| Situation | Outsourcing decision |
|---|---|
| When the goods or services are not themselves produced or provided by the enterprise | Outsource commodity goods and services that are easily replaced and cost efficient. |
| In areas where content or information technology is key to business continuity or success | Avoid any outsourced arrangement that deeply entangles substantial information technology functions. |
| For content or systems of Medium Risk or higher | Only outsource what you can control effectively from a protection standpoint. |
| For content or systems under regulatory schemes | Only outsource if all regulatory requirements can be met by the outsourcer. |
| In all cases, taking into account lost opportunity costs and management and overhead costs over the life cycle of the content and technologies involved | Outsource if the costs through the outsourcer are lower than the internal costs. |
Outsourcing balances costs against benefits. The main benefits are reduced cost and the ability to focus the enterprise on its primary functions. The main costs are the outsourcing contract itself, the management cost of running the contract, and the security cost of compensating for the reduced control over the activities now outsourced.
Commodity goods or services that are easily replaced have little security impact in most cases. Paper and ink for printers, most delivery services, office supplies, and many other goods and services can be outsourced with little information security impact.
On the other hand, non-commodity items tend to deeply entangle the enterprise with the outsourcer, and this strong interdependency also produces a high level of risk aggregation. The typical results are failure of business continuity and disaster recovery plans, collapse of the enterprise if the outsourcer collapses or chooses to exit the business, very high disentanglement costs, high security costs to maintain equivalent security levels, inability to audit adequately, inadequate management controls, and so forth.
Protection that the enterprise can readily control within the outsourcing arrangement can help to compensate for deep entanglement, but most outsourcing contracts do not allow this to any substantial degree. Where the outsourcer places its workers at your facilities, allows you to verify their qualifications, and retains consistent staff for long periods, low and medium risk situations may be acceptable from a risk management standpoint.
All regulatory requirements must be met by the outsourcer as well, and this creates enormous problems when, for example, the outsourcer possesses enterprise records that are called for in court proceedings. It is the responsibility of the enterprise to produce those records, and if the outsourcer fails to do so, the enterprise may be held liable for failing to meet the court order. Many legal obligations cannot be transferred in this manner.
Substantial cost savings must be available from outsourcing, or the outsourcing is not worth doing. In many cases an outsourcer's claim that it can do the work for less than the enterprise can is a fiction, because the outsourcer is not doing the same things the enterprise would have done from a protection standpoint. The only place these savings really occur is where the outsourced effort is a commodity.
The other reason to outsource is when the outsourced provider has special expertise that the enterprise does not have, does not need in enough volume to justify hiring full-time staff, or cannot build in time by hiring full-time staff. A really good example of this is information security consulting.
There are four reasons to use an outsourcer: (1) not enough time, (2) not enough expertise, (3) an objective outside opinion, and (4) lower cost. These must be balanced against the added cost of compensating for all of the controls the outsourcer does not have and the risks of entangling your enterprise with theirs.