Application Security Testing: An Integral Part of DevOps
Over the last few years, there has been a tremendous amount of discussion, arguing, and writing about outsourcing. Decades ago, we started offshoring manufacturing—blue collar work—to China and many other Asian countries. There is very little manufacturing happening in North America and we all came to accept that. But in the late nineties and especially in the early years of the 21st century, this trend also started to affect IT jobs that were considered to be high paying and safe white collar jobs. There are many arguments for and against it. There are many emotions and fears associated with outsourcing. Many of us working in the IT industry have been affected by it directly or indirectly. If we haven't been affected by it yet, we for sure know a friend or neighbor who has been.
This article does not intend to argue the very fact of whether to outsource or not to outsource. There are enough articles out there that do already that. This article is intended to shed some more light on how that will affect IT organizations—what will be offshored over time and what will not be offshored. This article also covers how to manage an outsourcing relationship. What are the best practices you should put in place to make the outsourcing relationship a success? Realizing that my audience is scattered around the world, I want to stress that these best practices are mostly from the view of an organization that establishes a relationship with an outsourcing vendor. Outsourcing vendors will have best practices in place that mirror those.
What Were the Enabling Factors for Outsourcing?
What does that have to do with outsourcing? IT, having gone through the standardization phase and just now entering the utilization phase, has really enabled the widespread use of outsourcing. Without standards, it would be very hard to outsource. Nowadays, there are standards in place for hardware as well as for software. There are many common practices about how a software application should be built. Because of these standards, it is now possible to outsource the development of applications. Secondly, IT itself has made it possible to collaborate and exchange information easier and faster. Technologies such as TCP/IP networks, the Internet, VPN, VOIP, e-mail, instant messaging, and many more make it easy for your IT infrastructure to span the globe. It virtually does not matter anymore where your workers are sitting as long as they have high speed Internet connectivity.
Which Parts of IT Will Get Outsourced and Which Will Not?
IT used to have the image of technology gurus sitting in the corner, coming up with new magic code or hardware components. This is a thing of the past. As a rule of thumb, the closer you are to your internal or external customers, the less likely your job is to be outsourced. It doesn't matter where someone is located when it comes to coming up with the most sophisticated programming logic. But it does matter very much when it comes to understanding the pains and needs of your customers, whether these are internal or external customers. Software development can be split up in two parts.
First, you need to understand the pain and need of your customer's; this gets translated into requirements. Understanding the requirements requires closeness as well as a good understanding of the business your customer is in. Coming up with a proper architecture and design of the solution also requires a good understanding of the business the customer is in as well as a good understanding of the overall IT infrastructure needs the customer has. All this translates into requirements and design specifications that detail the what and how of the product. These functions are typically done in-house.
The actual implementation of the product, meaning the actual writing of the code and the actual testing, can be done wherever you have skilled resources available. Nowadays that can be India, China, Russia, or many other countries. And, that is a growing trend in the IT industry. You define the what and how; then offshore the actual implementation and only oversee it so it meets the what and how when delivered.
There is one more area that companies tend to keep in-house; that is high-value product research. When it comes to inventing the "next big thing," this is likely still done in-house. Some of the research is done offshore, but that tends to be more product renewal, meaning you have an existing product and you renew it year after year so you can continue selling it as new a product. For example, each year hardware vendors sell new versions of an existing laptop series that are just slight adaptations, like a better processor, a better video screen or card, and the like.
What Does that Mean for the In-House IT Organization and IT Employees?
IT organizations must recognize this new business environment unless they want to be surprised by it one day. Each individual employee in the IT field needs to recognize this change. Soft skills are as important nowadays as hard skills. Good communication skills are a must to interact effectively with customers and outsourcing partners. Good time management skills, meeting skills, project management skills, and so forth are all a must to have. Gone are the days where you can get a secure job just because you are an exceptional hardcore C++ developer. IT managers should mandate a certain amount of training in these areas and spend a bigger part of their training dollars on soft skills.
But, employees also need to recognize that fact. You no longer can afford to not work on these soft skills just because they don't interest you. That doesn't mean you need to become the best communicator and project manager in the world. But, good communication and project management skills will make it that much easier to work with your customers. That naturally translates into better understanding the business and being more effective with all the people you need to interact. This naturally translates itself into being seen as someone who can't be replaced.
IT managers should seriously assess how effective their IT organizations are in addressing the needs and pains of their customers. Customer satisfaction may play an important role whether business owners are considering whether to outsource the IT role. Many times, IT is seen by business owners as difficult to interact with, unreliable, and they very often don't understand its value. But rather, they see it as a big cost center. Exposing your IT employees more to the rest of the organization will demonstrate their value and be more responsive to your customers. In such scenarios, cost plays a much smaller role in the decision of whether or not to outsource.
What is the Business Driver for Outsourcing?
Many organizations have decided to jump on the outsourcing bandwagon. The industry has matured the last few years when it comes to outsourcing. It used to be that CEOs heard it's the new trend and it works for others so we must do it too. The industry has a better understanding what works and what does not work. Outsourcing is poised to grow over the years to come. Therefore, more and more employees will be exposed to it whether they like it or not. Only very rarely is IT completely outsourced. In most cases, your in-house IT organization is restructured and complemented with an outsourcing relationship. A contributing factor is that technologies are becoming more complex and that budgets over the last few years have dropped across the board.
It is important to include employees into the process as early as possible. The very fact of outsourcing causes fear and uncertainty. First of all, there must be a clear understanding of the business objective. Is it to cut costs, decrease time-to-market, freeze budget while still increasing R&D capabilities, and so on? When understanding the business objective, it is important to assess what changes are needed in your in-house IT capabilities. A proper assessment can very well come to the conclusion that it does not make sense to outsource but rather make some changes to your in-house capabilities. But, entering an outsourcing relationship forces new challenges onto your IT organization that it must face quickly and effectively or the whole value of outsourcing is in question.
What to Choose: Outsourcing Vendor or Outsourcing Partner?
Now, you have established that outsourcing is the right thing to achieve your business goals. Depending on size, complexities, and other factors, it may very well make sense to get help in that assessment. Next, you need to go through an RFP process that will end up in a selection of an outsourcing vendor or partner. Here, I make a clear distinction between vendor and partner. You should know right from the beginning what type of relationship you are after. An outsourcing vendor relationship is where you hand off clear specifications and monitor the delivery. Your objective is to give an agreed-upon piece of work to a vendor and that he delivers it to the agreed-upon specification, time, and cost back to you. This naturally means there is less interaction between your IT organization and the outsourcing vendor.
An outsourcing partner relationship is more like a natural extension of your in-house IT organization. You want to interact with the outsourcing partner on a very regular basis, best on a daily base. The outsourcing team is a team dedicated to your organization and performs whatever work it gets fed from you. You worry less about on agreeing what a project costs you. You know, based on the team size, what your monthly costs are and you feed it whatever work needs to get done. You can shift priorities as you would with your in-house team. You foster a long-term relationship with the employees who, over time, understand your culture and how you do business. They will also understand your business better over time and therefore will become more effective.
A lot of organizations get confused about which model to choose; this then creates confusion for staff on both sides. Choose the outsourcing vendor model if you have discreet projects with clear specifications and exit criteria. You want to avoid any unnecessary management overhead. The completion of the project then might terminate the outsourcing relationship or let it enter a new phase—such as ongoing maintenance of the product. Choose the outsourcing partner model if you want to expand your capabilities while leveraging cost efficiencies. You are complementing your in-house IT staff with outsourcing staff. Treat them as part of your team. They need to feel they are part of your organization. You develop their capabilities and your industry knowledge so you can leverage it for future projects. Your management overhead is higher but you have ongoing return of investment. This model applies if you, for example, use the outsourcing partner to create an annual release of your product.
The remaining sections of this article apply more to an outsourcing partner relationship.