Sure, you can save money by working with an outsourcing vendor in a faraway land. But don't trust the outsourcer to install the right security protections. Follow these best practices to verify that your relationship is cost-effective and safe.
This is what it's like to be an employee for Tata Consultancy Services (TCS), an Indian IT services vendor, when working for a big insurance company (in this case CNA):
When you come to work, your bag is searched. You may be too. You hand in your mobile phone to the security guard, to be picked up when you go home.
When you arrive at your desk, there are no traces of the papers you worked on yesterday - they got shredded last night. Don't bother trying to copy a digital picture of your kids onto your work screen (you can't copy or move files). There's nothing but a phone (which can't call anyone but the insurance company's help desk) and a computer with CD-ROM and floppy drives that work fine but are locked to you, as are the Internet and e-mail. And taking home a copy of CNA's confidential business process manual to bone up on in your spare time will get you fired, as one employee recently learned.
"The data and our processes are too sensitive. We can't afford to be lax," says Scott Sysol, director of infrastructure and security architecture for CNA.
While experts disagree wildly about the degree of extra risk involved in offshore outsourcing, companies such as CNA, an insurance giant that entrusts TCS with its sensitive financial and health-care information, are not taking chances with security when they send IT and business process work overseas. They are setting up rigid control processes with high levels of IT security. These initiatives cost money and cause disruption for outsourcers everywhere, but they are also the best ways to limit risks associated with sending such work offshore. (For its part, TCS declined to discuss its work with clients.)
And while practices such as forcing contractors to wall off work areas, slice up server farms and keep employees exclusive to one customer do not serve the basic economic tenets of outsourcing - scale, sharing and repeatability - they are the kinds of risk-mitigating actions that customers and their contractors must take when working with sensitive business data and processes.
Risk Is in the Eye of the Beholder
Not all companies need the kinds of security measures that CNA has in place. It is up to CIOs and CSOs in the companies sending work offshore to define what's an acceptable risk, outline security measures (in the contract wherever possible) and monitor their enforcement with the cooperation and support of the offshore provider. That sounds like a no-brainer. But it turns out that few companies take an active role in what experts say is a classic case of out of sight, out of mind.
"I'd say fewer than 20 percent of my clients audit the security of their providers," says Atul Vashistha, CEO of NeoIT, an offshore outsourcing consulting company. "They just accept the suppliers' defined security plan and don't check to see if they are living up to it."
Steven DeLaCastro, an offshore outsourcing consultant with Tatum Partners, puts the total even lower, at 10 percent. "Sarbanes-Oxley requires the right to audit outsourcers, yet companies aren't putting [audits] into the contract," he says.
Companies routinely underestimate the extra elements of risk introduced into the offshoring equation by issues like poor infrastructure, political instability and legal systems that don't line up with local practices, says Ken Wheatley, vice president, corporate security of Sony Electronics. "People are so focused on saving money and shifting operations that they don't think about the safeguards that need to be put in place," he says. "They assume that people in different countries have the same mind-set and safeguards and sense of due diligence, and that's just not the case."