "IT is not a core competency" of their company. I want to smack them with a cluebat and yell:

    "When the crew you outsourced your IT to screws up, how long will your company stay in business? If the answer is 'Not long', then you'd better MAKE IT A CORE COMPETENCY!"

    The problem is that far too many people in executive management have no common sense whatsoever, and writing new laws won't change that. I don't know what will, other than easing up on the red tape that holds back
  • One major European thought it was a great idea to outsource and offshore. So much so that they offshored the handling of the SWIFT keys. The SWIFT keys give the user the ability to make irrevocable payments to banks anywhere in the world on behalf o the holding bank.

    Normally SWIFT keys are looked after by procedures and also legislation. Whether a company in a developing country can do either is arguable, even if the company is a wholely owned subsidiary.

  • I have a very sneaky suspicion that a major US student loan company outsources [johnvu.net] their customer support department. Why worry about this? Do you care that your sensitive information is being accessible halfway around the world? How many of us still have student loans to pay off?

If A = B and B = C, then A = C, except where void or prohibited by law. -- Roy Santoro

Working...