Don't Export Security

Sure, you can save money by working with an outsourcing vendor in a faraway land. But don't trust the outsourcer to install the right security protections. Follow these best practices to verify that your relationship is cost-effective and safe.

This is what it's like to be an employee for Tata Consultancy Services (TCS), an Indian IT services vendor, when working for a big insurance company (in this case CNA):

When you come to work, your bag is searched. You may be too. You hand in your mobile phone to the security guard, to be picked up when you go home.

When you arrive at your desk, there are no traces of the papers you worked on yesterday - they got shredded last night. Don't bother trying to copy a digital picture of your kids onto your work screen (you can't copy or move files). There's nothing but a phone (which can't call anyone but the insurance company's help desk) and a computer with CD-ROM and floppy drives that work fine but are locked to you, as are the Internet and e-mail. And taking home a copy of CNA's confidential business process manual to bone up on in your spare time will get you fired, as one employee recently learned.

"The data and our processes are too sensitive. We can't afford to be lax," says Scott Sysol, director of infrastructure and security architecture for CNA.

While experts disagree wildly about the degree of extra risk involved in offshore outsourcing, companies such as CNA, an insurance giant that entrusts TCS with its sensitive financial and health-care information, are not taking chances with security when they send IT and business process work overseas. They are setting up rigid control processes with high levels of IT security. These initiatives cost money and cause disruption for outsourcers everywhere, but they are also the best ways to limit risks associated with sending such work offshore. (For its part, TCS declined to discuss its work with clients.)

And while practices such as forcing contractors to wall off work areas, slice up server farms and keep employees exclusive to one customer do not serve the basic economic tenets of outsourcing - scale, sharing and repeatability - they are the kinds of risk-mitigating actions that customers and their contractors must take when working with sensitive business data and processes.

Risk Is in the Eye of the Beholder

Not all companies need the kinds of security measures that CNA has in place. It is up to CIOs and CSOs in the companies sending work offshore to define what's an acceptable risk, outline security measures (in the contract wherever possible) and monitor their enforcement with the cooperation and support of the offshore provider. That sounds like a no-brainer. But it turns out that few companies take an active role in what experts say is a classic case of out of sight, out of mind.

"I'd say fewer than 20 percent of my clients audit the security of their providers," says Atul Vashistha, CEO of NeoIT, an offshore outsourcing consulting company. "They just accept the suppliers' defined security plan and don't check to see if they are living up to it."

Steven DeLaCastro, an offshore outsourcing consultant with Tatum Partners, puts the total even lower, at 10 percent. "Sarbanes-Oxley requires the right to audit outsourcers, yet companies aren't putting [audits] into the contract," he says.

Companies routinely underestimate the extra elements of risk introduced into the offshoring equation by issues like poor infrastructure, political instability and legal systems that don't line up with local practices, says Ken Wheatley, vice president, corporate security of Sony Electronics. "People are so focused on saving money and shifting operations that they don't think about the safeguards that need to be put in place," he says. "They assume that people in different countries have the same mind-set and safeguards and sense of due diligence, and that's just not the case."
