It may be an unusual perspective for a security consultant, but I am a big proponent of creating in-house expertise and, when possible, building teams/software internally rather than defaulting to third party support. At Google, hiring full-time employees for the workplace violence prevention team meant more agility, more control and a long term commitment to building an industry-best program. But we still took advantage of critical third party expertise, especially as hiring at Google ebbed and flowed. We brought in embedded vendors for case intake and organizational support, worked with experts to enhance and evaluate our proprietary methodology, and partnered with consultants for training, employee support and uniquely challenging cases. Combining in-house capabilities with the right amount of third party expertise helped us build a well-rounded and effective program. We made it work, but it’s not always clear how best to weave internal and external resources together. Having now managed partnerships from both sides of the internal-external divide, I wanted to share what I’ve learned about how to make these engagements a success.
As a first step, it’s important to acknowledge and overcome the psychological hurdle of asking for help. This is a challenge in all walks of life, and the workplace is no different. A common piece of advice is to “take your ego out of it.” That may sound nice, but everyone wants validation and credit for their accomplishments – building a successful career may depend on it. The key is not to strip away ego entirely, but to shift your perspective. Managers want to see programs thrive – that’s it. You don’t get extra credit for doing it all yourself. By building a program that is more complex and well-rounded than your personal skillset, you widen your scope and demonstrate the ability to oversee more than just your own area of expertise. That is real growth, and real impact.
There are many reasons to seek third party assistance. The simplest consideration is just the need for “more hands on deck” when hiring full time employees is not an option. Vendors are a natural option where budget is more readily available than headcount. Technical expertise is another area where needs are easy to recognize and psychologically comfortable to accept – most people acknowledge their limits when it comes to technology. Some needs, however, are more subtle. Subject matter experts might help accelerate or enhance your existing program, but with a program already in place and cases to handle, it might be hard to think about moving from “functional” to “industry-best.”
In my experience, there are four broad categories of third party service, each serving a different purpose and presenting unique challenges and benefits.
Technical Assistance:
Best Use Case: You need software and/or tooling to support non-technical workflows (e.g. case management for investigations) and do not have in-house expertise available.
Things to keep in mind:
- Your program should be constantly evolving. Your technical tools must keep pace, and ideally help drive that evolution.
- Every piece of software needs “forever maintenance.” The greater the complexity, the greater the maintenance burden. Make sure your technical provider can meet your maintenance needs over the long term, including uptime requirements and bug resolution.
Embedded Services:
Best Use Case: You need additional bandwidth to execute program tasks, ideally for a subset of work that can be differentiated from work done by full-time employees.
Things to keep in mind:
- These roles present significant risks for co-employment, especially in the wake of a recent National Labor Review Board ruling against Google. Work with your employment legal teams to make sure the work and working conditions of embedded employees are sufficiently distinct.
- Make sure to create internal resilience for work completed by embedded employees to avoid single points of failure with a single vendor.
Ad Hoc Support:
Best Use Case: You want a “bench of experts” that can be engaged periodically for training, assistance on niche or unusual cases, and real world mitigation needs.
Things to keep in mind:
- Availability is critical, so create a deep bench. No one person will be available 24/7/365, and you can’t know when the ad hoc support will be needed.
- Understand what you are paying for. Write contracts that give you cost control mechanisms like pre-approvals and “not to exceed” clauses. Also understand to what degree you are paying for availability in terms of on-call, turnaround time and priority.
Long Term Partnership:
Best Use Case: You want to shortcut the achievement of long term objectives like program building or risk remediation by leveraging industry-leading expertise.
Things to keep in mind:
- Carefully vet expertise of prospective partners. A significant benefit of long term partnership is the transfer of expertise and the creation of company-owned IP. Be wary of partners who don’t have the expertise in-house but plan to hire a role to support you.
- Keep cultural fit in mind. More so than any other form of third party service, a long term partner needs to be able to see the vision through the unique lens of your company.
At PRG, our approach is shaped by the wisdom – and scars – from decades of Fortune 50 experience working with third parties. PRG works across all of these engagement types to give clients everything they need, and nothing more.