Finance sector poor at achieving outsourcing success

As if the banks didn't have enough to contend with at the moment, they now stand accused of being the least effective when it comes to outsourcing IT projects.

A major study has shown that half of all outsourcing projects commissioned by financial services companies end up being cancelled, and in about a third of cases, companies take legal action against their suppliers. The main reason for these woes is that the companies fail to write their contracts properly in the first place, the report concludes.

Summary of best practices for outsourcing of application development

* Take time upfront to consider the baseline goals for each project, especially regarding requirements related to staff expertise at the outsourcer.

* Establish the appropriate level of security that must be built into development procedures for each application and write these into the contract.

* Ensure that remediation processes are built into the contract defining actions to be taken should things go wrong. 

* Define the appropriate application development tools and procedures to be used and stipulate these in the contract, including the right to audit the application. 

* Specify in the contract what security tools and techniques must be used in order to guard against applications being delivered that contain vulnerabilities.

* Make outsourcers responsible for initial testing of applications and specify what outsourcers should test for and what testing methods they should use. 

* Do not leave all testing up to the outsourcer. Organisations should perform their own tests or require independent validation prior to acceptance. 

* Extend the same best practices to fast-emerging forms of outsourcing, such as cloud computing or Software as a Service. 

* In such environments, demand greater controls over the physical security of outsourcing providers.

The study examined outsourcing policies at 200 of the largest organisations in the UK and the US, 100 in each country. It selected 20 organisations in each country from five specific sectors - public sector, retail, transport, finance and 'other' large enterprises.

"Finance companies are putting themselves at serious risk," said Fran Howarth, principal analyst at research company Quocirca, who carried out the study. She said that by failing to specify in clear detail what was expected from applications, financial services companies were more likely to get applications that were insecure and unfit for their purpose.

By contrast, the retail and public sectors achieved a much higher proportion of successful projects, said Howarth, mainly because they had more experience of the process and had learned how to write proper contracts.

"The importance of getting the contract right cannot be stressed enough," said Howarth. "Organisations with the most experience stipulate the most stringent functional and security requirements in the outsourcing contract."

The best companies also go through stringent testing of code once they receive it from the outsourcers. Among the leaders in the retail and public sectors, 62.5 per cent do automated code scanning, compared with just 32.5 per cent in the finance sector. And while 82.5 per cent of retailers test for cross-site scripting, one of the most common code vulnerabilities, this is done at only 40 per cent of financial services companies.

The research was sponsored by Ounce Labs Inc., which specialises in code checking. The founder and CTO of the software risk analysis company, Jack Danahy, said: "A lot of companies don't understand the problem well enough, so they end up having a fist-fight with the outsourcing company when a vulnerability is found."

Danahy also rejected any notion that the problem was worse for companies having applications developed offshore, saying specifications and contracts need to be watertight, wherever the outsourcer is based, and need to go into specific detail. "For instance, if you don't ever want the CVC code on a credit card to be stored, you have to put it in the contract," he said.

Danahy added that Ounce has produced boilerplate contracts that companies can download from its website, and tailor to their needs.

Howarth, of Quocirca, also warned that the growing trend towards cloud computing and software as a service will require the same standard of care when drawing up service contracts. "Some companies fail to realise that cloud computing and SaaS are forms of outsourcing, too," she said.

That means specifying who has access to your data – which only 47.5 per cent of finance companies do, compared with 70 per cent in the public sector – and demanding some level of recognised certification. While 82.5 per cent of public and retail sector organisations demand certification, only 37.5 per cent of financial sector firms think to ask for it.

Both Howarth and Danahy emphasised the need for companies to test applications in their own environments. "Testing typically accounts for a third of the cost of development, and you should expect the outsourcer to carry out the bulk of it," said Howarth. "But you always need to check it yourself as well, especially as you need to see how it operates in the production environment and connects to other systems."

The full report 'Winning Outsourcing Strategies' is available for download at