Don't Export Security

It is up to CIOs and CSOs in the companies sending work offshore to define what's an acceptable risk, outline security measures (in the contract wherever possible) and monitor their enforcement with the cooperation and support of the offshore provider.

In reality, the case varies by the legal and workplace environment of the host country. Take India, for example. The country's IT industry, acutely aware of Western companies' security concerns, has been working since 1998 to get India's legislature to pass general data protection and privacy laws without success. Though laws have been passed that prohibit tampering with computer source code and hacking, intellectual property and data protection lag behind the West.

Even if stricter laws eventually pass - and most experts predict they will, given the importance of outsourcing to India's economy - translating them across borders will still be difficult. Besides, relying on the legal system of any country to protect your corporate assets is misguided. Only your relationship with the vendor matters. "Laws only provide punishment," says Venugopal Iyengar, practice director of e-security consulting for TCS. "Ultimately what we need is the assurance of safety through processes and best practices. Assurance is more important than punishment."

Even the most elaborate security measures will not erase the significant cost savings of going offshore. But companies are inviting disaster if they don't assess their risks up front and factor the security they want into the cost equation.

Below, we look at the security risks of offshore outsourcing and offer best practices for assessing them and mitigating them.

Risks to Mitigate

CIOs should consider these four major categories of risk before negotiating security practices with an offshore vendor.

» The type of work being done offshore. Of the two main categories of IT-related offshore work - software development and business process outsourcing (BPO) - BPO is considered riskier because it requires more human interaction and often focuses on sensitive data. In software work, the primary risk is intellectual property theft. Few developing countries - with the notable exception of Singapore - have mature intellectual property protection laws. But intellectual property is easier to protect with good physical and IT security measures than BPO data is.

» The importance of the work to revenue or innovation. For data, the risk is measured mostly in terms of regulatory weight and the financial loss that could result if the data is compromised or stolen. Is this new software product that you are developing offshore a bet-the-company innovation? If so, you will want to take every possible security precaution. Are you a manufacturing company outsourcing maintenance and support for a legacy system that is not critical to operations and does not process sensitive data? If so, your security risk is much lower.

» The structure of your offshore services model influences how much security you need. Offshoring pioneers GE and Citibank built their own "captive" subsidiaries in India in the 1990s because they did not consider the local third-party providers mature enough to meet their needs. Experts still consider it safer to hire your own employees and dictate your own policies and procedures than to trust them to outsiders, even though service providers - especially in India - have matured to the point where they are on par with Western outsourcers in terms of quality, process and security capabilities.

Captive locations - which today account for 30 percent of outsourcing employment and 50 percent of outsourcing revenue in India, according to consultancy AT Kearney - are expensive, requiring staff from headquarters to train employees, monitor management and build up the corporate infrastructure. They also face challenges in retaining local talent as competition for that talent grows. Some companies have created joint ventures with offshore providers to use the providers' access to local talent and later sell services to others.

More companies sending work offshore today are going to third parties rather than setting up captive operations or forming joint ventures, AT Kearney says. Third-party arrangements still require regular check-ins by the customer. Some third-party vendors use subcontractors to perform work - sometimes without their clients' knowledge. Without direct accountability to the customer, subcontractors can be a big security risk.

» Every organization has its own risk tolerance. Companies outside the software, financial services and health-care industries (such as manufacturing and retail) generally face less risk in sending IT and BPO work offshore. But some set up extensive security measures because their culture demands it.

Stories by Christopher Koch