Security startup confessions: How to tackle outsourcing
My name is Kai Roer and I am a co-founder of a European security startup, and these are my confessions. I hope you will learn from my struggles, and appreciate the choices startups make when security matters. I will share experiences from my own startups (my first was in 1994), and things I have learned by watching and advising numerous other startups around the world.
Picking outsourcing partners can be a tricky thing.
On one hand, you need them to deliver high quality, often on key elements of your business. On the other, you may not want to give away your secrets to companies in other countries, who may hire staff you have no control over.
In the great majority of cases, companies opt for outsourcing either because they want to lower direct costs (salaries come to mind), or because they need knowledgeable and competent workers they can’t find and employ locally. To these motives you can also add the following: flexibility in workforce planning, business-to-business contracts that reduce liability, and possibly even the option to not have to care about workforce safety.
When all this is taken into consideration, it’s no wonder that outsourcing is an attractive option for some companies – including mine.
I have been involved in the outsourcing of a large variety of tasks and operations to other companies since I did my first service-purchase in the mid-1990s. Some of these choices turned out to be very successful, others became lessons to learn from. Risk is omnipresent, and outsourcing your business to others is a major risk.
For a small company, in which everyone has to do everything, outsourcing can be an attractive way to grow. One lesson I learned very early on is that outsourcing partners should be about the humans who work there, and how you get on together.
Back in the 1990s, I ran a small software company in Europe that had potential for growth. To enable that growth while avoiding the risk of paying salaries to developers when they were not required, we decided to jump on the outsourcing bandwagon. But we wanted more than just low costs – we wanted a partner who we could grow with.
In the next six months we tried to find companies from countries like Hungary, Bulgaria, India and Russia that we could outsource work to. They all offered good pricing, and I’m sure they were great at delivering the services required by their customers. Yet, none of them were a good match for us. A different culture, inadequate communication skills, a disregard for our code requirements – the list grew longer after each new company we tested.
Then one day I received an email from a stranger. A guy called Mamoon pitched me his new company, located in Pakistan. We set up a Skype call, and we immediately hit it off. We quickly moved on to testing his team, and from there on we decided to work together. Over the next few years, we were both able to build and grow our companies, and Mamoon and I became friends on top of being business partners.
Investigating potential partners and learning how to successfully outsource a critical business function took a lot of effort and significant investment. It also took a lot of time to learn how to manage the process of outsourced development in an effective way. I think it helped a lot that our main focus was not cost-reduction, but a low-risk and flexible way to grow our team.
Since then, I have witnessed a lot of poorly executed outsourcing attempts, and I became convinced that cost reduction is a good reason for outsourcing only if you want to outsource something that can be easily replicated and sold as a packaged service (e.g. accounting, help-desk).
Cost reduction alone tends to lead to poor quality services, high turnover, and poor results over time. And during that time, you have disgruntled employees throughout your supply chain.
To reduce the risks involved in using outsourcing partners, I find that a focus on mutual benefits, combined with a risk-based approach, gives good results. Outsourcing for the right reasons, like growing the workforce, adding competence, and accessing commodity services makes sense.
But most importantly, instilling the security culture you expect from your own in-house team throughout the supply channel is critical. Outsourcing services to other companies is just an extension of your own team, and the best tool against the insider threat is a happy worker.