Professional Monitor in association with (ISC)2
Professional Monitor in association with (ISC)2

With outsourcing growing as a corporate strategy, the IS department needs to ponder its impact on professional development and nuture relations with outsourcers.

Few can deny that outsourcing plays a significant role in today's organisational structure. The current economic climate has many looking for ever more functions that can be outsourced or provided through cost-cutting, third-party services. As a result, more and more third parties will access valuable data. And outsourcing models are changing, with several providers offering specialist services for a single function, or the outsourcer sub-contracting part of a service.

Legislation may well define how data should be governed, while IS departments are increasingly involved with compliance. But what impact is this having on professional development? Are companies outsourcing this to service providers, or is there room for them to shape the team?

Companies should be interested in assuring the competency of the people providing their service, contends Andrew Cardwell, who has spent the past eight years managing security compliance in third-party relationships at BT Openworld. Part of the challenge, he says, lies in helping to develop the desired skillset for the outsourcing organisation. This includes encouraging skill sharing. “It's not all about cost and meeting the metrics,” says Cardwell. “Companies should know what they want and take part in making it happen.”

Cardwell describes the typical scenario for providing compliance training for outsourced teams. All too often, they will only receive standard computer-based courses. A security officer will not be a part of the offering and little is in place to help individuals stay up to date.

Cardwell acted as interface between outsourced providers and BT, with a team of 20 consultants to supervise an outsourced security function for Openworld. This team was highly dependent on the quality of the interaction with many business units in BT. Part of the working policy instigated by Cardwell was to dedicate up to 20 per cent of the time for professional development. He facilitated mentoring across outsourced and in-house teams.

Cardwell set up a ‘buddy system' to transfer knowledge between dependent business and the security units. “People, both technical and business, are coming to the security department for advice and information. Knowledge-sharing relationships can help address common needs and overcome barriers,” he says.