SmartAdvice: Build Facts And Allies To Get Head Start On BudgetingSmartAdvice: Build Facts And Allies To Get Head Start On Budgeting

Question C: What are the major considerations I need to understand when making outsourcing decisions?

Our advice: The two major components you need to consider are controlling access to your resources and determining who's responsible for security.

In today's outsourcing environment, the guiding principle is "risk assumed by one is a risk assumed by all." Not all of the participants in an outsourcing contract have the same security disciplines. When you contract with one source, you assume the risks of everybody involved.

Many outsourcers will outsource certain parts of their activities to other companies. These subcontractors may not be bound by contract to adhere to your security requirements. This element is frequently overlooked as part of contract negotiations. You may be exposing your IT assets and not even know it.

The best solution is to make sure that your contract specifically outlines your security requirements. In addition, you need to be specific as to who you will authorize to work on your project. Any work that's to be sent to another contractor should require your approval.

The next question you need to answer is, who's responsible for the security layer? This is a company-specific decision. Some organizations specify the security standards they require and simply ensure that the outsourcer adheres to them. Other organizations apply the security layer themselves so they can keep their processes confidential.

The decision is entirely based on your security concerns and the sensitivity of your information for this specific application. The majority of organizations prefer to apply their own security layers.

-- Alan Guibord

Wes Melling, TAC Expert, has more than 40 years of IT experience with a focus on enterprise IT strategies. He is founder and principal of Value Chain Advisors, a consulting boutique specializing in manufacturing supply-chain optimization. He has been a corporate CIO, a Gartner analyst, and a product strategist at increasingly senior levels.

Peter Schay, TAC executive VP and chief operating officer, has 30 years of experience as a senior IT executive in IT vendor and research industries. He was most recently VP and chief technology officer of SiteShell Corp. Previously at Gartner, he was group VP of global research infrastructure and support, and launched coverage of client-server computing in the early 1990s.

Alan Guibord, TAC founder and chairman, has more than 25 years of experience leading IT organizations as CIO with Fortune 100 companies and small to midsize businesses. Guibord has served as VP and CIO of Fort James, VP of information technology at R.R. Donnelley & Sons, CIO of PictureTel, and VP of MIS and administrative services at Timeplex.