OUTSOURCING

1 Copyright © 2014 M. E. Kabay. All rights reserved.

OUTSOURCING

CSH5 Chapter 68“Outsourcing & Security”

Kip Boyle, Michael Buglewicz, & Steven Lovaas


TopicsIntroductionWhy Outsource?Can Outsourcing

Fail?Controlling the

RisksOutsourcing

Security Functions


IntroductionOpening

RemarksDefinitionsDistinctionsInsourcingNearshoringOffshoring


Opening Remarks (1)“Outsourcing” encompasses different conceptsNeed different risk-management strategiesOutsource for efficiencies & effectivenessConsequences: environment can change fastKey issues for early 21st century for

outsourcing:Security problemsChina’s riseIndia’s growth & turmoilBlundersH-1B visa problemsSmall business outsourcingManaged services


Opening Remarks (2)Benefits possible:Self-knowledge improves when forced to articulate

needs, mission Clarify/institutionalize roles, goals, metricsRisk identification & mitigationFocus on core competencies

EffectivenessEfficienciesFocusDiscipline

Cost savings


DefinitionsVendor / contractor:

Arm’s-length entityProvides specific outsourced service(s)

Organization / business:Entity contracting for products / services

with vendorOutsourcing:

Fulfillment of specific business function(s)

By contracting with vendorTo perform in vendor’s facilities

Insourcing:Use of contract / noncompany employees

for specific in-house functions


DistinctionsMany applications of

out/insourcing possibleCall centerCorporate ITCorporate financeCorporate security

Must not impose one rigid framework

Different needs imply different priorities & methods

Identify core business missionsConsider moving non-core functions outside Or hiring contractors


InsourcingCommonplace to hire contractorsRisks

Workplace for outside employees is inside security perimeter

High potential for abuse if contractor dishonest

May not have same trust in contractors as in employees

Plan for coping with errors by contractorsMay need specific / separate security

classifications for employees, contractorsContractors may fail to comply with regulatory /

legal requirements if policies unclear


NearshoringOutsourcing specific discrete business

function to Same geographical

regionNearby regionBordering region

E.g., US nearshoring could include contracting

out to US firmOr Canadian or Mexican firms

Many large companies nearshore servicesEDS Agile, HP SMB Services, IBM Express

Advantage


OffshoringOutsourcing specific, discrete business

functions to vendor on another continentE.g., EU company outsources a function to

Indian companyConsiderable emotion in discussions Important to evaluate possibilities carefully

Understand your businessArticulate outsourcing / nearshoring /

insourcing goalsClear analysis of risks & management

issues


Why Outsource?

Effectiveness vs EfficiencyBeing EffectiveBeing Efficient


Effectiveness vs EfficiencyEfficiency: using optimal resources for

specific taskEffectiveness: getting the work done as

intended


Being Effective (1)Optimizing processes outside core competency is

wastefulCore competencies

Mission-critical tasks / functionsDirectly related to strategic goalsE.g., hospital / restaurant considers cleanliness

mission-criticalThat organization good at _____E.g., for specific firms,

Brand managementContinuous improvementSuperior retail serviceSupply chain managementLook / feel of products


Being Effective (2)Core competency requirements

Can be used to develop entirely new products / services

Provides significant customer benefits

Difficult for customers to duplicateAt least for a time

Core competency can provide competitive advantage(s)Therefore all other functions

candidates for outsourcingFocus resources on what counts


Being EfficientMeasuring efficiency

Direct cost minimizationE.g., UK companies save

~40% costs by using labor in India

Save ₤10M for every 1,000 jobs outsourced

Benefits of outsourcingDecreased capital investmentDecreased fixed costsIncreased variable costs vs fixed costs

Pay by volume of service / productsIncreased speed / reduction work cycle timeManagement focus – emphasize competitiveness


Can Outsourcing Fail?Yes, Outsourcing Can FailWhy Does Outsourcing Fail?Universal Nature of RiskClarity of Purpose & IntentPriceSocial Culture International EconomicsPolitical IssuesEnvironmental FactorsTravelLaborAdditional Risks


Yes, Outsourcing Can FailJP Morgan Chase (2004)

Terminated U$5B contract with IBMEDS (Electronic Data Systems)

Terminated U%1B contract to run Dow Chemical phone / computer networks


HealthCare.gov Failure (1)http://www.inquisitr.com/1211143/kathleen-sebelius-admits-obamacare-website-was-not-ready/

http://www.inquisitr.com/1211143/kathleen-sebelius-admits-obamacare-website-was-not-ready/

http://www.inquisitr.com/1211143/kathleen-sebelius-admits-obamacare-website-was-not-ready/


HealthCare.gov Failure (2)


Deloitte Consulting 2005 Study“Calling a Change in the Outsourcing Market”

Interviews with 25 large organizations in 8 sectors

70% respondents looking more cautiously at outsourcing due to bad experiences

25% canceled outsourcing when promised savings / higher efficiency failed

44% saw no cost savings


Why Does Outsourcing Fail? Danger when focusing primarily on cost reduction

But in 2004-2006, rate of cost-savings as primary driver rose from70% to 80% respondents

But including effectiveness can change evaluation

ProblemsMeasuring performance difficultFailure to create win/win situationDifficult to align goals of organization & vendorMust master new / more complicated communicationsMaintaining sufficient knowledge / skill in outside

workforceInsecurity perceived by internal employees & unionsContract termination can be disruptive to clients (lower

QoS)


Universal Nature of RiskGreatest cost: ignoranceGreatest price: failure

Poorly defined expectations / poor planning = doom

PlanningIA team should assess entire outsourcing

projectIA not only team involvedBut must not restrict IA merely to technical

detailsLiability remains with firm, not outsourcing

provider


IA Review of ProposalsWhat information

assets at risk?Value / sensitivity of

assetsCurrent / future “risk

shadow” due to outsourcing?


Clarity of PurposeMust articulate tasks

Rely on employees to define specificsConflict of interest: often those

defining tasks are ones to be fired after outsourcing!

PhasesAnalysis – define/document

workRFI (request for information)RFP (request for proposal)Vendor selectionTraining

Focus on mutually beneficial vendor relations


Risks Related to Clarity of PurposePoor identification / definition of

task(s)Employees defining tasks may be

training their replacementsWorkforce reduction traumatic

UncertaintyUnrestResentment

Lowered morale may have consequencesLost productivity (water-cooler

discussions)Insider sabotage


PriceBeware paper-thin profit

marginsVendor must also

survive and profitOtherwise see constant

corner-cuttingBeware short-term profit

evaluationsTake long-term viewClient must see

significant long-term profit


Social CultureVendor must cope with client culture

Be conscious of social norms across international boundaries

Client must evaluate differences in beliefs / attitudes / behaviorsEspecially important for outsourced client

contacts such as technical supportParkerian HexadParticularly timelinessSome hostility developing in USA towards

foreign accents (e.g., Indian) in support


International EconomicsKeep long-term economic developments in mind

Collapsing economy may terminate contractsVendor may go out of businessSocial disruption may stop

all businessOnce functions

outsourced, business continuity affected if supplier fails

Changes in exchange rate may affect costs if contract fails to stipulate client’s currency for charges


Political IssuesGraft / bribery vs national laws

(e.g., US legal restrictions on such payments)Foreign Corrupt Practices Act of

1977 (FCPA) (15 U.S.C. §§ 78dd-1, et seq.)

Opposing political forces’ attitudes to outsourcing vendors

Terrorism causing increasing concerns for vendors & clientsE.g., Taliban defines anyone doing business with

US / Intl armed forces as targetsRule of law: is there any (e.g., China, Burma)?


Environmental FactorsHow likely are natural disasters in remote

location?Could natural disaster trigger political

collapse?What is host country’s capacity for recovery

from environmental disaster? Will regional infrastructure cope with

disruptions to maintain QoS / SLA?


TravelEmployees will have to visit vendor or

clientTrainingQuality controlManagement coordination

Keep in mindTravel costs ($$, productivity,

morale)Employee safety / health (food,

disease, war, insurrection, kidnapping)

Delays for travel documents (e.g., visas)


LaborRisks

Turnover (requiring more training)

Escalating wagesWork stoppagesCost growth

Examine history & forecastsSupply of workersWorker exploitation (may violate

client country’s laws & affect public image, employee morale – or lead to boycotts)


Additional RisksLoss of corporate

expertiseLoss of direct

control Internal changes

in corporate purposeMoving from doers

to managers of doersOverhead of ongoing contract management


Controlling the RisksControls on What?Controlling Outsourcing

RiskAvailability ControlsUtility ControlsIntegrity & Authenticity

ControlsConfidentiality &

Possession ControlsMaking the Best of

Outsourcing


Controls on What?Players

PeopleCorporationsSocietiesGovernments

Focus primarily on organizational behaviorPolicies, contracts, agreements, trust relations

criticalInformation security policy criticalCoordinate with legal dept: contracts / site

selection / politics / economics / separation of duties


Controlling Outsourcing RiskUse Parkerian Hexad as framework for analysis / remediationConfidentialityControl or Possession IntegrityAuthenticityAvailabilityUtility


Availability Controls & Outsourcing Infrastructure can be determinant

E.g., trans-Pacific cable cut Feb 2007Most of Asia inaccessible to North America via

InternetDistance increases risk of interruption

Backup strategy criticalBCP essential for vendor & client sitesConsider backup vendor contracts

SLA may be unenforceable if no rule of lawEvaluate possible vendor(s) carefully

Site visitsNews / government reports

Monitor situation in vendor locale continuously


US Dept of State Country Reports

http://www.state.gov/countries/




Utility Controls & OutsourcingCareful version controlEncryption recovery (for forgotten keys)

Beware national/international restrictions on encryption technologies

Beware incompatible formatsLanguage issues

AccentsWord usageWriting


Integrity & Authenticity Controls & Outsourcing Prevent unauthorized or accidental modifications Analyze vendor’s history / reputation But effective collaboration may required access to sensitive

corporate data Trust infrastructure

Access control mechanismsRBAC* / least privilege important

Division of laborDelegation of responsibilitiesVendor must not be able to change

structure Monitoring incorporated into contracts

Audits – preferably unannouncedWhere are backups kept?Change-tracking on servers

*Role-based access control


Confidentiality & Possession Controls & Outsourcing (1)Outsourcing inherently compromises

confidentiality & controlDecide if balance is positiveLaws may protect balance – if

there is in fact rule of law on both sides

HSBC call center – Bangalore, India – 2006Employee arrestedHacked into bank’s computersStole ₤233,000Hired because of forged high-school transcriptsOnly criterion for hiring was English skills


Confidentiality & Possession Controls & Outsourcing (2)

Constant monitoring / auditClear terms of contractUnannounced auditsMonitor log files, real-time

security toolsMay replace absent laws by

contract termsFailure of security termination of contractMay not help if legal process in vendor’s countryBut could help in client’s country


Making the Best of OutsourcingCareful planningCareful implementationFocus on trust & monitoring

“Trust, but verify”Plan for threats to availability

BCP / DRPTraining, liason Integrate security into contract terms


Outsourcing Security FunctionsOverview of Security OutsourcingWho Outsources Security?Why do Organizations Outsource

Security?Risks of Outsourcing SecurityHow to Outsource Security FunctionsControlling Risk of Security

Outsourcing


Overview of Security OutsourcingCan improve overall security

Take advantage of specialized security expertise / experience / perspective

Depends on vendor’s history / reputationContracted security-guard force commonplace

Example of insourcing Increasing use of security-service vendors

NearshoringIncludes software testing for security

vulnerabilities


Who Outsources Security?2004 study

Large firms (revenues U$12B/year)Outsource security 2x as often as

smaller firmsGartner predicted doubling of US market

2001-2009Managed-security service providers (MSSPs)

Grew 20%/year 2004-2007Counterpane (IDS monitoring)Postini (antispam)


Why do Organizations Outsource Security? (1)Staffing Challenges

Training & retentionKey to success is deep

understanding of specific business

Should always look for ways of focusing employees on mission-critical functions

Distribute less taxing, routine jobs to othersSave on constant training costs by shifting to

outsourcing firmFinancial Savings

Can be significant, esp for 24 hr monitoringFinding savings of 6x by outsourcing


Why do Organizations Outsource Security? (2)Threat intelligence / additional perspectives

Enormous volume of threat infoDifficult to keep up without full-time focus /

teamSmaller organizations cannot keep up

Managed System Security Providers (MSSPs) can helpMuch larger staff dedicated to intelligence

gathering / analysisMay be able to negotiate training for in-house

staffBut not always – vendors may consider info

proprietary


Risks of Outsourcing SecurityConflict of interest: profit rises as detection decreasesWhere is your organization on vendor’s priority list in

emergency?Are costs determined by number

of events? If so, how to monitor & prevent abuse?

Where are vendor’s employees? Offshore?

Is theft of intellectual property &industrial espionage major issue? (e.g., China, India)

How carefully does vendor verify employee backgrounds / qualifications?

Who monitors vendor’s employees when they are accessing your data?


How to Outsource Security Functions (1)SOW (Statement of Work)

Consider work volume when partitioning responsibilities

E.g., 1 case had administrative passwords stay under control of in-house staff

Non-administrative passwords delegated to vendorDetermine desired outcomes

QoS: Quality of ServiceSLAs: Service Level AgreementsE.g., reset password within 4 hours in 99% of cases


How to Outsource Security Functions (2)Choose reliable vendorEvaluate

Financial healthReliable infrastructureCompetent staffSatisfied customersVendor independenceAppropriate SLALegal safeguards


How to Outsource Security Functions (3)SLA (Service Level Agreement)

Outcomes desiredResponse timesRoles & responsibilitiesMetrics

Statistical quality controlContinuous process improvement

Ensure that vendor is free to report mistakesFocus on improvement, not penalties


Controlling Risk of Security OutsourcingContract-management skills essentialOngoing monitoring by clientCoordination with legal department

Prepare for failure of SLAs or QoSCoordination with in-house security staff

Continuity of operations part of BCPBe sure staff know what to do if service goes bad

Immediate revocation of access to service-providers’s copy of data & services if contract annulled

Especially important for high-level administrative accounts


DISCUSSION

OUTSOURCING

Documents

Transcript of OUTSOURCING