To the IT professional, the U.S. Navy's
decision to have private-sector contractors build and maintain
its entire 360,000-user intranet may be the mother of all outsourcing
strategies. Many believe in-house IT capabilities protect business
secrets and improve efficiency. But if the Navy is willing to
treat communications the same as electricity and telephones,
how can civilian managers justify greater caution?
Smart IT organizations will not copy the Navy.
Unlike arranging for electrical power and other utilities,
getting an intranet system up and running requires ongoing intimate,
intrusive interaction between end users and technical specialists.
Even if outsourcing can cut some costs, IT managers still have
to coordinate inter-firm collaboration, protect crucial proprietary
information and monitor their contractors' performance. These
tasks far exceed simple contract oversight.
An electric company's job ends when a business is hooked to
the grid. In contrast, defining an intranet's basic architecture
means mapping a user's entire organization in excruciating detail.
Intranet contractors must identify each of their user's individual
messaging needs -- both today and into the future.
Eventually, a contracting team builds a virtual mirror image
of its customer's operations. The IT manager's first priority
is to assure that the many nonemployees and subcontractors privy
to this information don't misuse it. Evaluating supplier quality
and trustworthiness is essential.
Most experts believe, for instance, that IT managers must know
how their contractors recruit for and staff a project. Many
contractors court business with senior staff but then assign
recent graduates, or poorly trained interns, to do the work.
IT professionals have to learn as much about the way their contractors
function as contractors glean about their companies.
Then you must consider the question of monitoring performance.
Knowing when plumbing fails is usually straightforward. Making
sure that an intranet contracting team achieves state-of-the-art
performance, especially when technology is rapidly changing,
can be much more complicated.
IT managers face what's sometimes called the "black-box" dilemma.
They subcontract to avoid the costs of developing specialized,
expensive skills in-house. The more they excise their internal
capabilities, however, the less they can comprehend what their
suppliers actually do. Over time, their ability to know if they
are getting fair value declines.
Even the most aggressive outsourcers usually retain enough
in-house expertise to understand supplier technologies and adequately
monitor performance. Of course, outsourcing for supplier evaluation
services is possible, but a buyer then has to have some way
of knowing that the second contractor's opinion is worth heeding.
IT staff must also manage security. By its nature, an isolated
intranet defies basic network logic. It seeks a secure closed-loop
communication system using technologies designed for openness.
Small wonder that, according to the FBI and the Computer Security
Institute, 60 percent of the nation's 1,000 largest companies
recently reported network intrusions costing an average of $2.8
million per incident.
Relying on contractors can increase security risks because
outsiders have access to key network protocols. Armed with such
knowledge, a contractor's disgruntled employee can wreak havoc
on a customer's whole operation. Even when a contractor's staff
integrity is not an issue, many "managed security services"
purveyors -- the most sophisticated network protection suppliers
in businesses -- freely concede their capabilities can easily
Despite the rhetoric of 24x7 protection, for instance, few
suppliers provide more than limited spot checks against network
infringement. Many assign inexperienced, poorly paid staff to
do highly monotonous, yet crucial online surveillance. Often
the most telling evidence of a security lapse is buried in detailed
transaction logs or automated databases that don't get adequate
analysis. That's a big reason why so few companies, or third-party
underwriters, are willing to provide more than the most minimal
insurance for system intrusions.
The IT manager must assure that service providers are using
the best possible, full-spectrum security protection techniques.
This includes reviewing a contractor's internal security policies,
firewall hardware and software approaches; thoroughly understanding
what triggers potential "alarms;" and knowing who responds to
them. The contractor must be able to explain why a breach occurred
so that appropriate countermeasures can be taken. A contractor
that doesn't, or can't, satisfactorily explain an incident should
be replaced with one who can.
Faced with these challenges, most companies are unlikely to
emulate the Navy's intranet outsourcing model. Communications
procurement, if anything, resembles professional service contracting
much more than buying simple utilities. To get the best legal
or consulting assistance, most companies -- and even the military
-- have found they still need highly trained specialists in-house
to protect their interests. Lacking such capabilities, intranet
outsourcing will likely present a full range of enterprise problems
-- some we have yet to imagine.