In Depth

Offshore Outsourcing: Don't Forget IT Security

Offshore outsourcing may save you money, but it also creates new risks. Here's a guide to necessary IT security measures

By Christopher Koch

Page 3

* The type of work being done offshore. Of the two main categories of IT-related offshore worksoftware development and business process outsourcing (BPO)BPO is considered riskier because it requires more human interaction and often focuses on sensitive data. In software work, the primary risk is intellectual property theft. Few developing countrieswith the notable exception of Singaporehave mature intellectual property protection laws. But intellectual property can be more easily protected with good physical and IT security measures than the BPO data.

* The importance of the work to revenue or innovation. For data, the risk is measured mostly in terms of regulatory weightthe Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act being two hefty examplesand the financial loss that could result if the data is compromised or stolen. Is this new software product that you are developing offshore a bet-the-company innovation? If so, you will want to take every possible security precaution. Are you a manufacturing company outsourcing maintenance and support for a legacy system that is not critical to operations and does not process sensitive data? If so, your security risk is much lower.

* The structure of your offshore services model influences how much security you need. Offshoring pioneers GE and Citibank built their own "captive" subsidiaries in India in the 1990s because they did not consider the local third-party providers mature enough to meet their needs. Experts still consider it safer to hire your own employees and dictate your own policies and procedures than to trust them to outsiders, even though service providersespecially in Indiahave matured to the point where they are on par with Western outsourcers in terms of quality, process and security capabilities.

Captive locationswhich today account for 30 percent of outsourcing employment and 50 percent of outsourcing revenue in India, according to consultancy A.T. Kearneyare expensive, requiring staff from headquarters to train employees, monitor management and build up the corporate infrastructure. They also face challenges in retaining local talent as competition for that talent grows. Some companies have created joint ventures with offshore providers to use the providers' access to local talent and later sell services to others.

More companies sending work offshore today are going to third parties than setting up either captive operations or forming joint ventures, A.T. Kearney says. These still require check-ins by customers. Some third-party vendors use subcontractors to perform worksometimes without their clients' knowledge. Without direct accountability to the customer, subcontractors can be a big security risk.