Offshore Outsourcing: Don't Forget IT Security

This is what it's like to be an employee for Tata Consultancy Services (TCS), an Indian IT services vendor, when working for a big American insurance company (in this case CNA):

When you come to work, your bag is searched. You may be too. You hand in your cell phone to the security guard, to be picked up when you go home.

When you arrive at your desk, there are no traces of the papers you worked on yesterdaythey got shredded last night. Don't bother trying to copy a digital picture of your kids onto your work screen (you can't copy or move files). There's nothing but a phone (which can't call anyone but the insurance company's help desk) and a computer with CD-ROM and floppy drives that work fine but are locked to you, as are the Internet and e-mail. And taking home a copy of CNA's confidential business process manual to bone up on in your spare time will get you fired, as one employee recently learned.

"The data and our processes are too sensitive. We can't afford to be lax," says Scott Sysol, director of infrastructure and security architecture for CNA.

While experts disagree wildly about the degree of extra risk involved in offshore outsourcing, companies such as CNA, an insurance giant that entrusts TCS with its sensitive financial and health-care information, are not taking chances with security when they send IT and business process work overseas. They are setting up rigid control processes with high levels of IT security. These initiatives cost money and cause disruption for outsourcers everywhere, but they are also the best ways to limit risks associated with sending such work offshore. (For its part, TCS declined to discuss its work with clients.)

And while practices such as forcing contractors to wall off work areas, slice up server farms and keep employees exclusive to one customer do not serve the basic economic tenets of outsourcingscale, sharing and repeatabilitythey are the kinds of risk-mitigating actions that customers and their contractors must take when working with sensitive business data and processes. Risk Is in the Eye of the BeholderNot all companies need the kinds of security measures that CNA has in place. It is up to CSOs and CIOs in the companies sending work offshore to define what's an acceptable risk, outline security measures (in the contract wherever possible) and monitor their enforcement with the cooperation and support of the offshore provider. That sounds like a no-brainer. But it turns out that few companies take an active role in what experts say is a classic case of out of sight, out of mind.

"I'd say fewer than 20 percent of my clients audit the security of their providers," says Atul Vashistha, CEO of NeoIT, an offshore outsourcing consulting company. "They just accept the suppliers' defined security plan and don't check to see if they are living up to it."

Steven DeLaCastro, an offshore outsourcing consultant with Tatum Partners, puts the total even lower, at 10 percent. "Sarbanes-Oxley requires the right to audit outsourcers, yet companies aren't putting [audits] into the contract," he says.

U.S.-based companies routinely underestimate the extra elements of risk introduced into the offshoring equation by issues like poor infrastructure, political instability and legal systems that don't line up with Western practices, says Ken Wheatley, vice president, corporate security of Sony Electronics. "People are so focused on saving money and shifting operations that they don't think about the safeguards that need to be put in place," he says. "They assume that people in different countries have the same mind-set and safeguards and sense of due diligence, and that's just not the case."

In reality, the case varies by the legal and workplace environment of the host country. Take India, for example. The country's IT industry, acutely aware of Western companies' security concerns, has been working since 1998 to get India's legislature to pass general data protection and privacy laws like those in the United States and Europe, without success. Though laws have been passed that prohibit tampering with computer source code and hacking, intellectual property and data protection lag behind the West.

Even if stricter laws eventually passand most experts predict they will, given the importance of outsourcing to India's economytranslating them across borders will still be difficult. Besides, relying on the legal system of any country to protect your corporate assets is misguided. Only your relationship with the vendor matters. "Laws only provide punishment," says Venugopal Iyengar, practice director of e-security consulting for TCS. "Ultimately what we need is the assurance of safety through processes and best practices. Assurance is more important than punishment."

Even the most elaborate security measures will not erase the significant cost savings of going offshore. But companies are inviting disaster if they don't assess their risks up front and factor the security they want into the cost equation.

Below, we look at the security risks of offshore outsourcing and offer best practices for assessing them and mitigating them.Risks to MitigateCSOs should consider these four major categories of risk before negotiating security practices with an offshore vendor.

* The type of work being done offshore. Of the two main categories of IT-related offshore worksoftware development and business process outsourcing (BPO)BPO is considered riskier because it requires more human interaction and often focuses on sensitive data. In software work, the primary risk is intellectual property theft. Few developing countrieswith the notable exception of Singaporehave mature intellectual property protection laws. But intellectual property can be more easily protected with good physical and IT security measures than the BPO data.

* The importance of the work to revenue or innovation. For data, the risk is measured mostly in terms of regulatory weightthe Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act being two hefty examplesand the financial loss that could result if the data is compromised or stolen. Is this new software product that you are developing offshore a bet-the-company innovation? If so, you will want to take every possible security precaution. Are you a manufacturing company outsourcing maintenance and support for a legacy system that is not critical to operations and does not process sensitive data? If so, your security risk is much lower.

* The structure of your offshore services model influences how much security you need. Offshoring pioneers GE and Citibank built their own "captive" subsidiaries in India in the 1990s because they did not consider the local third-party providers mature enough to meet their needs. Experts still consider it safer to hire your own employees and dictate your own policies and procedures than to trust them to outsiders, even though service providersespecially in Indiahave matured to the point where they are on par with Western outsourcers in terms of quality, process and security capabilities.

Captive locationswhich today account for 30 percent of outsourcing employment and 50 percent of outsourcing revenue in India, according to consultancy A.T. Kearneyare expensive, requiring staff from headquarters to train employees, monitor management and build up the corporate infrastructure. They also face challenges in retaining local talent as competition for that talent grows. Some companies have created joint ventures with offshore providers to use the providers' access to local talent and later sell services to others.

More companies sending work offshore today are going to third parties than setting up either captive operations or forming joint ventures, A.T. Kearney says. These still require check-ins by customers. Some third-party vendors use subcontractors to perform worksometimes without their clients' knowledge. Without direct accountability to the customer, subcontractors can be a big security risk.

* Every organization has its own risk tolerance. Companies outside the software, financial services and health-care industries (such as manufacturing and retail) generally face less risk in sending IT and BPO work offshore. But some set up extensive security measures because their culture demands it.

BNSF Railway, which offshores some system maintenance work, has a low risk tolerance and takes extra security steps as a result. The company does not send BPO work offshore, and most of its capital is tied up in locomotives, not mainframes. Yet BNSF doesn't feel comfortable with generally accepted security standards for offshore security. One example: network lines to its offshore providers. Most customers of outsourcers accept shared data pipes that segregate and shield each customer's work from the others. Security experts agree that shared lines are safe if managed properly.

But not BNSF. "We started out with a shared line, and it really limited us," says Beth Bonjour, assistant vice president, technology services for BNSF. "We weren't comfortable letting the outsourcer have access to our production systems over that line." Finally, an agreement was reached with the outsourcer to include a BNSF-managed dedicated line (these lines typically cost 50 percent more than shared lines, according to Forrester Research). BNSF began outsourcing a portion of its support and maintenance for some production systems at a significant cost savings, Bonjour says. "We're getting more value out of the relationship now than we were at the beginning," she says.

Once you've got a handle on your outsourcing relationship, follow these five best practices.Best Practice One: Keep Control In their relationships with offshore outsourcers, companies such as BNSF and CNA have retained control over security. They make the rules, they spec out the infrastructure, and they monitor their outsourcers. They write contracts that spell out how their vendors' employees will use computer networks and how much IT infrastructure will be set aside specifically for their outsourcing work. They perform periodic audits on outsourcers' security measures and background checks on outsourcers' employees after the outsourcers performs their own checks.

The goal: to ensure outsourcers practice the security that they preach. But getting such control isn't always easy. "With large [vendors], there is an assumption on their part that they have good practices and policies in place"and they often do, says Sony's Wheatley. Yet when Wheatley asks for details, "they will take issue with us coming in to have the discussion. The inference is, 'Hey, we're doing business withwhatever famous company you want to name. How dare you come and ask us to do certain things?' But when we've gone in and tested their policies, 100 percent of the time we've found serious issues."

Both CNA and BNSF have staff who work on securing and monitoring the outsourced work. Both manage the networks that the outsourcers work on and provision the servers and PCs used by the providers with software they assemble and update themselves. They monitor network usage themselves and audit that usage as they would for internal employees.

It ain't cheap. For business process outsourcing, which can involve highly sensitive data, risk management measures can eat up 15 percent to 19 percent of the cost savings of going offshore, according to researchers at Tower Group. For software development, which involves less access to sensitive data, due diligence and risk management eat up 6 percent to 10 percent of the savings. Yet even then, the overall savings are there.Best Practice Two: Perform Due Diligence Work Up Front Due diligence does not mean reading a provider's customer list and watching a PowerPoint show about its security practices and metrics. Nor does it mean accepting claims that the vendor adheres to international security standards like COPC, an industry quality standard for customer service contact centers, and Safe Harbor, which covers European Union data privacy protection rules.

Given the dramatic growth and turnover in many offshore companies, customer references age quickly. Worse, customers may not admit to security problems they've experienced offshore because they fear bad publicity if word of the problems reached their own customers and the media. Indeed, very few companies were willing to go on the record for this story or discuss their offshore security practices.

Companies we spoke with said they hire security consultancies that have employees in various offshore destinations to check out the local reputations of the providers and do employee background checks. These companies also hire lawyers in the outsourcing destination country who have a good knowledge of data protection and intellectual property laws. They check up on the outsourcing companies and examine provisions in the contract to see if they will be legally enforceable.