Keep the keys to the kingdom close.
Identity management and authentication should never be outsourced. This is the cornerstone for any organization's security system. These functions need to remain strictly under the auspices of trusted internal resources. I will go so far as to say that all of the services and servers used for authentication and identity management purposes should remain in-house, including domain controllers. As CIO, when there was a need to integrate with a cloud provider, I drafted and approved a policy that required vendors to authenticate directly against internal Lightweight Directory Access Protocol resources, with access provided through our firewall. We didn't allow vendors to simply create access lists based on information we sent them -- the authentication had to be direct to us. This way, we retained complete control over our resources and could immediately disable access to a resource centrally. This also allowed us to maintain a single set of credentials for every user and every service. If things went south with a particular provider, we could more easily cut access to the service altogether.
Keep your core competencies core and in your control.
Every organization has something that makes it unique. Let's look at a college as an example. While a college may outsource entire functions, such as its dining services and book store, only a college without a unique value proposition would fully outsource its academic functions. Academic functions are its primary business. Always maintain control of what makes your organization special.
Don't let the allure of outsourcing derail carefully laid data lifecycle plans.
Outsourcing is a bad idea when there is the potential for significant disintegration of data, which could lead to poor or incomplete decision making. Outsourced services should integrate as seamlessly as internal ones when it comes to the data lifecycle. If that's not possible, that's a sign that your service shouldn't be outsourced.
Your outsourcing partner is an extension of your business.
An outsourced service shouldn't be considered an "arms length" part of the overall operation. It needs to be seen as integral and important and a part of the team. Anything less will relegate the service to second-tier status and leave money on the table. If your internal technology team is weak, the outsourcing partner is, by default, operating from a position of weakness. More importantly, you've also got an internal leadership issue that needs to be addressed. It's counterintuitive, but outsourcing requires strong internal talent that can shepherd internal resources while leveraging external ones to fill critical gaps. If you have a weak internal team, fix that problem before attempting to outsource anything related to that team.
More on IT outsourcing
Fix your weak team and leadership issues before you subject others to the madness.
Working with an outsourcing partner means you're bringing the company into the fold as a trusted business partner. That means the outsourcer needs to fully understand your specific business environment and challenges, as well as have at least a semblance of an understanding of the vertical in which your business operates. Don't outsource components or services that aren’t well understood by your partner.
Fix your internal capacity issues before you invite others into a mess.
Don't outsource a service or project if an internal team is already buried under the weight of its own responsibilities, unless that outsourcing engagement is intended to directly reduce the existing workload to reasonable levels. If this is the case, workloads should be reduced to a point where the internal team has adequate resources to manage and monitor the contract. An outsourcing arrangement requires a deep commitment and partnership. Fair conditions for success must exist on both sides of the equation. If you add new contract management responsibilities to an already overburdened team, neither side wins.
There are some times when outsourcing is the perfect decision, but other times when it's the exact opposite. Make sure that you don't make an outsourcing decision that you will regret that may negatively affects the business -- and your reputation as CIO.
Scott Lowe is founder and managing consultant of the 1610 Group. A former CIO, he's a frequent contributor to TechTarget, TechRepublic and other IT publications. Write to him at email@example.com or firstname.lastname@example.org, or follow him on Twitter @OtherScottLowe.
This was first published in March 2012