Utility sets IT department on path to self-destruction

Northeast Utilities tells IT employees it may shift work to overseas firm, but hasn't set deal or severance plan if it comes to it

Northeast Utilities has told IT employees that is considering outsourcing IT work to India-based offshore firms, putting as many as 400 IT jobs at risk.

That's a scary thing for any employee to deal with, but the company is also saying that a final decision has not been made. Everything is up in the air. Where does that leave the utility's IT employees and IT department?

With this move, NU may be prompting its best IT employees to head to the exits, creating a risk that key positions will become vacant. It's a morale crushing announcement, making it difficult to lead an IT organization.

It also creates IT security risks, since disgruntled employees are considered a top threat in any organization.

When you consider all the risks that NU is inviting, this heads-up to employees in advance of a firm plan is "kind of mind bogglingly stupid," said David Lewis, who heads a Connecticut-based human resources consulting firm OperationsInc, especially "since this is IT of all places."

But Lewis and others aren't discounting the idea that NU's internal announcement to IT employees is deliberate and calculated. Keeping details incomplete and uncertain is destabilizing. Employees will begin job hunts and contact recruiters, said Christine Santacroce business development manager for Modis IT Staffing in Hartford. She has already heard from some NU developers.

As IT workers leave in advance of the outsourcing threat, it may reduce the number of severance packages that NU has to offer to employees, saving the company some money. But this destabilization "also becomes self-fulfilling," said Santacroce. With the IT department falling apart, NU might say that "we really need to do something to secure the business" and bring in the outsourcers, she said.

Lewis calls its "artificial attrition," where "you are creating a run to the door before anything is announced." That is the only strategy that he can see to NU's handling of its outsourcing moves, barring some legal disclosure requirement in that industry. "I'm not saying it makes any sense, but you can see it as a strategy," he said.

NU's plans are triggering a backlash. The state attorney general has asked for information and meetings, and political leaders, in particular State Rep and House majority leader Joe Aresimowicz, are urging NU not to eliminate the jobs. But Aresimowicz is uncertain how much success the state will have.

"I think, at this point, I really do feel it's a done deal," said Aresimowicz of NU's outsourcing intentions. But he's still holding out hope that something can be done to prevent or limit the IT outsourcing.

Other than to confirm the possibility of outsourcing the IT department, a utility spokesman declined to discuss any details concerning its outsourcing plans.

It's uncertain how much leverage the state has to keep the IT jobs. The utility is regulated, but it's also a private company. Last year, the Hartford-based NU merged with another utility, NSTAR, in Boston, to create an electric and natural gas utility with 3.5 million customers in three states. At the time of this announcement, the newly merged firms said they expect $780 million in merger savings over 10 years.

On Friday, the state attorney general, George Jepsen, and its consumer counsel, Elin Swanson Katz, asked public utility regulators to review the impact that the outsourcing of IT jobs could have the utility's ability to respond to major storm and outage concerns.

The Hartford Courant first reported on NU's outsourcing plans after it had spoken to some IT employees, with a promise of anonymity. An IT employee reached by Computerworld, who has begun a job search, said the company is telling them that the outsourcing contracts have not been finalized. All the employees are concerned, this worker said.

The IT job outlook for employees in the Hartford area, where NU is based, is mixed. The IT job market is not as good as it was five or six years ago, and the state is not seeing a lot of new industry development, said Santacroce. "We're sort of in this holding pattern," she said.

But NU has a reputation for having "a pretty good .Net shop," said Santacroce, and its developers may be in a good position, as will those with big data and business intelligence experience. IT desktop support, as well as telecom and network admins may have a tougher time, she said.

Santacroce said in a job hunt proactive people, who move quickly, will be in better shape, because a layoff of several hundred IT workers will "inundate the market fairly quickly."

Tom Mazzulla, a senior IT recruiter at iTech Solutions in Connecticut, said NU developers should be able to find something, but he said it's a difficult market overall.

"The employers are driving the market right now, and it allows them to be much more particular about who they are going to hire," said Mazzulla. "It allows them to take more time to hire, and it allows them to pay less."

One issue that has yet to arise is whether the offshoring the utility's IT services poses long-term security risks, particularly if work is moved offshore.

The mere fact that a utility company might be outsourcing IT functions to India, China or other offshore destination should not raise security red flags, said Joseph Weiss, managing partner at Applied Control Systems LLC and author of the book "Protecting Industrial Control Systems from Electronic Threat."

Many of the largest providers of critical Industrial Control Systems used by U.S. utility companies are either based overseas or have major software development centers in foreign countries, Weiss said. As an example, he pointed to General Electric, which has its biggest software development center in China.

"I'm not really sure if the security risk would be any different [with offshoring business applications,]" Weiss noted.

What ultimately is important are the governance and oversight processes in place to mitigate security risks, he said. Any company that finds itself needing to implement tougher governance processes simply as a result of outsourcing should not be doing it in the first place, Weiss said.

"If you think you need to have more oversight if you are going to India, then why are you doing this? "If you are saying the 'trust is less', then don't do it."

Dale Peterson, CEO of consulting firm Digital Bond, a company specializing in control system security, said the real risk arises only if control room operations are being outsourced to an offshore destination.

"[That] is a whole other matter," Peterson said. A few utilities have begun talking about control systems being managed through virtual plants based somewhere else, he said. "But that would be very bleeding edge stuff," and most likely not what's going on here, Peterson said.

Typically business application outsourcing should introduce little new risk for a utility, he said. "Essentially the [Industrial Control Systems], [Supervisory Control and Data Acquisition Systems], Distributed Control Systems] network considers the corporate or business network untrusted," he said. "No access is allowed into the [Industrial Control Systems] zone except under emergency conditions."

Corporate networks sometimes have links to plant systems to gather performance metrics and other data, he said. But the data needed by the corporate network is typically pushed out to the Industrial Control System perimeter in a secure fashion, he said. So any offshore vendor with access to the corporate network is unlikely to be able to touch plant systems, he said.

"If an owner or operator has a good [Industrial Control Systems] security perimeter, it doesn't matter if the corporate or business network is outsourced," said Peterson.

Patrick Thibodeau covers cloud computing and enterprise applications, outsourcing, government IT policies, data centers and IT workforce issues for Computerworld. Follow Patrick on Twitter at @DCgov or subscribe to Patrick's RSS feed. His e-mail address is pthibodeau@computerworld.com.

See more by Patrick Thibodeau on Computerworld.com.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Read more about it outsourcing in Computerworld's IT Outsourcing Topic Center.

Copyright © 2013 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon