It sounds like a total oxymoron: Independent Collaboration. On the Predictive Index, those two words are on opposing ends of the spectrum when it comes to describing an individual's working style. But I promise there's meaning to it, and we're going to get to that in this blog.
The idea came to me when I'd had my third conversation in two weeks about this very idea. Usually when a topic hits that threshold, I know that it's blog-post-worthy.
Before we move on, let me clarify: I’m not saying that all banks and credit unions should outsource components of their IT. I am saying that many financial institutions have found that outsourcing information technology and information security can be a key piece of their overall strategy. This article is about one concept for doing that successfully.
So, lately I’ve been getting asked: “How can banks and credit unions outsource their IT/IS in an effective way?” Should they outsource everything? Should it be a team of specialized firms or should all services reside with one provider?
When the bank or credit union says they're going to put everything in the hands of one provider, they usually make the argument that “there's one throat to choke”, “one butt to kick”, “less to manage”, and “it’s just cleaner”.
I agree that, from a vendor management standpoint, one provider is much simpler: there's less chance of miscommunication causing issues, and if it's managed well it can be a very efficient way to do things, because the provider brings processes that are already integrated across the board.
You can even make the argument that by outsourcing it all to one service provider, you really can set it and forget it and not have to worry about IT or IS anymore.
Although it may sound like heaven to put all of IT in one outsourced bubble, there are disadvantages to using one provider, and those disadvantages grow exponentially as the financial institution grows, to the point where the wrong managed IT provider can become a limiting factor on your institution's growth and innovation. Growth and innovation are keys to survival for any bank or credit union over the next five years.
When I say having everything in one place, I mean having one provider managing the network, managing the servers (maybe even the core), managing patching and vulnerabilities, providing ongoing vulnerability scanning, monitoring the network for anomalous activity, monitoring the logs for anomalous activity, providing governance and oversight, performing risk assessments, incident response planning, policies, board reporting, etc.
The problem with having all of the above services sourced with one provider is that you've basically introduced a similar situation to what smaller banks and credit unions face in that you have a single “IT entity” handling everything. Just like when you have one person going it alone, you start to run into limitations such as:
One solution is a term that I call Independent Collaboration. Independent Collaboration is setting up a structure where a team of outsourced entities work together to build and maintain the information technology and information security functions for a financial institution.
This strategy brings in separate subject matter expertise for the various areas - the players are independent, but working toward the same goal. It’s like having a CIO, CTO, SOC Manager, and CISO all on your team, but each being a separate outsourced firm.
As vCISOs, we are getting involved in more and more of these types of scenarios, and we're seeing them work for financial institutions of varying size and complexity.
While it needs to be managed by the institution, Independent Collaboration provides an environment where the infrastructure gets built for stability and strategy. The information security, governance, and risk management functions are mature enough to handle growth. Monitoring of the network and logs is done independently, 24x7x365, by a managed response team, so incidents can be detected quickly.
It requires communication and cooperation from all parties involved, but it's all doable with a regular cadence of check-ins, along with on-demand ad hoc meetings.
When done correctly, Independent Collaboration takes a balanced approach to bring together the proper expertise, while keeping vendor management and middle-man relationships low – the best of both worlds when outsourcing IT and IS.
You’re probably asking: “how do I do this?” or “how do I avoid the pitfalls?” And that’s why this is a 2-part blog post. In Part 2, I’ll talk about the framework, including the players, the roles, areas of conflict, management practices, and more.
In the meantime, if you have specific questions about outsourcing some or all of your IT and/or Information Security, please email us at support@bedelsecurity.com.