In Depth
Offshore Outsourcing: Don't Forget IT Security
Offshore outsourcing may save you money, but it also creates new risks. Here's a guide to necessary IT security measures.
By Christopher Koch
* Every organization has its own risk tolerance. Companies outside the software, financial services and health-care industries (such as manufacturing and retail) generally face less risk in sending IT and BPO work offshore. But some set up extensive security measures because their culture demands it.
BNSF Railway, which offshores some system maintenance work, has a low risk tolerance and takes extra security steps as a result. The company does not send BPO work offshore, and most of its capital is tied up in locomotives, not mainframes. Yet BNSF doesn't feel comfortable with generally accepted security standards for offshore security. One example: network lines to its offshore providers. Most customers of outsourcers accept shared data pipes that segregate and shield each customer's work from the others. Security experts agree that shared lines are safe if managed properly.
But not BNSF. "We started out with a shared line, and it really limited us," says Beth Bonjour, assistant vice president, technology services for BNSF. "We weren't comfortable letting the outsourcer have access to our production systems over that line." Finally, an agreement was reached with the outsourcer to include a BNSF-managed dedicated line (these lines typically cost 50 percent more than shared lines, according to Forrester Research). BNSF began outsourcing a portion of its support and maintenance for some production systems at a significant cost savings, Bonjour says. "We're getting more value out of the relationship now than we were at the beginning," she says.
Once you've got a handle on your outsourcing relationship, follow these five best practices.

Best Practice One: Keep Control

In their relationships with offshore outsourcers, companies such as BNSF and CNA have retained control over security. They make the rules, they spec out the infrastructure, and they monitor their outsourcers. They write contracts that spell out how their vendors' employees will use computer networks and how much IT infrastructure will be set aside specifically for their outsourcing work. They perform periodic audits on outsourcers' security measures and background checks on outsourcers' employees after the outsourcers perform their own checks.
The goal: to ensure outsourcers practice the security that they preach. But getting such control isn't always easy. "With large [vendors], there is an assumption on their part that they have good practices and policies in place"



