Five Golden Rules for a Secure Cloud Migration

August 18, 2011, by David
Grazed from Virtual Strategy Magazine. Author: Phil Lieberman.

Survey after survey has revealed that security is the top concern voiced by prospective customers about cloud computing and its outsourced, on-demand business model. Worries over data privacy may prove to be service providers’ greatest roadblock to new business. In addition, the risks of a data breach seem certain to grow as a service provider’s infrastructure expands and its IT staff becomes more numerous and decentralized…

This evolution is worth watching since private MSP organizations could potentially provide much better security, agility and oversight for their service offerings compared to what is offered by the largest providers such as Google and Microsoft.

So while an outsourced cloud infrastructure can be a good fit for many companies, it holds huge potential for costly disasters. And if the outsourcer fails, you could be left without the resources to repair the damage. There is little margin for error in choosing an outsourcer, as Lieberman Software found in our recent industry surveys at the annual RSA and InfoSecurity conferences held earlier this year. Our survey revealed that 77 percent of IT professionals said that their outsourcers had made up work simply to earn extra money.

Here are my five golden rules to ensure your outsourcing lifeboat doesn’t sink mid-stream:

1. Make a Transition Plan and Stick to It

Any kind of IT outsourcing will disrupt your entire organization in ways you may not expect. Your plan should include a change management module, a detailed and well-argued case to your staff outlining how you intend to make a smooth transition, and a well-documented process to let your customers know that you have the outsourcing process well under control.

2. Get Your Outsourcing Plan in Writing

You need to see the outsourcers’ plan in writing, particularly their crisis management plan.

In the written report, make sure you add capital asset budgets for the acquisition of software to improve operational efficiency and provide better coverage of security. Make sure that there are disincentives for contractors who avoid using, or impair the usage of, software tools that improve things even if they reduce billable hours. Also make sure you allow for the adoption of better labour-saving tools. Do not allow the fox to guard the henhouse.

3. Demand Transparency with Respect to Security

You will have to place special emphasis on choosing an outsourcer that has a proven track record of delivering quality security services to a similar range of industry sectors over a long period of time.

They will need the ability to accurately correlate, analyze and interpret large volumes of network security inputs in real time, and to separate legitimate threats from a welter of false alarms. An outsourcer should have multiple security operations centers that run 24x7x365. Having two or more data centers allows for redundancy and helps ensure constant compliance with security standards. Your outsourcer should have security experts in place to monitor and analyze data from customers on a global basis. This level of intelligence will help your outsourcer issue real-time alerts and recommend fast reactions to unforeseen events.

Anticipate security breaches. You will have to plan for emerging threats and for the need to purchase both software and hardware to respond to threats, as well as to improve compliance and security. Don’t allow the outsourcer to select their own tools, as they will pick those that maximize their revenue, not your security. You cannot predict the future: provide slack to change your contractor’s mission as the business and the security landscape change.

4. Know Their Financial Status, Compliance Standards, History, and Audit Points

What is your future security partner’s financial state? For publicly traded companies, Gartner estimates that annual run rates of more than $40 million per year in managed security services contracts indicate a sufficient base of revenue to support growth and enhancement of services.

For the biggest outsourcers, management experience should include defense, government, and a range of industrial sectors. This is an important consideration because it indicates an outsourcer’s ability to meet wide security management needs, including the monitoring of all industry-standard security products.

An outsourcer should be able to provide documented standards and policies for handling typical and atypical operations and threats.

They must be able to show that they employ security specialists with certified expertise across a broad range of security products from a variety of vendors. This allows a company the freedom to select best-of-breed solutions.

The outsourcer must also have facilities, processes and procedures in place that are validated and certified by a third-party auditor. Compliance can be a side effect of good security, or a gigantic make-work scheme for the outsourcer. Put yourself in the outsourcer’s position – why fix the problem on thousands of machines in an hour using a security management tool, when they could bill for months reimaging systems? The organization should take ownership of its own security and not outsource its direction. Pick best-of-breed security solutions; do not use checkboxes to select solutions, and do not allow purchasing to select your security solutions. You don’t pick a doctor by the lowest price; you’re far better off finding the one with the most expertise and a history of success. You should do the same for your security – don’t allow critical processes to be controlled solely by your contractor or low-level employees.

5. Find Experts in the Areas You Need

In the role of subject matter expert and experienced implementer of systems, the right outsourcer can be a godsend if you can find them. The key is to know how much specialised value your outsourcer can add to your organization, and how quickly they can do it.

So those are our five golden rules. But remember – our position is that outsourcing solely as a means to reduce costs is a fraud, since these cost reductions are achieved by gutting the organization of its talent and providing its customers with the poorest possible support at the lowest cost.

Ultimately, outsourcing for cost savings alone leaves a company weak and ill-prepared to respond to emerging threats and opportunities. On the other hand, outsourcing to obtain unique talent that is otherwise unavailable or impossible to train can provide your company with distinct competitive advantages. Outsource when there’s expertise to be gained (through contracting of specialists), not lost (through abandonment of loyal staff).

Happy outsourcing!