Why Security Outsourcing Won’t Work

Mar 01, 2003 · 8 mins

The number crunchers don't see security management the same way that CSOs do. That's why they're willing to turn it over to strangers.

We’ve decided to outsource security at my company.

We’ll be doing so against my better judgment. Because, to me, when you give away the protection of the crown jewels, you’re just asking for trouble. But beyond my concerns about what it all means for my company’s security, it also means I’m going to have to let some of my best people go. Not because they’re doing a bad job, mind you, but because some accountant in our finance department put forth a costing study that claims we can save money by outsourcing.

I wish that the accountants had to do my job at times like this. They don’t get to see the business of security while tucked cozily away in their little offices. To them, security is just numbers, nothing more. All the breached machines. The scummy pornographic spam. The employee stalkers. It’s just numbers to them. They think that the staff is too expensive and that they should go. They think we can do better with strangers who cost less, or so the analysis says.

I want to tell the finance guys, “Sure, you can outsource security. But where should we buy our loyalty?” They just stare back at me, confused.

I mean, how do you factor loyalty, dedication or willingness to go the extra mile into return-on-investment analyses? And make no mistake, employee loyalty and dedication are two of the most important things we’ll lose. Immediately.

These great people on our security staff are the same people who worked and worried all weekend long when security problems arose. They’re the same people who put their personal lives on hold to save the company’s butt when someone broke into our systems and messed with our customer records. The same people who put their faith in the company. We were family.

Does ROI take any of that into account? Of course not. Oh, sure. We might be able to get some extra care from the outsourcer. But we’ll only get it at an extra cost. Most of the soft stuff we won’t see at all because the vendor’s loyalties will never be the same as the employee’s loyalty. And so the employees will lose, but, let’s face it, the company will also lose because it won’t be able to buy the same sort of dedication from an outsourcer that it can find in an employee.

Meanwhile, the finance twerps won’t have to be the ones to look good people in the eye and tell them the past 10 years of hard work doesn’t mean squat. Mostly they just run the numbers and call the shots after doing “the analysis.”

Statistics and I have always been at odds. There’s a saying: Lies, damn lies and statistics. It reminds me that one can find numbers that say anything. Especially if you make it up. We all know that it’s easy to use numbers to make anything look good.

A friend of mine, a manager at a large oil company, got himself a master’s degree in mathematical statistics. When I once asked what possessed him to work on such a degree, he smiled and told me, “I’ve learned that, with statistics, I can make a persuasive case for anything I want.”

Over the years, I’ve discovered how right he is. Anyone can turn any ROI analysis into something that supports whatever case he is trying to make. But that isn’t necessarily the truth.

And so here I sit, contemplating the value of number crunching and awaiting the sweet aftermath of outsourcing. And 50 years of expertise (that’s five people, averaging 10 years each with the company) will be looking for employment elsewhere (with our competitors?).

And most of that experience can’t just be replaced by a vendor, no matter how good it is. These five employees, they know all the employees here. They know all the hacks and attacks we have had. They know what we did to stop them and what we did to make certain that they wouldn’t happen again. They understand most of the management issues, the budgetary problems, the idiosyncrasies of the company. They know what it takes to communicate information about security throughout the company. They’re trusted by employees to make sense of the chaos that happens in the fog of war.

And they’ll be replaced by outsiders. And part-time outsiders, at that.

It’s funny because I’m not that worried about how well the outsourcing company does the grunt work, the mechanical stuff. The particular outsourcer we’re turning to has all the right credentials, all the right experience, an admirable track record, in fact. I checked it out pretty thoroughly. And I’m sure that it will be able to keep the vehicle running. That’s not my concern.

No, what really worries me is the “gotchas,” you know, the problems that an outsider can’t know about and probably doesn’t care about.

I remember reading an article years ago about a large commercial soup maker losing its top cook, an expert who knew all about the glitches in the heating systems and the subtleties of the recipes. The cook was eager to retire, so the soup company designed an expert system to capture as much knowledge as it could from this one particular guy about his work. Two years later, the cook was still working as a full-time consultant to the company because the “expert system” was still severely lacking the knowledge that he had accumulated during his 40 years at the company. The soup maker realized that, if it lost that knowledge, it would have suffered in a major way.

We’re about to do the same thing with our organization. Only we have no expert system being built to at least capture the knowledge. Even worse, I have also been told that we’ll have no budget to rehire ex-employees to help if something goes very wrong. So we’re going cold turkey. Geesh, even smokers trying to kick the habit get the patch. We just get the shaft.

I talked to one of my peers at another company that uses the same outsourcer we’ve selected. She told me it is competent and will do a good job. When I asked her about knowledge base loss, she was quiet for a moment and then, in a low voice, told me that the loss of people who knew how to get things done in security had dealt her company a serious blow to productivity.

She also said that no ROI she knew of could explain all the ancillary costs they have run into trying to compensate for the loss of smart people with extensive knowledge who worked day and night to keep the lid on the pressure cooker that is her company. When you add all the numbers together as part of the real situation, she said, it costs more to outsource than to keep it in-house.

I asked what happened when she brought it up. She said no one wanted to talk about it or hear any bad news. Period. Decisions had been made, and there was no point in bringing it up until the whole exercise is a dismal failure five years from now when the outsourcing contract expires.

It’s hard to deny. My personal attitude is going from bad to worse. Of course, I’ll be expected to work with the guys in finance who concocted this whole plan. And I’ll have to play nice with them. Otherwise, I won’t get the purchase orders signed for the unscheduled coverage time by the contractor. I won’t get the contracts amended for the extra work I’ll need done. And I won’t get the budget overrides approved for vacation time that they forgot to account for in “their” plan.

You can be sure that none of those costs are going to show up in the post-conversion analysis that the finance guys do. Instead, they’ll get their raises and promotions and go about their business of figuring out which department should get hosed next.

Most likely, I’ll be fired in a month or two when none of this works and the finance guys are looking for a scapegoat. Or maybe I’ll stay here and work at becoming an expert at managing outsourced relationships. I suppose I could manage all sorts of outsourcing relationships if I got really good at it: shipping, IT, HR, finance…. Hmmm….

In the meantime, I cannot possibly get all the work done properly with the bare-bones staff available to me from the outsourcing vendor. I mean, the vendor is competent in many areas, but it will not be able to help out in important ways like corporate security policy development, business case development, integration issues with other departments, security awareness training and so much more. No, I’m on my own for all of that now.

But tomorrow is another day.

Today, I get to visit HR to get the paperwork done for the employees I’ll be letting go. I always thought that people were the most valued asset of a company. I guess I was wrong. It appears that the most valued asset in my company is an accountant who thinks he knows how to make a security department cost-effective. I’m sure he can pitch in to help when we get hacked again.