Defrag This

| Read. Reflect. Reboot.

Infrastructure Compliance: IT Vendor or In-House?

Doug Bonderud | November 04 2016

| security

As noted by Tech Financials, infrastructure outsourcing is now a go-to option for service providers, since it allows them to maximize their strengths while shoring up their weaknesses with third-party expertise. But what does this trend mean for companies at large? Is it worth partnering with an IT vendor to supply key components, or is reserving this task for in-house experts the better option? Here's a look at both sides of the infrastructure issue.

Two-Sided Solution

Why keep infrastructure deployment local? There are a few compelling reasons. First is the existence of legacy hardware and applications which may not support new links with third-party technology. It's effectively an "if it ain't broke, don't fix it" argument: Why make more work for local IT pros if you don't have to? Security is also a commonly raised case against the outsourcing of infrastructure, since access to the underpinnings of your IT effectively gives hackers full run of your network.

Flip the infrastructure coin and organizations are looking to cut costs and improve performance by using IT vendor expertise. Effective outsourcing, however, requires extremely strong risk controls, which means more work for IT pros and compliance officers. When it comes to your team itself, there's something to be said for the cutting-edge knowledge of contract professionals. The use of legacy hardware and existing IT pros may also make it more difficult to adopt new technologies such as converged infrastructure (CI), which both simplifies and empowers IT deployments. While it's possible to build this kind of setup in-house, many vendors specialize in creating and delivering custom-built IT options.

Critical Compliance

Beyond the nuts-and-bolts of in-house infrastructure or IT vendor solution, CISOs have a bigger problem on their plates: compliance. It's no longer possible to spin up services in a vacuum — if servers or storage solutions touch, transmit or terminate personally identifiable information (PII) or credit data, IT executives need to ensure proper compliance protocols are created, followed and enforced.

Outsourcing typically gets the lion's share of concern here, since first-party companies are on the hook when it comes to data auditing and safety. In other words, if the data hit your servers first, it's your problem. Consider the specific scenario of data covered under HIPAA: Any IT vendor needs to sign a business associate agreement (BAA) before they touch any of your information. Not having a BAA in place puts you at serious risk of non-compliance and could result in penalties or sanctions. CISOs also need to ensure that third-party providers only have access to the tools and data needed to move and secure information; here, a "zero knowledge" policy is often the best approach to limit the potential for accidental compromise.

 

And while hiring in-house may seem simpler at first, there are unique compliance issues which CISOs must also anticipate. "Scope creep" is among the most common — when in-house IT transitions to a new project, current permissions must be re-assessed to ensure it can't access now-restricted material. You also need to monitor for accidental breaches which may occur when employees use social media sites at work; according to Infosecurity Magazine, social websites and services were the top-rated IT risk in a recent internal security survey.

Best bet in both cases? Don't try to manage infrastructure security on your own. Compliance rules are too complex and their implementation too critical for CISOs to take on this responsibility without help. Instead, consider developing a "compliance officer" role for a candidate skilled in both policy management and IT to ensure both in-house and outsourced use of infrastructure follows all federal, state and applicable private-industry guidelines.

Bottom line? Both in-house and IT vendor infrastructure deployments have their benefits and drawbacks. No matter your preference, however, you need a compliance officer with enough autonomy to draft solid policies that bridge the gap between local and outsourced IT.

Topics: security
