Real Problem
The various PHBs have not figured out (probably never will) that most of an organization's IT functions should remain in house, done by direct, permanent, employees. This is the only scenario that allows for the most control of the information, data, and code. This is especially critical for privacy issues. The third party company may or may not have all the proper controls required by various national data privacy laws. Medical data laws are similar but not identical to financial data laws. I am reasonably familiar with one (HIPPA) and only have a vague awareness of financial but I work in the medical industry.
Employees of the third party company first loyalty is the company paying them not the client, as it should be.
Biting the hand that feeds IT
