Internet Outsourcing

Are you considering Internet Outsourcing? Before you begin working with your vendor, you had better first learn how to effectively manage your project.

• 08/26/1999

Internet outsourcing is an incredibly broad topic, but not as broad as outsourcing in general. Outsourcing is a market, growing, by some estimates, to $123 billion worldwide in 2002 at a compounded annual growth rate of over 16 percent (with the United States representing around 40 percent of that.)

Outsourcing can be considered as a portion of all forms of IT services. Services outside outsourcing include standard consulting, system integration, custom application development and maintenance, hardware and software installation and support, network and desktop integration and consulting, and IT education and training.

Outsourcing is a contractual relationship with an outside supplier that takes on responsibility for one or more functions typically performed in-house. Outsourcing categories include information systems, business process, processing services, application, and network and desktop outsourcing.

Outsourcing of information systems is the long-term agreement with a service provider to run the client’s information systems. Usually, there is a service level agreement (SLA) tied to the contract, detailing system availability and performance metrics. Depending on what is contracted, this may include the outsourcing of the operation of the systems, whether in the data center or distributed, and integration of the systems with the local area networks (LANs) and wide area networks (WANs). Disk backup, archiving and recovery, application development, application maintenance, application operation, system maintenance, disaster recovery and help desk operations are also often included in the outsourcing contract. Sometimes, a quantity of related consulting is bundled in.

Business process outsourcing can include any of the following areas, involving both IT and non-IT functions: finance (payroll, accounting), human resources (benefits, compensation structures), administration (401K services), sales (telemarketing), marketing (prospect list generation, focus groups), customer support (call centers), manufacturing (distribution, engineering) and logistics (ordering). The business process outsourcing vendor can become an integral part of the strategic decision-making process of the client for the areas outsourced, almost becoming a partnership arrangement.

Outsourcing of processing services is a big business and can include areas such as check processing, claims processing and payment (credit/debit card) processing. These outsourced services are generally off-the-shelf with little customization and, generally, the client retains control over strategic decisions.

Application outsourcing should not be confused with application development, which is developing, modifying, troubleshooting and delivering a custom application. Application outsourcing is the deployment, management and enhancement of custom or off-the-shelf applications. Generally, the vendor is responsible for managing the infrastructure and connectivity issues required to deliver the functionality. Other areas typically considered include change management and operational and process improvement.

Network and desktop outsourcing targets the support and management of the network and desktop communications infrastructure of the client. This can be for one network and desktop segment up to an organization’s entire networking infrastructure. By 2003, outsourcing of network and desktop operations is expected to be a $30 billion worldwide market, growing at over 16 percent compounded annually, with the U.S. representing roughly half of that.

Usually included in this category are project management, asset management, network design and configuration, installation and upgrades/migrations, backup/archiving/recovery, security management, tools, capacity planning, performance levels, optimization, fault isolation/resolution/recovery and moves/adds/changes. As far as what equipment is monitored and managed, look to include servers of many varieties and sizes, networking hardware (routers, hubs, switches, etc.), PCs and laptops and remote access technology, such as modems and terminal adapters.

Thin-client infrastructure, desktop systems (including network computers), servers and software logically belong with network and desktop outsourcing.

Security for the network, servers and desktops is also included in this form of outsourcing. This could encompass firewalls, server and desktop access procedures, anti-virus software and related products and technologies. When the Internet is taken into consideration, this security subcategory becomes even more important.

Outsourcing of remote network management and monitoring is a prominent piece of network and desktop outsourcing and becomes more imperative in an Internet-based paradigm. This is projected to be a $4.7 billion business in 2002, growing at nearly 20 percent compounded annually. Think of network monitoring and management as accomplishing three objectives:

• Reactive monitoring, which is monitoring for faults; example: A router breaks.

• Proactive monitoring, which is catching a problem before it impacts the end user; example: A router reaching 70 percent utilization signals it is time to install a faster router for that group.

• Predictive monitoring, which is a network planning aid that examines trends for the networking changes that may be needed in a given amount of time, based on current utilization curves; example: Current network load for a router maxes out at 25 percent utilization, but in three months, given how network utilization is increasing, that same router will max out at 70 percent utilization.

The ability to provide 24x7 support can be a driving factor behind network outsourcing. It can take up to five individuals to provide round-the-clock monitoring when weekends, holidays, vacations and overlaps are taken into consideration. In addition, broad geographic coverage spanning multiple time zones plays an important role.

The driving factors for network and desktop outsourcing are freeing resources for other business-critical activities, difficulty in obtaining and retaining a highly skilled support staff, the specialized skills required for network security, the rapidly changing technology, the impact of the Internet and the impact of network expansion projects.

According to a March 1999 IT survey, the three most important reasons for selecting a network services vendor is reliability/availability, technical expertise and cost. A distant fourth is reputation to deliver the promised services.

That same survey lists the number one and number two most important changes expected to occur in networking over the next two years as Internet and intranet integration, and network security system implementation.

The Internet market is characterized by quickly changing and unproven technology and incredibly rapid expansion of telecommunication bandwidth requirements. Integral to this is dependence on the Internet’s quality of service and the continued development of the Internet infrastructure. Coincident is evolving industry standards, rapidly changing customer needs, a fluid competitive environment and frequent new service introductions. Moreover, Internet businesses may be affected by government regulations and legal uncertainties including such areas as encryption, privacy, copyrights, taxation and transmission limitations on suitable content. Complicating and spanning all of these areas are international issues.

With the Internet being so large and pervasive, you would think that outsourcing of Internet-related tasks might be unique to the Internet, or at the very minimum, have futuristic-sounding names or have names specifically tied to the Internet. However, Internet outsourcing categories are generally just particular views of the previously mentioned outsourcing categories. We will survey the spectrum, and then delve into two of the most quickly growing areas as representative samples: Internet server outsourcing and remote firewall monitoring/management.

Help desks are taking on new importance in the Internet arena. Now help desk outsourcing allows Web users to call an "800" number for support. This is especially important during the initial stages of a Web application rollout. Help desk outsourcing still must be viewed as part of the total IT support package, including, for example, break and fix maintenance, remote management and monitoring and asset management. Major driving factors include cost savings, technical and operational competence, support staff availability and retention, complex IT structures, globalization, Y2K and network-centric – especially Internet- and electronic-commerce-centric – computing.

Web site development, along with its two cousins, intranet and extranet implementation, is really just a variety of application development outsourcing and is perhaps the most common area of Internet outsourcing. This is where a portion or an entire Web site’s development and integration are outsourced. One application or an entire application suite may be developed. A growing area of outsourcing of Web site development is Web-based electronic commerce implementation. Typical reasons to select this outsourcing include time to market and qualified expertise.

An old outsourcing stalwart is the outsourcing of Internet-related training and education.

Of late, there is a new Internet business sector forming which lies somewhere between outsourcing and pure consulting: affiliate marketing. What these companies do is create a database of clients, some numbering in the thousands. For each client, they track the characteristics of typical visitors to the client’s Web site. They are also aware of the products and services offered by the clients’ companies. Armed with this information, the affiliate marketing consultant advises client companies as to whose Web sites are most appropriate for banner-advertising their products.

Another category of outsourcing is Web site hosting, i.e., outsourcing the application hosting and management of a Web site. By one projection, this alone will be a $14.6 billion market in the U.S. by 2003. This form of outsourcing is very popular for smaller commercial Web sites. Web site hosting is a subset of the combination of information system outsourcing and application outsourcing. It is the same as what is provided free to most of us that have personal Internet service provider (ISP) accounts (i.e., a personal Web page).

Taking Web site hosting one step further, an organization can co-locate their entire Web server and content with a Web server outsourcing firm and outsource their server’s operation, management and monitoring. These Web server outsourcing firms supply the real estate and personnel for operating the server securely and continuously 24x7 with live monitoring. Furthermore, these outsourcers connect carrier-grade Internet bandwidth directly to the server in their facility. These are two of the major differentiators: 24x7 operation and monitoring, and scalable bandwidth.

These outsourcing companies usually take prospective clients through a cost analysis that shows what it would cost for the client to keep the data center in-house. The cost is generally five to six times higher than the cost of outsourcing: One quoted annual figure is $120,00 versus $700,000. This is a true example of economies of scale by the outsourcing vendor. The savings come from not having to build, staff and operate a 24x7 data center.

The other differentiator is scalable bandwidth. Co-locating an organization’s Web server at an outsourcer’s facility that has a big "pipe" redundantly connected to the Internet allows for almost instant addition of bandwidth. This fulfills a requirement that is difficult to satisfy: What do you do when the number of hits at your site grows unexpectedly and dramatically (e.g., a favorable review or major contract win)? It can be a slow and non-trivial exercise to get new communication lines run from the company’s facility to the ISP’s point of presence. Consequently, vendors providing this form of outsourcing often tailor their offerings to clients that have customized applications requiring variable, growing or high bandwidth availability and scalability.

Look for the following capabilities from Web server outsourcing vendors: security (both physical, information, anti-virus, virtual private networks and firewalls), system administration and support, proactive, collaborative monitoring and management of the server and Web applications, a complete suite of reports, strong disaster recovery capabilities, multiple redundancies, high network availability and management with defined quality of service goals, controlled and limited access to the facility and server farms and locked cages for isolating sensitive servers (such as those from banks or containing credit card numbers). Also look for a mission-critical enterprise focus, Internet system integration expertise and a proven record of accomplishment.

A successful Web-server outsourcing vendor has a broad geographic presence and depends on its ability to adjust to and integrate leading-edge technology and to address the increasingly complex, sometimes unique, and certainly varied needs of its clients.

The last outsourcing area to be considered here is security services. From now through 2003 will be the defining period for this relatively young, but incredibly fast-growing market. A rather meager market of $400 million in 1998, it will grow 34 percent compounded annually through the next five years. And the network security monitoring segment will grow even faster, at 47 percent annually, ultimately accounting for about one-third of all network security-related services spending. What’s more, almost half of all organizations surveyed plan to use an outside vendor for the design and implementation of their security system. And closer to two-thirds will outsource to a network security monitoring service.

Security has many facets. As to what security functions lend themselves to outsourcing, this includes the management and administration of any of the following: firewalls, assessment/audit, logging/reporting/alerting, access control, standard/enhanced/consolidated user authentication, cryptography, certification, anti-virus and physical security.

Key considerations for outsourcing network security monitoring lie in two factors: whether the security function is strategic to the business (e.g., user authentication for home banking) and whether it is a core competency. When "yes" is answered for both, then outsourcing is probably not recommended.

The one thing to never outsource? The ownership and strategy for the overall security policy. This would be similar to outsourcing the IT planning and architecture functions.

Safe Internet connectivity depends on two key items: constant firewall monitoring to stop suspicious activity and immediate OS, firewall and utilities updates with the latest security patches. Let’s look briefly at some of the details.

Firewall monitoring is responding immediately to suspicious activity – including, and up to, shutting down Internet access. It is also tracking hacking patterns for reporting.

Firewall management relates to updating the operating system, firewall and utilities as patches are released. This is crucial, since hackers are usually the first to read security flaw reports and then probe sites using the flaws. Management is also coordinating and tracking the updates from a central location. It also involves implementing, tracking and logging unique customer requirements and changes, also from the central location.

Firewall configuration is the use of standard and proven firewall hardware, software and rule configurations to ensure everything works from the outset without holes. Configuration is the mechanism which customizes the security solution and monitors the client’s unique requirements, tying it to the organization’s security policy. Additionally, it must be integrated with the current network. While the initial configuration is usually hot-staged, the final configuration is updated online across an encrypted Internet link during installation, which saves installation time and costs. Special requirements can also be remotely configured and tested. And firewall backup images can be maintained in a secure central location.

With the Internet and electronic commerce bringing security (and hacker exploits) to the forefront, one of the key factors driving the security outsourcing market is fear: fear of financial loss, intrusion and embarrassment. Another key driving factor is cost, which tells a compelling story in favor of outsourcing. Skilled in-house information security experts are scarce, difficult to hire, expensive to train internally and even more expensive to retain, often commanding six-figure salaries on the open market. Worse, a mistake by a newly trained though inexperienced security "expert" can be more expensive than the cost for outsourcing.

When considering real-time firewall monitoring, the staffing requirements for a 24x7 in-house operation is daunting, especially when compared with what turns out to be a moderate monthly monitoring and management outsourcing fee. Using a service frees up the skilled internal resources from day-to-day fire fighting to more competitive and business-related strategic activities.

Although an important factor, outsourcing vendor selection should not be based solely on price. Most monitoring service offerings are bundled with a firewall and some form of value-added security assessment, design and implementation service. Sometimes, to add a firewall requires networking changes and a network redesign. These changes should be handled at this phase by a competent network services provider.

Look for a complete offering that supplies, aside from the proactive real-time 24x7 monitoring, a security assessment, an intrusion detection system, event and attack signature tracking, audit log reviews, periodic and frequent incident and usage profiles and reports, alarm notification, intrusion response strategies, multiple redundancies, nightly backup capability, event escalation procedures, regular patch updates and inclusion of market-leading products.

Outsourcing, alone, does not replace or fulfill an enterprise’s business strategy. It must be complementary to the strategy. And when it is, there are many good reasons to outsource, such as:

• It supplies critical skills when those skills are scarce, very expensive or difficult to train. It also allows a company to stay on technology’s leading edge.

• It allows an organization to take advantage of the outsourcing vendor’s greater scale and processing volumes to reduce overall transaction or monitoring costs.

• It can bolster staffing on large individual projects.

• It provides access to resources for geographically dispersed projects.

• It can be used to establish a new IT paradigm and attendant processes.

• It allows the internal IT organization to focus on business objectives rather than on the implementation details, allowing them to take advantage of their industry and enterprise (domain) expertise.

• It can reduce or eliminate internal political squabbling and serve as a rallying point for activity.

• Following a merger or acquisition, it can facilitate the integration and standardization of multiple infrastructures, especially by further avoiding partisanship.

• It can reduce infrastructure costs – fixed IT costs – by allowing those fixed capital assets to be sold.

• It provides a more definitive way to determine costs, since there is a specific allocation for the project being outsourced, versus the sometimes more "mysterious" and difficult-to-measure internal cost accounting methods.

• It allows for 24x7 vigilance and maximizing site uptime (e.g., Internet transaction processing, site outsourcing and hosting).

Outsourcing is not a panacea: It may or may not reduce costs. Look first for poorly managed or inefficient functions, and recognize that sweeping infrastructure modifications and stabilization can be a sizable investment, regardless of whether it is outsourced or not.

Organizations that consider IT to be a core business competency or require very fast time-to-market should use less outsourcing than ones that focus more on costs. A sizeable outsourcing deal not directly linked to the enterprise’s business strategy is more likely to fail. And outsourcing can result in increased IT staff turnover.

That is the question: Outsourcing is a means, not an end, and should not be planned in a vacuum. For example, although growing at a healthy rate, outsourcing in general is being impacted by Y2K requirements as companies focus on readying for the millennium.

First, consider costs. General categories include hardware and software, personnel, facilities and outside services. More specific costs that apply across these categories include leases, depreciation, maintenance, expenses, and salaries and related expenses.

Some costs can, and should, remain regardless of whether or not you outsource. Examples include IT management and planning, business-unit interfacing, security management and quality assurance.

There will also be new costs aside from the obvious contractual negotiation and legal costs and vendor and termination fees, such as vendor, SLA and change management functions. When analyzing costs, ensure that a complete life cycle – all of these costs – are compared with a similarly encompassing in-house budget.

Do not minimize the human aspect of outsourcing and its impact, whether perception or reality, on existing personnel.

To achieve the greatest probability of success and cost-reduction consider outsourcing those functions where the outsourcer can provide a service through facilities based on economies of scale and best practices. For example, look for operations where 24x7 operation is required, but the organization seeking the outsourcing runs typically as a 9x5. This particularly applies to Internet outsourcing, where every Internet site, its attendant and required security is, de facto, a 24x7 operation.

By one report, up to 50 percent of all outsourcing deals are considered unsuccessful by senior management, having not delivered on expected business value or IT effectiveness. This can be the result of unrealistic expectations or unclear contractual SLAs, but it can also be due to an improperly managed relationship with the outsourcing vendor.

While it is crucial to closely manage outsourcing projects, it is even more important to clearly establish objectives, scope, responsibilities, SLAs, rules for changes, prices, penalties, escalation, termination, etc., up front in the contract. Plan to take your time during vendor evaluation and negotiations. This allows you to factor in Y2K, consolidation and industry deregulation implications. Any lack of clarity in the contract usually winds up being negotiated during execution, affecting everyone associated with the project, as well as the project schedule and cost.

IT managers are usually responsible for monitoring delivery and vendor performance, and ultimately bearing the risk. During development of the outsourcing project objectives, project risks must be evaluated. Create scenarios that include mergers or acquisitions, government regulation changes, major market price dynamics, new technologies or processes (especially Internet-related), distribution channel changes and international requirements. Any one of these can influence an IT organization’s requirements and impact its outsourcing strategy. Be sure to include senior management in discussions to help determine where the risk factors lie and what their scope is.

Consider the following factors when making plans for an outsourcing agreement:

• Retain sufficient technical staff on the payroll to understand how technology and an evolving infrastructure and architecture map to the business requirements. By doing so, the difficulty to align IT with business requirements can be better managed. Adding outsourcing to the sometimes-divergent mix of business requirements and IT requirements exacerbates any existing problems, and necessitates crisper communications amongst the parties. Those that must specifically be included are senior management, and architectural and tactical teams.

• Monitoring and managing vendor performance usually lies with the IT manager. Micro-managing the vendor is not the answer, and neither is macro-managing (i.e., abrogating responsibility). Only a balance will work. Aside from regular performance meetings between the vendor and the IT organization, more abstract areas must also be managed. These include vendor and in-house staff cooperation, ensuring the vendor understands the business requirements driving decisions, and growing the vendor’s staff’s loyalty to the company, its goals and its objectives.

• Proficiency in the program/project management and architectural functional areas is a fundamental in-house expertise requirement. Consider a team approach in all cases, one that includes these areas plus finance, contracts, business-unit interfaces and operations (facilities, systems, applications, network and desktop).

As an IT manager, you never want to be in the position of having to blame the vendor when, in fact, it was the IT manager’s fault for failing to manage the vendor. With the vendor, be proactive, cooperative, sincere and specific for best results.

About the Author: Charlie Young is Director of U.S. Network Enable Solutions in the Global Customer Services (GCS) organization at Unisys Corporation. He can be reached at charlie.young@unisys.com.