Navigant's Cyber Risk and Information Security PracticeLearn More


3 Things to Consider When Outsourcing Your IT07 June 2016

Academia, Financial Services, Healthcare, IT Security, Non-Profit, Risk Management

For many small- to medium-sized businesses, staffing full-time IT personnel is not necessary. Not only does outsourcing your IT reduce costs, it also provides access to a wider range of expertise. To ensure the best fit for your organization, following are some questions to consider before you select a vendor:

1. Is the company vendor agnostic?
We see it far too often. IT vendors consult with an organization that ultimately recommend purchasing a tool or software, which may or may not be the best fit. It’s common for IT vendors to have partnerships or even referral programs with other software/hardware vendors, which seems to imply they advise organizations to buy these tools even if unnecessary. An important question to ask your IT vendor is if they are vendor agnostic. If the answer is anything but “no,” it may be wise to schedule other consultations. Securing a vendor-agnostic consultant ensures that any software/hardware-purchase recommendations will be unbiased and indeed benefit your organization.

2. IT experts vs. security experts
A common misconception is that outsourcing IT to a vendor is the same as outsourcing cyber security. Not unlike the medical industry, cyber security is a broad term that refers to both technical and non-technical areas of expertise. Assuming your IT vendor is able to stand up servers and network devices, as well as perform security-related projects like vulnerability scanning, policy implementation, and employee training, can leave your organization exposed. Another fundamental question to ask any potential vendor is whether or not it has experienced security professionals. If not, the security of your network remains your responsibility.

3. With whom will you really be working?
Before selecting your outsourced IT vendor, be sure to clearly identify the specific person(s) who will be working on your account. Stories abound about organizations that believed they would be working with one person (i.e., their point of contact throughout the engagement process); but, after signing the agreement, were introduced to the IT personnel who would actually work on their account. As with government contracts, request the bios of all personnel with whom you will be working upfront. That way, you distinguish exactly who is on your outsourced team and can learn more about their experience and skillsets.

Organizations can outsource security needs just as they do their IT. This is one effective way to incorporate cyber security into your everyday risk-management initiatives, while keeping costs at a minimum. Learn more about our outsourced Cyber Security as a Service offering, or contact us to get the conversation started.

Work With Us Learn How