Archive for March, 2008

When not to outsource your service or process?

Monday, March 31st, 2008

Clearly, anything that is not core to your business can be outsourced - it is up to you to define which services are core to your business and which are not.

As an example, one company believes the helpdesk is core to its business, while another does not believe the helpdesk is core to its culture and goes ahead and outsources it to IBM completely.

Mark Egan, ex-CIO of Symantec, once said, “Help desk department is the internal-facing ambassadors - they are core to the success of the employees' productivity - I would not outsource it”.

Would you outsource your finance department? Probably not. That is one of your core processes. How about datacenter monitoring? Probably yes - that is not one of your core processes/services and you might as well outsource it.

We have not talked about the risk yet - the overall risk is ‘ownership’. Internal staff tend to own the process/service and try to resolve issues through process maturity, while an outsourced vendor cannot offer ‘ownership’ but can offer accountability.

Bottom line, there is no right answer for this - you measure the risk while reviewing your core services and then make the decision.

Does Computing virtualization (VMwares of the world) help?

Monday, March 31st, 2008

Short answer: Yes. 

Rather thoughtful answer: Yes and No.

Computing virtualization (as against storage virtualization from NetApp etc.) helps reduce outages and lowers the hurdles that aging hardware poses for scaling and growth.

However, virtualization has an upfront investment, including the multi-processing environment (Fujitsu, Sun or IBM blades), and eventually maintenance.

The TCO depends on

a. Mission critical applications

b. High availability of these.

Do you need an application or a set of applications that is available 24x7x365? If yes, CoV (Computing virtualization) is worth exploring. If not, you are probably better off waiting a couple of years for CoV to get better in scalability and coherence with mainstream business applications including ERP, CRM etc.

Security policies for your security gear

Monday, March 31st, 2008

Security gear today, including firewalls, IDS/IPS and IDMs, is a key component of the information security department. However, it is a common observation that this network gear was inherited from another team or a predecessor and happens to have no common policy. The benefit of having a policy for this security gear is scalability.

The more firewalls you need, the less of a problem it is if you have consistent policies - it is easy to push the same policy across to newer locations, and thus a policy is a must.

ISO 27001 and ISO 27002

Monday, March 31st, 2008

What is the difference?
ISO 27001 says how to build your information security practice or department, while ISO 27002 talks about security best practices. ISO 27002 was formerly the 17799 standard.