Perilous Outsorcery · Chapter 7 285 Table 7.2 Continued AV Function Dept. ID or Group/IT Function Outsourced AV team X IT support Lab Y Legal and Risk Management Trigger Get Sharing Store Sample Results Results C I C R C AV Security Professional at service provider AV Lab Tech supporting vendor Y's AV tool Security and Risk Compliance Manager (Internal) C R C I A, C To validate a matrix for an outsourced AV activity quickly, the (sub) tasks should have precisely one A and at least one R; letters "A" and "R" cannot be put in one cell together. At least one R belongs to the vendor if the activity is to be categorized officially as being outsourced.The other letters (C and I) are optional, and can be added whenever needed for more quality, clarity, or to allow others to adapt to the new way of working more quickly. It is useful to make up the matrix not only for the imminent scenario, but also for the one that applies currently. In many companies, some basic AV activities are already transferred. Shifting them again will give rise to conflict in vendor relations that can be very hard to overcome. Nobody likes their work taken away without any warning. AV staff remaining in-house will, however, have a clearer view of any changes to their roles, and can discuss that impact with the vendor managers. Critical Success Factors for Surviving AV Outsourcing Here we address the most important CSFs.The excellent publication " The Critical Success Factor Method: Establishing a Foundation for Enterprise Security Management" (Richard A. Caralli et al, July 2004) defines critical success factors (CSFs) as "key areas of performance that are essential for an organization or manager to accomplish its mission or objectives." The authors make clear that any AV operational activity must be tightly couple to one or more operational (business) goals in order to obtain or keep management support for what will become your AV gear box, and hence your way to succeed in outsourcing AV. So the obvious question is: do you know your mission and business objectives, and what you need to accomplish that? If you don't know, ask your manager for more information. Managers should implicitly know and consider the key areas when they set their goals, and direct operational activities and tasks that are important to achieving those goals. But operational staff are usually less aware of the (often complex) hierarchy of goals and missions. www.syngress.com