The CTO s Guide to Outsourced IT

The CTO s Guide to Outsourced IT Bart McDonough, CEO Agio Superior Managed IT & Security Services

CONTENTS 1. Introduction 2. A Snapshot of Outsourced IT Services A. Past B. Present C. Future 3. The Top Eight Reasons to Outsource IT 4. What to Look For 5. Decision Process A. If to Outsource B. When to Outsource C. What to Outsource D. Choosing Your Provider 6. Conclusion 2 3 3 3 4 6 7 10 10 10 10 10 12 1

1. INTRODUCTION As someone responsible for your firm s technology, the procurement of outsourced IT services is one of the most important decisions you can make. It can be costly or generate large ROI if you select the right provider and services for your specific needs. When considering outsourced IT, some of the questions you may ask include: How do I know which services I need? How do I know which service provider to choose? How do I ensure that institutional knowledge is retained in the outsource process? With the evolution of service delivery models, such as cloud computing, how can I ensure what I buy now will still be around in two years time? The goal of The CTO s Guide to Outsourced IT is to help you answer those questions and make the right choice for your firm. We ll cover information like: 1. Identifying the core elements of an effective IT managed service 2. Knowing what to look for in your service provider 3. Clarifying the basics of cloud computing (and other next generation services) and what it can do for your business If you are a CTO, CIO or senior IT manager considering outsourcing or upgrading your outsourced IT, then this Guide is for you. It is written within the context of financial services, specifically alternative investment firms. The alternative investment space is somewhat unique in terms of IT provisioning, as firms can have very large revenues, require critical applications, and yet have a small physical IT footprint. A managed IT service provider specializing in alternative investment firms knows the intricacies of this environment and how to maintain uptime on your dealing apps, protect your trading algorithms and scale your IT capacity to meet your growth. As you read through The CTO s Guide to Outsourced IT, keep in mind these four key principals to success: BE CLEAR Know which functions you will be outsourcing, and which functions you want to retain in-house. Focus on your core business and let your chosen provider focus on the delivery of non-core services. CHOOSE YOUR IT PROVIDER CAREFULLY Conduct an in-depth review of provider s financial standing, ask for client references and do a competitive analysis of their service charges. DEFINE YOUR SERVICE LEVELS (AND CREDITS) Focus on the areas critical to your business and apply any service credits to those areas. Don t get sidetracked by meaningless metrics. HAVE AN EXIT STRATEGY You need a clear plan up front about how you will disengage from your provider, and write it in the contract. This saves a lot of potential conflicts in the future. 2

2. A SNAPSHOT OF OUTSOURCED IT SERVICES A. Past Although IT outsourcing enjoys a higher profile today than ever before, the concept has been around for many years. Blue chip technology companies, such as IBM and DEC, were providing outsourced IT services in the 1980s, even in the form of hosted services. At that time the services were typically targeted at large corporations, and very few SMBs were eligible. Historically there were two categories of outsourced IT service available: 1. Application Managed Services: The provision of a managed application, or suite of applications. The applications were usually aligned to a core function such as HR, or to a particular market segment, for example hedge fund CRM software. In the trading world this type of offering is reasonably mature. 2. Infrastructure Managed Services: The delivery of the underlying infrastructure which supports the application estate. This may cover all or part of the infrastructure environment, from network and data center through to the desktop and help desk. B. Present Over the past five years there have been many developments in the managed services space. Two of the most significant have been: 1. The acceptance of software as a service (SaaS) as a means of application delivery. This model has three key benefits: a. Application deployment lead times can be significantly reduced with the application already running somewhere else. b. Licensing models are much less capital-oriented than traditional models; generally you pay a monthly subscription as opposed to a large upfront amount. c. You don t have to worry about building or managing the infrastructure to support the application, as it runs from the provider s data center. 2. The growth of multi-tenant infrastructure management tools, which have had several effects: a. IT managed services have become more accessible to a wider client base, including SMB organisations. b. New toolsets have become an enabler for smaller providers to deliver IT managed services, which previously could only have been offered by enterprise providers (lower investment required). c. There is a wide variance in the quality of services delivered. New tools do not turn break/fix providers into managed service providers overnight. 3

In both cases the Internet has become an acceptable channel for both managing infrastructure and delivering applications. However, the rapid growth of both services and service providers means the market is more disjointed now than ever, but this may be about to change... C. Future This is certain: IT outsourcing will continue to evolve. New delivery technologies are emerging, network bandwidth continues to become more accessible, and innovative charging models are developing. However, the most significant development in recent years has been the growth of cloud computing. What was previously a concept is now a reality. THE CLOUD: While there is no single view of cloud computing, it s obviously impacting the delivery of IT services significantly. Essentially there are three types of cloud solutions: PRIVATE dedicated to one organization PUBLIC shared between multiple organizations HYBRID a combination of private and public cloud resources Although the major vendors have many ways of presenting their cloud offerings, there are effectively three main categories of cloud-based service: 1. INFRASTRUCTURE AS A SERVICE (IAAS) This refers to the delivery of (usually) a virtual environment for the hosting of infrastructure functions or applications. This can range from a simple virtual server to a complex combination of hardware and software resources to deliver a complete application environment. These services are generally charged on a utility basis, meaning you only pay for what you consume. This model is particularly attractive for temporary or interim requirements, such as the provisioning of development and test environments or for replicated disaster recovery facilities. 2. SOFTWARE AS A SERVICE (SAAS) The delivery of applications across the Internet is not a recent phenomenon. Managed application services, most notably in the form of Software as a Service (SaaS), have been a long established and successful mode of delivery for enterprise applications like risk management, CRM and market data. More recently, the market has expanded to all types of applications, and SaaS is now universally recognized as a smart way to deploy applications without having to invest in the underlying platform. 3. MANAGED SERVICE PROVISION (MSP) Like SaaS, this has also been around for some time and is really a bucket for other types of managed IT services delivered across the Internet. The range of managed services available is wide and varied, from network and perimeter management to remote desktop management. The most successful MSP application in recent years has probably been managed email anti-spam. This is now widely accepted as a secure and cost effective means of spam filtering without having to invest in, and maintain, in-house appliances or software. 4

Cloud Services: Benefits Cloud services will continue to grow rapidly over the next few years as portfolios expand, and although each of the above services may have a diverse application, they have a common set of benefits: REDUCTION IN ONGOING CAPITAL EXPENDITURE Typically a consumer of cloud services does not require any investment in hardware equipment or software licenses, nor the retention of skilled IT resources to maintain those services. UNLIMITED CAPACITY Peak demands can be met without unnecessary investment in additional hardware and software. SERVICES CHARGED ON A UTILITY BASIS You pay only for what you consume; certailnly a more attractive model than investing in heavily depreciating assets, which have to be continually refreshed. Cloud computing is, no doubt, a game-changer for the industry, but there is still a widespread degree of scepticism over the hype generated within the industry. That said, the potential benefits are clear. As a CTO, CIO, or IT manager, you may be seeking reassurance that shared cloud environments provide sufficient security. The right provider should be able to give you the confidence that your data is secure. This can be achieved on three levels: 1. Your provider s data center should have the right security accreditations, namely SSAE 16 and ISO27002. These certifications are evidence of audited, best practices for handling data securely. This should be supplemented with strong perimeter security measures, such as intrusion detection and prevention systems (IDPS) ideally independently audited. 2. The provider should employ the latest security techniques and toolsets, such as data loss prevention (DLP) and information protection and control (IPC). These technologies can centrally monitor, encrypt, and control the movement of your sensitive information, essentially mandating where your data should be. This can be further enhanced with the addition of identity management systems (IdM), which offer an additional layer of access control to systems, applications and data. 3. There should be evidence of stringent data protection measures. This includes encrypted backups and secure off-site tape handling to not only ensure your data can be recovered, but also that the actual backups are securely stored. 5

3. THE TOP EIGHT REASONS TO OUTSOURCE IT Although there are some shared components across other markets, the alternative investment industry has a unique set of requirements in terms of IT provisioning. Downtime, data loss and decreased productivity are expensive consequences. So what are the key challenges in building an IT function in such a critical environment? My top eight are listed below: A. Maintaining the Availability of Critical Systems and Applications If your systems are not available, your business cannot function. Well designed architecture, proactive systems management and practical capacity planning are the most effective means of keeping your applications available. B. Contingency Planning for Disaster Scenarios It s the CTO s worst nightmare. Any number of potential scenarios could cause your business to stop functioning. The most common culprits are power or network outages to your primary data center, or the failure of a major system. Planning needs to take into account all aspects of service, from facilities and technology to people and processes. C. Maintaining Data Security This is particularly relevant within the alternative investment segment. Market data, investment ideas and trading applications are the lifeblood of any firm and data must be protected from unauthorized access, malicious attack, accidental loss and employee theft. D. The Ability to Expand Quickly as the Business Grows A primary firm objective is obviously to increase the value of assets under management. This has a direct impact on the provisioning of your IT services. If your IT function cannot flex, your growth potential could be prematurely restricted. This is less likely to be an issue for a good outsourcer who is proficient in the design, build and operation of new services. E. Delivering Leveraged Services Even large alternative investment firms struggle to resource all of the elements of an effective IT service. Outsource providers have the advantage of leveraged functions where the cost of delivering services is spread across multiple clients. As an example, the cost of building a 24x7 operation may be unsustainable for a single operation, but is perfectly viable when that cost is allocated across several clients. F. Access to Experienced IT Resources The recruitment and retention of skilled IT resources is always a challenge. Commercial service providers will generally have larger pools of resources with more in-depth technical skills than in-house teams. This is simply due to the fact that specialist providers can offer greater career development and more opportunity for technical teams to apply their skills. That strength in depth also helps to reduce the impact of sick days, vacations and covering 24x7 shifts. 6

G. Commercially Binding Service Levels An established service provider will offer contractual service levels with a service credit regime for nonperformance. The reputational risk of non-delivery and the threat of financial penalties are effective tools in driving a level of performance beyond that of any internal IT team. H. Reducing the Peaks of IT Service Expenditure Outsourced IT services are, by their nature, more predictable in terms of financial profile. Depending on the cost model you adopt with your provider, an IT managed service should have a flat monthly charge to make IT expenditure more predictable. 4. WHAT TO LOOK FOR Once you have made the decision to move forward with an outsourced model, what should you look for in a service provider? Although it may not be obvious on the surface, the differences between providers can be significant. You should expect a number of benefits: A. An Intelligent Help Desk 1. Help desk agents should be courteous, professional and above all else, knowledgeable 2. The desk should be able to resolve tickets quickly and effectively 3. If you don t like wasting time on the phone, a good service provider will offer a web portal to log and track tickets or provide email ticketing with regular status updates Make sure they have taken no shortcuts in building an effective help desk. A good help desk needs skilled staff, comprehensive training and an investment in the right tools and technology. B. An Efficient Desktop Service Desktop management is one of the most expensive components of any IT service. Your provider should be able to deliver: 1. Quick provisioning of new desktop devices 2. A reduction in end-user problem tickets 3. Effective data loss prevention and security 4. A lower TCO through economies of scale and efficiencies The key to achieving this is through standardization, tools and processes. This starts with the development of a streamlined build process for desktop devices, establishing baseline patch and security levels, agreeing user policies and profiles that meet specific business needs, building automated application deployment packs and using an effective desktop management toolset to maintain health of the desktop estate. 7

C. A Highly Available Infrastructure and Application Environment Not surprisingly, this is number one on the list for most CTOs. An effective service provider will always focus primarily on the availability and performance of networks, systems and applications. This can be achieved at a number of levels: 1. An operations bridge will provide 24x7 monitoring of system events, alerts, security logs, etc. Any events should be automatically logged and handled as problem tickets. 2. Proactive housekeeping will maintain operating system, database and application environments and avoid any unexpected capacity or performance issues. 3. Comprehensive patch management will maintain the reliability and security of systems. 4. Strong operational procedures and service processes will eliminate unnecessary mistakes and ensure that unavoidable problems are resolved clinically. 5. An effective data protection service will ensure that systems and application data are backed up regularly, stored securely and recovered quickly when required. D. Maintained Data Security and Integrity This is another non-negotiable. A professional IT service provider will already have an effective IT security framework. This should cover all aspects of data security from the client device to the data center: 1. Central data loss prevention systems will ensure that users can only store and move data where your company policies permit. This is particularly important if and when you suspect an employee is about to fly the nest. 2. At the client level, anti-virus, personal firewall, media encryption and access control systems help to prevent accidental or malicious loss of data. 3. Identitied management systems prevent unauthorized access to your systems and data. 4. Perimeter firewalls, Internet content control systems, anti-spam gateways and intrusion detection/prevention services ensure that your data is protected at the data center. E. Defined, Predictable Service Costs This is usually one of the key differentiators a mature service provider can deliver. A professional provider should offer a catalog of services, which will give you predictable pricing and shorter lead times. This catalog will generally be available as an online application and should be integrated with your procurement process. F. Comprehensive Management Policies In addition to robust operational procedures and processes, your service provider should have welldefined management policies to keep you both in the clear. These include: 1. INFORMATION SECURITY POLICY An effective information security policy sets the standards to which IT systems and networks should comply. This involves looking at all aspects of IT security, from Internet usage through to data protection, with a view to maintaining acceptable use of systems, preventing disruption to systems and avoiding potential data leakage. 8

2. SERVICE CONTINUITY & BCP/DR PLANS Service continuity and BPC/DR are interdependent, though often misinterpreted. The differences are: Service continuity is a process generally undertaken by your provider to maintain the continuity of your services. This should involve a continuous review of all aspects of the operating environment to ensure that the services meet your service levels. Disaster recovery (DR) generally applies to the recovery of a primary operating facility (e.g. a data center) following a major incident. The level of service provided following a disaster will often be lower than that in the primary facility, but enough to operate your business. An effective DR plan will execute a regular test, at least annually. Business continuity planning (BCP) has a wider context and applies at an organizational level. It looks at facilities and people, as well as IT systems. Both disaster recovery and service continuity are major planks in the delivery of BCP, so it s vital your IT provider has advanced plans for both. 3. IT RISK MANAGEMENT PROCESS Risk management, in an IT context, will identify, assess, and manage risks against the delivery of IT services. This is primarily to remove or mitigate circumstances that could cause a potential service disruption or failure. The IT Risk Management process forms an integral part of the overall business Risk Management plan. 4. EXIT MANAGEMENT PLANS Exit management is often one of the most overlooked aspects of an outsourced IT service. No matter how good your service provider is, there is always the potential you will need to in-source services because of an organizational change, merger or takeover. An effective exit plan will outline all aspects of the IT service, including assets, people and procedures, and document how these would be transferred in the event of an exit event. G. Informative Service Reporting The success of any service can usually be measured at two levels: 1. Popular user perception 2. Service metrics IT outsourcing should not be intrusive. Systems should stay up, applications should meet performance benchmarks and changes should be processed efficiently. You can really only know how your provider is performing against each of these elements through your service reporting framework. A well-structured report will cover a number of components: a. A summary of service highlights and lowlights b. Performance against service levels such as ticket resolution, infrastructure availability and application performance c. Details of any major incidents or problems and steps to avoid reoccurrence d. Changes to the service e. Capacity planning information f. Status of any ongoing projects being delivered 9

5. DECISION PROCESS Not only is the decision to outsource a difficult one, but deciding what to outsource, and to whom, can be just as daunting. There are a number of factors to consider when making the decision: A. If to Outsource There is no rule of thumb to define if you should outsource. However, it s worth remembering that you want to be in the trading business, not the IT business. The decision to outsource can often be aligned to other operational areas of your business. For example, if you need to outsource your HR and Payroll function, then chances are you need to do the same for your IT. Of course there may be other factors involved, such as an existing, malfunctioning internal IT function, or simply demands that have grown too large for your existing infrastructure. When delivered well, an IT outsourced service will allow you to focus on your core business without the headache and cost of managing technical systems, technical problems and technical people. B. When to Outsource There may be any number of drivers to outsourcing your IT, but in many cases it comes down to a number of common factors around your internal IT function: 1. Consistent failure to deliver the service levels you require 2. Inability to meet the growing requirements of the business 3. A lack of market knowledge around new IT initiatives 4. Constant resourcing issues around covering rotations, sickness/vacations and the delivery of new projects 5. A failure to retain skilled staff 6. Headcount limitations around the recruitment of new permanent staff members Any of these factors can have a significant impact on your ability to grow your business. If you choose your provider carefully, these issues can be addressed quickly. C. What to Outsource Once you have made the decision to outsource you must be clear about which services you plan to have provided externally. Each business is different, however a common approach is to start by outsourcing standard IT services such as help desk, desktop, infrastructure and data center management, while retaining business specific functions in-house such as application management. When you gain more confidence in your provider, you can always increase the scope of services they provide. But whatever you decide to outsource, be clear and make it contractual. D. Choosing Your Provider This is quite often the toughest part of the decision. You need to be sure that you pick a provider who can keep up your systems, protect your data and scale to your business growth. Quite simply, this means effective due diligence. And that due diligence needs to cover all the bases. 10

1. FINANCIAL AND LEGAL STANDING IT outsourcing agreements can last for several years. It is critical that your potential provider has the financial stability to engage in a multi-year agreement. Managed services generally offer steady, recurring revenues for suppliers, so look for unexplained peaks and troughs in your provider s finances. At a legal level, you should also know if there is any outstanding litigation. The root cause of any such litigation is usually either a failure to deliver or a breakdown in the relationship. Either issue is reason enough to steer clear. 2. TRACK RECORD AND REFERENCES A good service provider will have good client references. A reference is the best way to get a feel for the quality of service you can expect. Start with checking some service reports, ideally around the mid-point of the contract term. Find out how the supplier/client relationship works, how the supplier management team engages, and how the supplier handles changes on short notice. 3. SCALE The size of your service provider is important, but bigger is not always better. Your instinct may be to go with a large, established provider who seems like a safe bet, but you may not get the flexible, customizeable service you need. However, a provider should be large enough to be classified as a full service provider, covering the basics of a help desk, infrastructure and applications capability, 24x7 operations, and multi-site presence. 4. DELIVERY CAPABILITY A good managed service is usually based on a well established set of processes and procedures. It is difficult to measure the maturity of a service provider on the surface, so you need to see evidence of some indicators. Does your provider have: a. A catalog of standard, pre-priced items b. Detailed operational procedures and quality checks/audits c. Policies for BCP/DR, information security, risk management and exit management d. A documented approach to retaining and developing staff e. An outline of how your services would be migrated while maintaining your system integrity f. An investment in systems management and service reporting toolsets to demonstrate that your systems will be proactively managed and maintained 5. COMPETIVENESS You should be aware of what you pay for your service in comparison to the market. The best way to ensure that the price you re paying is fair is to undertake a benchmark exercise. This simply means using a research group to analyze the going rate for the type of service(s) you need. 6. KNOWLEDGE OF YOUR BUSINESS Again, delivering alternative investment IT services is not the same as delivering generic IT services. A competent provider has to know the trading business, your trading applications and what data to secure. This helps to offset the risk of losing institutional knowledge in the event that internal staff leave the business. Moreover, from a security perspective it should be no surprise that most threats take place within your organization. Ask the question, Which is more important, endless firewall penatration tests, or effective data loss software preventing employees from accessing and removing your trading algorithms? Your IT provider should know. 11

6. CONCLUSION The outsourcing process can be complex, yet rewarding. The alternative investment sector is unlike any other industry. Choosing the right services to outsource, the right service model and the right provider is not a simple process. However, choose well and outsourced IT can be a great enabler for your business. Managed IT services has come a long way from where it began, and it is now accessible to more companies than ever before. The future of cloud computing is a reality today and can be a cost-effective and secure way to structure your services. I ll leave you with a reminder of the key principals in choosing outsourced IT, as well as an open door to contact me directly if I can ever be of service in helping you select the right service provider for you. 1. Be clear about what you are outsourcing, and which functions you want to retain in-house. A good start is to outsource general IT functions but retain those specialist in-house functions that are directly related to the delivery of your business. 2. Pick the right service model for your business. If predictability of expenditure is most important, then go with a catalog based model. If rapid growth is a key consideration, then scalable cloud services may be the best option for you. 3. Choose your IT provider carefully. In addition to being of sound financial standing they should be happy to provide client references and to share collateral demonstrating the standards they follow and their delivery maturity. Consider selecting a niche player, one who has an intimate understanding of the hedge fund industry. Also, undertake some form of competiveness analysis to make sure the price you pay is fair. 4. Take time to define your service levels. Identify those areas that are most critical to your business and focus the majority of service credits in those areas. For less important areas you can still define KPI s to measure performance, but with no contractual level of service. 5. Define your exit strategy. It may seem strange to do this in advance, but in reality even if your service provider is delivering a good service, your business model may change and you may need to dissolve the partnership. Define a clear exit plan up front and make it contractual. About Bart R. McDonough, Founder & CEO of Agio A noted thought leader in the alternative investment technology space, Bart developed his nearly 20-year career building and maintaining superior technology solutions for some of Wall Street s best-known firms. Prior to Agio, Bart held Business Development and IT Management roles at BlueStone Capital Partners, OptiMark Technologies, Sanford Bernstein, American Express, and Point72, formerly SAC Capital Advisors. Bart attended the University of Oklahoma and received his undergraduate degree from the University of Connecticut. Bart can be contacted at bart@ About Agio (www.) Agio is a progressive Managed IT & Security Services provider, offering technology hosting, monitoring, management, disaster prevention and recovery, security, and other high-end technology services. With nearly 150 employees, Agio is headquartered in New York City with operational headquarters in Norman, OK. 12

1.877.780.AGIO (2446) sales@