BNSF Railway, which offshores some system maintenance work, has a low risk tolerance and takes extra security steps as a result. The company does not send BPO work offshore, and most of its capital is tied up in locomotives, not mainframes. Yet BNSF doesn't feel comfortable with generally accepted security standards for offshore security. One example: network lines to its offshore providers. Most customers of outsourcers accept shared data pipes that segregate and shield each customer's work from the others. Security experts agree that shared lines are safe if managed properly.
But not BNSF. "We started out with a shared line, and it really limited us," says Beth Bonjour, assistant vice president, technology services for BNSF. "We weren't comfortable letting the outsourcer have access to our production systems over that line." Finally, an agreement was reached with the outsourcer to include a BNSF-managed dedicated line (these lines typically cost 50 percent more than shared lines, according to Forrester Research). BNSF began outsourcing a portion of its support and maintenance for some production systems at a significant cost savings, Bonjour says. "We're getting more value out of the relationship now than we were at the beginning," she says.
Once you've got a handle on your outsourcing relationship, follow these five best practices.
Best Practice One:
Keep ControlIn their relationships with offshore outsourcers, companies such as BNSF and CNA have retained control over security. They make the rules, they spec out the infrastructure, and they monitor their outsourcers. They write contracts that spell out how their vendors' employees will use computer networks and how much IT infrastructure will be set aside specifically for their outsourcing work. They perform periodic audits on outsourcers' security measures and background checks on outsourcers' employees after the outsourcers performs their own checks.
The goal: to ensure outsourcers practice the security that they preach. But getting such control isn't always easy. "With large [vendors], there is an assumption on their part that they have good practices and policies in place" - and they often do, says Sony's Wheatley. Yet when Wheatley asks for details, "they will take issue with us coming in to have the discussion. The inference is: 'Hey, we're doing business with - whatever famous company you want to name. How dare you come and ask us to do certain things?' But when we've gone in and tested their policies, 100 percent of the time we've found serious issues."
Both CNA and BNSF have staff who work on securing and monitoring the outsourced work. Both manage the networks that the outsourcers work on and provision the servers and PCs used by the providers with software they assemble and update themselves. They monitor network usage themselves and audit that usage as they would for internal employees.
It ain't cheap. For business process outsourcing, which can involve highly sensitive data, risk management measures can eat up 15 percent to 19 percent of the cost savings of going offshore, according to researchers at Tower Group. For software development, which involves less access to sensitive data, due diligence and risk management eat up 6 percent to 10 percent of the savings. Yet even then, the overall savings are there.
Best Practice Two:
Perform Due Diligence Work Up FrontDue diligence does not mean reading a provider's customer list and watching a PowerPoint show about its security practices and metrics. Nor does it mean accepting claims that the vendor adheres to international security standards like COPC, an industry quality standard for customer service contact centres, and Safe Harbour, which covers European Union data privacy protection rules.
Given the dramatic growth and turnover in many offshore companies, customer references age quickly. Worse, customers may not admit to security problems they've experienced offshore because they fear bad publicity if word of the problems reached their own customers and the media. Indeed, very few companies were willing to go on the record for this story or discuss their offshore security practices.
Companies we spoke with said they hire security consultancies that have employees in various offshore destinations to check out the local reputations of the providers and do employee background checks. These companies also hire lawyers in the outsourcing destination country who have a good knowledge of data protection and intellectual property laws. They check up on the outsourcing companies and examine provisions in the contract to see if they will be legally enforceable.
Security due diligence takes time, cautions Sony's Wheatley. "People watch too many cop shows. They think we can find answers to security issues in 12 hours," he says. "It doesn't work that way. Seventy to 80 percent of the time we find something that is bad enough not to do the business or get out of it if we're in it. Then we need time to figure out a solution or have the ability to walk away from the deal. Sometimes two weeks turns into four months when we find problems. It can take time to check these things out."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.