For Jay Ferro, CIO of the American Cancer Society, his employer’s mission hits far closer to home than those of most others in his position. The father of three boys, Ferro lost his 36-year-old wife, Priscilla, to cervical cancer in January 2007. In her memory, he founded Priscilla’s Promise, a non-profit organization that brings greater awareness to cervical cancer.
Inspired by his personal experience with the disease, Ferro joined ACS as CIO in 2012 with the mission of applying his abilities as a savvy technology leader who understands how to apply IT solutions to achieve business goals. He was driven to ensure that in addition to supporting the organization’s infrastructure, IT also furthered its causes.
My wife often jokes that we had a child for the sole purpose of giving me a good reason to read Dr. Seuss’ books on a regular basis. When she does this I object- vehemently; she is absolutely wrong! I would most definitely read Dr. Seuss whether or not I had a child.
So it came as no surprise last week that I found myself reading “Green Eggs and Ham” to my daughter. After finishing the book and tucking her in, I sat down to do some work and began thinking about something in the recent CAST Report on Application Software Health (CRASH). The CRASH study noted there was no difference in the structural quality between in-house and outsourced applications. More specifically, the report revealed that applications developed onshore (even if outsourced) versus offshore showed no difference in the Total Quality Index (TQI) between the two.
In other words, “do you want to outsource your software here or there…it makes no difference.”
As an increasing amount of software is outsourced, regardless of whether it is near-shore or offshore, the inevitable questions continue to rise about security and software quality. Five years ago, the answer was simple: the quality of the software coding was frequently suspect. Today, however, much has changed.
Amplitude Research released a study in October, sponsored by VanDyke Software, which reported that exactly the same percentage of respondents (36 percent) believe offshore outsourcing had a positive impact on their network’s security as believe it has a negative impact. The remaining 28 percent indicated off-shoring has no impact one way or the other. The study notes that worries about the security ramifications of off-shoring software development is fading. In 2009, just 24 percent indicated off-shoring had a positive impact, while 50 percent believe it had a negative impact. Follow-up questions in the study revealed that many who believed off-shoring negatively impacts security noted other issues that arose during the relationship, such as language barriers and service issues. Additional follow-up questions yielded that 48 percent of those who felt off-shoring had a negative impact on security were uncertain about offshore security or concerned about increased security risk exposure.
Conversely, among those who stated off-shoring made their organization more secure, 42 percent said the offshore team did a good job, 39 percent noted the deal resulted in cost savings and 15 percent identified the 24/7 nature of the offshore model delivered better network monitoring and support. In terms of off-shoring destinations, India remained the most popular, cited by 79 percent of respondents, followed by China (40 percent), Mexico (26 percent) and the Philippines (19 percent). The types of projects most frequently “off-shored” were help desk or user support (62 percent), followed by app development (52 percent), database administration (42 percent), application management (36 percent), data storage/backup (35 percent) and network monitoring (33 percent). Close to 8 in 10 respondents noted off-shoring multiple types of IT services. These findings seem to agree with the CRASH study.
Recently, CIO’s Stephanie Overby published her Twelve IT Outsourcing Predictions for 2012. A couple of these impact software structural quality. She notes that outsourcing customers will be seeking increased innovation, global flexibility or better technology, while service providers continue to focus on labor cost arbitrage. In addition, Overby predicts IT offshore providers will increasingly take over infrastructure outsourcing. They have “slowly but surely” built infrastructure capabilities to move beyond application development and maintenance projects.
One security manager who blogs for the IDG network of publications under the pseudonym “Mathias Thurman” last year noted that he believed certain software functions should never go offshore. He lists “investigative work, such as forensics or anything that would require administrative action against an employee or other company” as well as “the administration of our data leak prevention infrastructure” among such actions.
But a lot of this commentary misses an important point. Developers should establish, follow and continuously review requirements for software structural quality for any code created, whether it’s developed on-shore, near shore or offshore. Enterprise IT teams should ask developers about their structural quality initiatives as part of the vetting process. Developers that do implement these processes and provide the kind of visibility into their work would be able to leverage this as a quality differentiator because such openness restores much of the control that is normally lost in an outsourced effort.
There are several software analysis and measurement solutions available, including those developed by CAST, to analyze the quality, performance, security and risk within a developer’s product and provide visibility into the development process. For developers in emerging markets, where software development prowess is less well known, this offers an especially strong opportunity to gain a competitive advantage by demonstrating the structural quality of their work.
As we approach the end of the year and it’s time for New Year’s resolutions, I suggest software developers worldwide make a pledge to scrutinize their applications more closely for structural quality in the coming year and that companies outsourcing projects should insist upon this kind of visibility. In doing so, they may find they do so like outsourcing IT here AND there.