In Depth

Offshore Outsourcing: Don't Forget IT Security

Offshore outsourcing may save you money, but it also creates new risks. Here's a guide to necessary IT security measures

By Christopher Koch

"I'd say fewer than 20 percent of my clients audit the security of their providers," says Atul Vashistha, CEO of NeoIT, an offshore outsourcing consulting company. "They just accept the suppliers' defined security plan and don't check to see if they are living up to it."

Steven DeLaCastro, an offshore outsourcing consultant with Tatum Partners, puts the total even lower, at 10 percent. "Sarbanes-Oxley requires the right to audit outsourcers, yet companies aren't putting [audits] into the contract," he says.

U.S.-based companies routinely underestimate the extra elements of risk introduced into the offshoring equation by issues like poor infrastructure, political instability and legal systems that don't line up with Western practices, says Ken Wheatley, vice president, corporate security of Sony Electronics. "People are so focused on saving money and shifting operations that they don't think about the safeguards that need to be put in place," he says. "They assume that people in different countries have the same mind-set and safeguards and sense of due diligence, and that's just not the case."

In reality, the case varies by the legal and workplace environment of the host country. Take India, for example. The country's IT industry, acutely aware of Western companies' security concerns, has been working since 1998 to get India's legislature to pass general data protection and privacy laws like those in the United States and Europe, without success. Though laws have been passed that prohibit tampering with computer source code and hacking, intellectual property and data protection lag behind the West.

Even if stricter laws eventually pass (and most experts predict they will, given the importance of outsourcing to India's economy), translating them across borders will still be difficult. Besides, relying on the legal system of any country to protect your corporate assets is misguided. Only your relationship with the vendor matters. "Laws only provide punishment," says Venugopal Iyengar, practice director of e-security consulting for TCS. "Ultimately what we need is the assurance of safety through processes and best practices. Assurance is more important than punishment."

Even the most elaborate security measures will not erase the significant cost savings of going offshore. But companies are inviting disaster if they don't assess their risks up front and factor the security they want into the cost equation.

Below, we look at the security risks of offshore outsourcing and offer best practices for assessing them and mitigating them.

Risks to Mitigate

CSOs should consider these four major categories of risk before negotiating security practices with an offshore vendor.
