In today's market, customers have a wide range of purchasing options available to them. Consequently, I have been asked on numerous occasions whether it is best for businesses to meet their security and GRC requirements via a traditional consulting model or using a managed service. This guide will help you to understand the factors which you should consider when making this important decision for your business.
- Do you have the in-house skills to deliver the objective?
The availability of in-house skills is a crucial part of the decision to go with a managed service solution for delivering security and GRC solutions. It is not just the technical expertise but the end to end capabilities that should be considered. Making a success of both access security and GRC does not just require technical skills in the specific product or application, but a wider appreciation of business process, business objectives as well as audit and regulatory requirements. Depending on the solution, you may also require infrastructure, hosting, DBA, platform level support and application expertise to deploy and operate the technical solution properly. Whilst many of these skills are becoming commoditised and are freely available in both the permanent and contract market, finding some of the more specific skills where knowledge is required on both the 'Why', and the 'How' is far more difficult to find.
If you have a proportion of the above skills in-house, then it may be that you are better off engaging on a consultancy or advisory services model, as you only really need to temporarily augment your own team's skillset with the additional expertise required to make your project a success. However, if your business is missing some of the fundamental supporting skillsets or has capacity issues, adopting a managed service approach will allow you to achieve your security objectives more completely.
- Do you have access to the investment/project funding to achieve it?
With the best will in the world, many security projects which do not succeed are hindered by customers who fail to treat them as a project in their own right. By trying to deliver project changes with a 'business as usual' mentality, the solution invariably becomes confused and remains incomplete, removing the prospect of delivering any true value in the long term.
If funding is available, or at least accessible, your business is more likely to be looking for consulting services. However, if your finances are less flexible, the managed service option allows you to access the right consulting skills but delivered in a manner that can be obtained through operational BAU budgets. By moving the cost into an operational spend, funding constraints can be removed. It will still be a 'project' with all of the advantages that this process brings, but the payment is smoothed across the term of the service, thus avoiding the high-profile implementation and licensing costs that cause many investment decisions to be refused.
- Do you have a proven track record for successful project delivery?
The ability to successfully deliver projects time and time again is often directly linked to your in-house skillset, as discussed above. If you have a consistent delivery mechanism with a strong delivery success rate, then it may make sense to augment your delivery team with external expertise to advise as part of that delivery approach. However, if your projects often suffer from delivery challenges that result in actual or perceived 'failure', then why not consider outsourcing the implementation as part of a managed service? The supplier will have particular experience in delivering these solutions across multiple customer sites, will know what to look for and how to avoid the common pitfalls thus immediately providing you with a better chance of success and a higher quality solution.
You should also keep in mind that it is in the supplier's interest to get you onto their service with minimum fuss and therefore, they will be keen to employ sufficient delivery rigor to ensure that the project is both successful for the customer and smooth for the provider to support.
- Do you have the support infrastructure to 'land' the project?
The ability to support the service once the implementation is complete is the single most important factor in choosing between consulting and managed services. If you have an integrated support team that can handle the generic infrastructure, application hosting, support ticketing, incident management and application specific expertise, then the choice is clear. You only require the consulting support during the actual implementation project to provide capacity or particular expert advice on a temporary basis. It may be that you sign up to an application support contract to augment the particular niche skills required, but you can achieve a lower TCO on your project by rolling in the commoditised skills with your existing teams and suppliers.
If there are questions on the ability of your existing team to actually land this additional project or to support the new technology that may be deployed, then perhaps a managed service is the way forward. It may also be the case that your IT strategy is shifting to provide fewer services in-house and divert the internal IT spend on competitive advantage in your chosen business. In which case why not let the experts handle what they are good at, allowing you to focus on what you are good at?
- Can you innovate and advocate to continually grow the ROI from the initial implementation?
Many consulting service delivered implementations are of fantastic quality. However, if the same consultants return after a short period of time, the consultant is often greeted with one of two scenarios:
- The solution is identical, or has not moved into new ground or undertaken new ROI opportunities
- The solution has mutated into a mix of non-adherence to design, or is riddled with bugs due to "tweaks" to the business solution
In both cases, this is mainly due to customer led advocacy of the solution. In some cases, the advocacy is missing entirely, and the customer continues to simply operate implemented processes without regard for a changing business requirement landscape or growth opportunity. Alternatively, the advocacy is there but the expertise to deliver on that ambition is not, leading to further tactical solutions or changes that may not be in the interests of the product. It is very rare for a customer to take on the end to end management of a GRC product, keeping pace with new developments, providing a conduit for business driven changes and continual improvements to grow the ROI. If the product is to continue providing you with business value, there needs to be the appropriate investment of time to keep abreast of innovations and often to drive them. Where that might detract from a customers BAU role, it is absolutely the function of a service provider to ensure that their service offering is commercially relevant to existing and new potential customers.
In conclusion, there is no single 'right' solution when choosing between consulting and managed service security and GRC solutions. Every customer is different. Even if one of the indicators mentioned above sounds like you, it is unlikely that a single aspect of the topics discussed will be sufficient to tip the balance to managed service. If, like most organisations, there are multiple similarities between your experiences and my blog, then perhaps thinking about delivering such business change projects via the managed service route merits further consideration.