Outsourcing Your Intranet?

By David Friedman
Senior Fellow

Planet IT
November 16, 2000

To the IT professional, the U.S. Navy's decision to have private-sector contractors build and maintain its entire 360,000-user intranet may be the mother of all outsourcing strategies. Many believe in-house IT capabilities protect business secrets and improve efficiency. But if the Navy is willing to treat communications the same as electricity and telephones, how can civilian managers justify greater caution?

Smart IT organizations will not copy the Navy.

Unlike arranging for electrical power and other utilities, getting an intranet system up and running requires ongoing intimate, intrusive interaction between end users and technical specialists. Even if outsourcing can cut some costs, IT managers still have to coordinate inter-firm collaboration, protect crucial proprietary information and monitor their contractors' performance. These tasks far exceed simple contract oversight.

An electric company's job ends when a business is hooked to the grid. In contrast, defining an intranet's basic architecture means mapping a user's entire organization in excruciating detail. Intranet contractors must identify each of their user's individual messaging needs -- both today and into the future.

Eventually, a contracting team builds a virtual mirror image of its customer's operations. The IT manager's first priority is to assure that the many nonemployees and subcontractors privy to this information don't misuse it. Evaluating supplier quality and trustworthiness is essential.

Most experts believe, for instance, that IT managers must know how their contractors recruit for and staff a project. Many contractors court business with senior staff but then assign recent graduates, or poorly trained interns, to do the work. IT professionals have to learn as much about the way their contractors function as contractors glean about their companies.

Then you must consider the question of monitoring performance. Knowing when plumbing fails is usually straightforward. Making sure that an intranet contracting team achieves state-of-the-art performance, especially when technology is rapidly changing, can be much more complicated.

IT managers face what's sometimes called the "black-box" dilemma. They subcontract to avoid the costs of developing specialized, expensive skills in-house. The more they excise their internal capabilities, however, the less they can comprehend what their suppliers actually do. Over time, their ability to know if they are getting fair value declines.

Even the most aggressive outsourcers usually retain enough in-house expertise to understand supplier technologies and adequately monitor performance. Of course, outsourcing for supplier evaluation services is possible, but a buyer then has to have some way of knowing that the second contractor's opinion is worth heeding.

IT staff must also manage security. By its nature, an isolated intranet defies basic network logic. It seeks a secure closed-loop communication system using technologies designed for openness. Small wonder that, according to the FBI and the Computer Security Institute, 60 percent of the nation's 1,000 largest companies recently reported network intrusions costing an average of $2.8 million per incident.

Relying on contractors can increase security risks because outsiders have access to key network protocols. Armed with such knowledge, a contractor's disgruntled employee can wreak havoc on a customer's whole operation. Even when a contractor's staff integrity is not an issue, many "managed security services" purveyors -- the most sophisticated network protection suppliers in businesses -- freely concede their capabilities can easily be overrated.

Despite the rhetoric of 24x7 protection, for instance, few suppliers provide more than limited spot checks against network infringement. Many assign inexperienced, poorly paid staff to do highly monotonous, yet crucial online surveillance. Often the most telling evidence of a security lapse is buried in detailed transaction logs or automated databases that don't get adequate analysis. That's a big reason why so few companies, or third-party underwriters, are willing to provide more than the most minimal insurance for system intrusions.

The IT manager must assure that service providers are using the best possible, full-spectrum security protection techniques. This includes reviewing a contractor's internal security policies, firewall hardware and software approaches; thoroughly understanding what triggers potential "alarms;" and knowing who responds to them. The contractor must be able to explain why a breach occurred so that appropriate countermeasures can be taken. A contractor that doesn't, or can't, satisfactorily explain an incident should be replaced with one who can.

Faced with these challenges, most companies are unlikely to emulate the Navy's intranet outsourcing model. Communications procurement, if anything, resembles professional service contracting much more than buying simple utilities. To get the best legal or consulting assistance, most companies -- and even the military -- have found they still need highly trained specialists in-house to protect their interests. Lacking such capabilities, intranet outsourcing will likely present a full range of enterprise problems -- some we have yet to imagine.

Copyright: 2000 Planet IT

Top of Article
Other articles by David Friedman
Printable Article
E-Mail This Article