Offshore outsourcing is an emotive topic, and the security and privacy risks specific to offshoring can often be perceived, rather than real. Indeed, many companies have significant challenges managing security requirements with third parties regardless of location, writes Arabella Hallawell, research vice-president at Gartner.
There are multiple reasons for the challenges. First, security requirements are typically never detailed in contracts with third parties. Security is often brought in only after the deal has been negotiated, when requirements are difficult to add after the fact.
Other companies have gone to the other extreme, insisting on draconian and expensive measures for offshore outsourcers because of perceived elevated risks. This often slows down the process, and these companies frequently never implement the ongoing assessments needed to ensure that the security controls agreed to are actually instituted.
While there can be country-specific security challenges, typically related to the ability to conduct background checks, a government's track record of intercepting data, or the intellectual property (IP) protection landscape, most of these, with the exception of government interception, can be largely mitigated by additional security controls at the provider or within the organisation.
Companies have a much better chance of protecting their business by putting in place a well-constructed process that includes:
- Working with legal and procurement departments to ensure that security requirements go into every contract before a deal is made, and that security is involved in defining the security requirements and selection criteria for providers.
- Ensuring budget is allocated for security diligence and ongoing assessment of providers.
- Having a process that includes consistent controls for all third parties, especially for outsourcers, be they domestic or offshore providers. If a particular destination is determined to have elevated security risks via a defined country risk evaluation, additional controls can be instituted either internally or via the provider.
- Customising security requirements for the type of outsourcing being conducted. For example, application security methodologies and the use of third parties to test code before acceptance should be emphasised in application development contracts, whereas employee screening, training, monitoring and identity management procedures, and how tools such as encryption and data-loss prevention (DLP) are deployed, are more significant for business process outsourcing (BPO) or IT operations outsourcing.
This was first published in June 2009