It sounds like a total oxymoron: Independent Collaboration. On the Predictive Index, those two words are on opposing ends of the spectrum when it comes to describing an individual's working style. But I promise there's meaning to it, and we're going to get to that in this blog.
The idea came to me when I'd had my third conversation in two weeks about this very idea. Usually when a topic hits that threshold, I know that it's blog-post-worthy.
Before we move on, let me clarify: I’m not saying that all banks and credit unions should outsource components of their IT. I am saying that many financial institutions have found that outsourcing information technology and information security can be key piece of their overall strategy. This article is talking about one concept of doing that successfully.
So, lately I’ve been getting asked: “How can banks and credit unions outsource their IT/IS in an effective way?” Should they outsource everything? Should it be a team of specialized firms or should all services reside with one provider?
When the bank or credit union says they're going to put everything in the hands of one provider, they usually make the argument that “there's one throat to choke”, “one butt to kick”, “less to manage”, and “it’s just cleaner”.
I agree, from a vendor management standpoint, one provider is much simpler, there's less chance of miscommunication that can cause issues. If it's managed well, it can be in a very efficient way to do things because you bring the processes that are integrated across the board to the table.
You can even make the argument that by outsourcing it all to one service provider, you really can set it and forget it and not have to worry about IT or IS anymore.
So what’s the problem?
Although it may sound like heaven to put all of IT in one outsourced bubble, there are disadvantages of using one provider. Disadvantages that become exponential as the financial institution grows, to the point where the wrong managed IT provider could be a limiting factor for the growth and innovation for your institution. Growth and innovation are keys to survival for any bank or credit union over the next five years.
When I say having everything in one place, I mean having one provider managing the network, managing the servers (maybe even the core), managing patching and vulnerabilities, providing ongoing vulnerability scanning, monitoring the network for anomalous activity, monitoring the logs for anomalous activity, providing governance and oversight, performing risk assessments, incident response planning, policies, board reporting, etc.
The problem with having all of the above services sourced with one provider is that you've basically introduced a similar situation to what smaller banks and credit unions face in that you have a single “IT entity” handling everything. Just like when you have one person going it alone, you start to run into limitations such as:
- Lack of independence – something auditors and examiners are not OK with as you grow.
- Only one way of doing things (ie, no innovation) - information technology and information security needs different perspectives and anyone that says they have them all is either lying or ignorant.
- Little accountability or pushback - if you outsource everything to one provider, do you have the expertise on staff to call them out on much of anything? If not, who is in control of your IT strategy, and your information security strategy? It's definitely not you!
- Limits specialization and subject matter expertise – we’ve all heard the phrase “jack of all trades, master of none”. This is what often happens when a service provider says they can do it all – they are ok at a lot of things, but not great at anything.
- Large, complicated contracts - What happens to the contract if you want to move a component to another provider – are you now held hostage in all areas?
- Lack of visibility & transparency – this makes it hard for bank management to truly understand what's going on in a critical part of their business. This is where you hear: “you just have to trust us.” Examiners don't like it, auditors don't like it, and as bank management, it should make you uneasy as well.
So what's the solution?
One solution is a term that I call Independent Collaboration. Independent Collaboration is setting up a structure where a team of outsourced entities work together to build and maintain the information technology and information security functions for a financial institution.
This strategy brings in separate subject matter expertise for the various areas - the players are independent, but working toward the same goal. It’s like having a CIO, CTO, SOC Manager, and CISO all on your team, but each being a separate outsourced firm.
As vCISOs, we are getting involved in more and more of these types of scenarios, and we're seeing them work for financial institutions of varying size and complexity.
While it needs to be managed by the institution, Independent Collaboration provides an environment where the infrastructure gets built for stability and strategy. The information security, governance, and risk management functions are mature enough to handle growth. Monitoring of the network and logs are done independently 24x7x365 by a managed response team – so incidents can be detected quickly.
It requires communication and cooperation by all parties involved, but it's all doable with a regular cadence of check ins, along with on-demand ad hoc meetings.
When done correctly, Independent Collaboration takes a balanced approach to bring together the proper expertise, while keeping vendor management and middle-man relationships low – the best of both worlds when outsourcing IT and IS.
Part 2: The Framework
You’re probably asking: “how do I do this?” or “how do I avoid the pitfalls?” And that’s why this is a 2-part blog post. In Part 2, I’ll talk about the framework, including the players, the roles, areas of conflict, management practices, and more.
In the meantime, if you have specific questions about outsourcing some or all of your IT and/or Information Security, please email us at support@bedelsecurity.com.
Additional Resources:
The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper
Assessing Risk: Outsourced Service Providers
https://www.bedelsecurity.com/blog/assessing-risk-outsourced-service-providers
What is "Best Practice"?
https://www.bedelsecurity.com/blog/what-is-best-practice