Offshore Outsourcing| Offshore Outsourcing Services| Flex Developer
OUTSOURCING
description
Transcript of OUTSOURCING
1 Copyright © 2014 M. E. Kabay. All rights reserved.
OUTSOURCING
CSH5 Chapter 68“Outsourcing & Security”
Kip Boyle, Michael Buglewicz, & Steven Lovaas
2 Copyright © 2014 M. E. Kabay. All rights reserved.
TopicsIntroductionWhy Outsource?Can Outsourcing
Fail?Controlling the
RisksOutsourcing
Security Functions
3 Copyright © 2014 M. E. Kabay. All rights reserved.
IntroductionOpening
RemarksDefinitionsDistinctionsInsourcingNearshoringOffshoring
4 Copyright © 2014 M. E. Kabay. All rights reserved.
Opening Remarks (1)“Outsourcing” encompasses different conceptsNeed different risk-management strategiesOutsource for efficiencies & effectivenessConsequences: environment can change fastKey issues for early 21st century for
outsourcing:Security problemsChina’s riseIndia’s growth & turmoilBlundersH-1B visa problemsSmall business outsourcingManaged services
5 Copyright © 2014 M. E. Kabay. All rights reserved.
Opening Remarks (2)Benefits possible:Self-knowledge improves when forced to articulate
needs, mission Clarify/institutionalize roles, goals, metricsRisk identification & mitigationFocus on core competencies
EffectivenessEfficienciesFocusDiscipline
Cost savings
6 Copyright © 2014 M. E. Kabay. All rights reserved.
DefinitionsVendor / contractor:
Arm’s-length entityProvides specific outsourced service(s)
Organization / business:Entity contracting for products / services
with vendorOutsourcing:
Fulfillment of specific business function(s)
By contracting with vendorTo perform in vendor’s facilities
Insourcing:Use of contract / noncompany employees
for specific in-house functions
7 Copyright © 2014 M. E. Kabay. All rights reserved.
DistinctionsMany applications of
out/insourcing possibleCall centerCorporate ITCorporate financeCorporate security
Must not impose one rigid framework
Different needs imply different priorities & methods
Identify core business missionsConsider moving non-core functions outside Or hiring contractors
8 Copyright © 2014 M. E. Kabay. All rights reserved.
InsourcingCommonplace to hire contractorsRisks
Workplace for outside employees is inside security perimeter
High potential for abuse if contractor dishonest
May not have same trust in contractors as in employees
Plan for coping with errors by contractorsMay need specific / separate security
classifications for employees, contractorsContractors may fail to comply with regulatory /
legal requirements if policies unclear
9 Copyright © 2014 M. E. Kabay. All rights reserved.
NearshoringOutsourcing specific discrete business
function to Same geographical
regionNearby regionBordering region
E.g., US nearshoring could include contracting
out to US firmOr Canadian or Mexican firms
Many large companies nearshore servicesEDS Agile, HP SMB Services, IBM Express
Advantage
10 Copyright © 2014 M. E. Kabay. All rights reserved.
OffshoringOutsourcing specific, discrete business
functions to vendor on another continentE.g., EU company outsources a function to
Indian companyConsiderable emotion in discussions Important to evaluate possibilities carefully
Understand your businessArticulate outsourcing / nearshoring /
insourcing goalsClear analysis of risks & management
issues
11 Copyright © 2014 M. E. Kabay. All rights reserved.
Why Outsource?
Effectiveness vs EfficiencyBeing EffectiveBeing Efficient
12 Copyright © 2014 M. E. Kabay. All rights reserved.
Effectiveness vs EfficiencyEfficiency: using optimal resources for
specific taskEffectiveness: getting the work done as
intended
13 Copyright © 2014 M. E. Kabay. All rights reserved.
Being Effective (1)Optimizing processes outside core competency is
wastefulCore competencies
Mission-critical tasks / functionsDirectly related to strategic goalsE.g., hospital / restaurant considers cleanliness
mission-criticalThat organization good at _____E.g., for specific firms,
Brand managementContinuous improvementSuperior retail serviceSupply chain managementLook / feel of products
14 Copyright © 2014 M. E. Kabay. All rights reserved.
Being Effective (2)Core competency requirements
Can be used to develop entirely new products / services
Provides significant customer benefits
Difficult for customers to duplicateAt least for a time
Core competency can provide competitive advantage(s)Therefore all other functions
candidates for outsourcingFocus resources on what counts
15 Copyright © 2014 M. E. Kabay. All rights reserved.
Being EfficientMeasuring efficiency
Direct cost minimizationE.g., UK companies save
~40% costs by using labor in India
Save ₤10M for every 1,000 jobs outsourced
Benefits of outsourcingDecreased capital investmentDecreased fixed costsIncreased variable costs vs fixed costs
Pay by volume of service / productsIncreased speed / reduction work cycle timeManagement focus – emphasize competitiveness
16 Copyright © 2014 M. E. Kabay. All rights reserved.
Can Outsourcing Fail?Yes, Outsourcing Can FailWhy Does Outsourcing Fail?Universal Nature of RiskClarity of Purpose & IntentPriceSocial Culture International EconomicsPolitical IssuesEnvironmental FactorsTravelLaborAdditional Risks
17 Copyright © 2014 M. E. Kabay. All rights reserved.
Yes, Outsourcing Can FailJP Morgan Chase (2004)
Terminated U$5B contract with IBMEDS (Electronic Data Systems)
Terminated U%1B contract to run Dow Chemical phone / computer networks
18 Copyright © 2014 M. E. Kabay. All rights reserved.
HealthCare.gov Failure (1)http://www.inquisitr.com/1211143/kathleen-sebelius-admits-obamacare-website-was-not-ready/
19 Copyright © 2014 M. E. Kabay. All rights reserved.
HealthCare.gov Failure (2)
20 Copyright © 2014 M. E. Kabay. All rights reserved.
Deloitte Consulting 2005 Study“Calling a Change in the Outsourcing Market”
Interviews with 25 large organizations in 8 sectors
70% respondents looking more cautiously at outsourcing due to bad experiences
25% canceled outsourcing when promised savings / higher efficiency failed
44% saw no cost savings
21 Copyright © 2014 M. E. Kabay. All rights reserved.
Why Does Outsourcing Fail? Danger when focusing primarily on cost reduction
But in 2004-2006, rate of cost-savings as primary driver rose from70% to 80% respondents
But including effectiveness can change evaluation
ProblemsMeasuring performance difficultFailure to create win/win situationDifficult to align goals of organization & vendorMust master new / more complicated communicationsMaintaining sufficient knowledge / skill in outside
workforceInsecurity perceived by internal employees & unionsContract termination can be disruptive to clients (lower
QoS)
22 Copyright © 2014 M. E. Kabay. All rights reserved.
Universal Nature of RiskGreatest cost: ignoranceGreatest price: failure
Poorly defined expectations / poor planning = doom
PlanningIA team should assess entire outsourcing
projectIA not only team involvedBut must not restrict IA merely to technical
detailsLiability remains with firm, not outsourcing
provider
23 Copyright © 2014 M. E. Kabay. All rights reserved.
IA Review of ProposalsWhat information
assets at risk?Value / sensitivity of
assetsCurrent / future “risk
shadow” due to outsourcing?
24 Copyright © 2014 M. E. Kabay. All rights reserved.
Clarity of PurposeMust articulate tasks
Rely on employees to define specificsConflict of interest: often those
defining tasks are ones to be fired after outsourcing!
PhasesAnalysis – define/document
workRFI (request for information)RFP (request for proposal)Vendor selectionTraining
Focus on mutually beneficial vendor relations
25 Copyright © 2014 M. E. Kabay. All rights reserved.
Risks Related to Clarity of PurposePoor identification / definition of
task(s)Employees defining tasks may be
training their replacementsWorkforce reduction traumatic
UncertaintyUnrestResentment
Lowered morale may have consequencesLost productivity (water-cooler
discussions)Insider sabotage
26 Copyright © 2014 M. E. Kabay. All rights reserved.
PriceBeware paper-thin profit
marginsVendor must also
survive and profitOtherwise see constant
corner-cuttingBeware short-term profit
evaluationsTake long-term viewClient must see
significant long-term profit
27 Copyright © 2014 M. E. Kabay. All rights reserved.
Social CultureVendor must cope with client culture
Be conscious of social norms across international boundaries
Client must evaluate differences in beliefs / attitudes / behaviorsEspecially important for outsourced client
contacts such as technical supportParkerian HexadParticularly timelinessSome hostility developing in USA towards
foreign accents (e.g., Indian) in support
28 Copyright © 2014 M. E. Kabay. All rights reserved.
International EconomicsKeep long-term economic developments in mind
Collapsing economy may terminate contractsVendor may go out of businessSocial disruption may stop
all businessOnce functions
outsourced, business continuity affected if supplier fails
Changes in exchange rate may affect costs if contract fails to stipulate client’s currency for charges
29 Copyright © 2014 M. E. Kabay. All rights reserved.
Political IssuesGraft / bribery vs national laws
(e.g., US legal restrictions on such payments)Foreign Corrupt Practices Act of
1977 (FCPA) (15 U.S.C. §§ 78dd-1, et seq.)
Opposing political forces’ attitudes to outsourcing vendors
Terrorism causing increasing concerns for vendors & clientsE.g., Taliban defines anyone doing business with
US / Intl armed forces as targetsRule of law: is there any (e.g., China, Burma)?
30 Copyright © 2014 M. E. Kabay. All rights reserved.
Environmental FactorsHow likely are natural disasters in remote
location?Could natural disaster trigger political
collapse?What is host country’s capacity for recovery
from environmental disaster? Will regional infrastructure cope with
disruptions to maintain QoS / SLA?
31 Copyright © 2014 M. E. Kabay. All rights reserved.
TravelEmployees will have to visit vendor or
clientTrainingQuality controlManagement coordination
Keep in mindTravel costs ($$, productivity,
morale)Employee safety / health (food,
disease, war, insurrection, kidnapping)
Delays for travel documents (e.g., visas)
32 Copyright © 2014 M. E. Kabay. All rights reserved.
LaborRisks
Turnover (requiring more training)
Escalating wagesWork stoppagesCost growth
Examine history & forecastsSupply of workersWorker exploitation (may violate
client country’s laws & affect public image, employee morale – or lead to boycotts)
33 Copyright © 2014 M. E. Kabay. All rights reserved.
Additional RisksLoss of corporate
expertiseLoss of direct
control Internal changes
in corporate purposeMoving from doers
to managers of doersOverhead of ongoing contract management
34 Copyright © 2014 M. E. Kabay. All rights reserved.
Controlling the RisksControls on What?Controlling Outsourcing
RiskAvailability ControlsUtility ControlsIntegrity & Authenticity
ControlsConfidentiality &
Possession ControlsMaking the Best of
Outsourcing
35 Copyright © 2014 M. E. Kabay. All rights reserved.
Controls on What?Players
PeopleCorporationsSocietiesGovernments
Focus primarily on organizational behaviorPolicies, contracts, agreements, trust relations
criticalInformation security policy criticalCoordinate with legal dept: contracts / site
selection / politics / economics / separation of duties
36 Copyright © 2014 M. E. Kabay. All rights reserved.
Controlling Outsourcing RiskUse Parkerian Hexad as framework for analysis / remediationConfidentialityControl or Possession IntegrityAuthenticityAvailabilityUtility
37 Copyright © 2014 M. E. Kabay. All rights reserved.
Availability Controls & Outsourcing Infrastructure can be determinant
E.g., trans-Pacific cable cut Feb 2007Most of Asia inaccessible to North America via
InternetDistance increases risk of interruption
Backup strategy criticalBCP essential for vendor & client sitesConsider backup vendor contracts
SLA may be unenforceable if no rule of lawEvaluate possible vendor(s) carefully
Site visitsNews / government reports
Monitor situation in vendor locale continuously
38 Copyright © 2014 M. E. Kabay. All rights reserved.
US Dept of State Country Reports
http://www.state.gov/countries/
39 Copyright © 2014 M. E. Kabay. All rights reserved.
Utility Controls & OutsourcingCareful version controlEncryption recovery (for forgotten keys)
Beware national/international restrictions on encryption technologies
Beware incompatible formatsLanguage issues
AccentsWord usageWriting
40 Copyright © 2014 M. E. Kabay. All rights reserved.
Integrity & Authenticity Controls & Outsourcing Prevent unauthorized or accidental modifications Analyze vendor’s history / reputation But effective collaboration may required access to sensitive
corporate data Trust infrastructure
Access control mechanismsRBAC* / least privilege important
Division of laborDelegation of responsibilitiesVendor must not be able to change
structure Monitoring incorporated into contracts
Audits – preferably unannouncedWhere are backups kept?Change-tracking on servers
*Role-based access control
41 Copyright © 2014 M. E. Kabay. All rights reserved.
Confidentiality & Possession Controls & Outsourcing (1)Outsourcing inherently compromises
confidentiality & controlDecide if balance is positiveLaws may protect balance – if
there is in fact rule of law on both sides
HSBC call center – Bangalore, India – 2006Employee arrestedHacked into bank’s computersStole ₤233,000Hired because of forged high-school transcriptsOnly criterion for hiring was English skills
42 Copyright © 2014 M. E. Kabay. All rights reserved.
Confidentiality & Possession Controls & Outsourcing (2)
Constant monitoring / auditClear terms of contractUnannounced auditsMonitor log files, real-time
security toolsMay replace absent laws by
contract termsFailure of security termination of contractMay not help if legal process in vendor’s countryBut could help in client’s country
43 Copyright © 2014 M. E. Kabay. All rights reserved.
Making the Best of OutsourcingCareful planningCareful implementationFocus on trust & monitoring
“Trust, but verify”Plan for threats to availability
BCP / DRPTraining, liason Integrate security into contract terms
44 Copyright © 2014 M. E. Kabay. All rights reserved.
Outsourcing Security FunctionsOverview of Security OutsourcingWho Outsources Security?Why do Organizations Outsource
Security?Risks of Outsourcing SecurityHow to Outsource Security FunctionsControlling Risk of Security
Outsourcing
45 Copyright © 2014 M. E. Kabay. All rights reserved.
Overview of Security OutsourcingCan improve overall security
Take advantage of specialized security expertise / experience / perspective
Depends on vendor’s history / reputationContracted security-guard force commonplace
Example of insourcing Increasing use of security-service vendors
NearshoringIncludes software testing for security
vulnerabilities
46 Copyright © 2014 M. E. Kabay. All rights reserved.
Who Outsources Security?2004 study
Large firms (revenues U$12B/year)Outsource security 2x as often as
smaller firmsGartner predicted doubling of US market
2001-2009Managed-security service providers (MSSPs)
Grew 20%/year 2004-2007Counterpane (IDS monitoring)Postini (antispam)
47 Copyright © 2014 M. E. Kabay. All rights reserved.
Why do Organizations Outsource Security? (1)Staffing Challenges
Training & retentionKey to success is deep
understanding of specific business
Should always look for ways of focusing employees on mission-critical functions
Distribute less taxing, routine jobs to othersSave on constant training costs by shifting to
outsourcing firmFinancial Savings
Can be significant, esp for 24 hr monitoringFinding savings of 6x by outsourcing
48 Copyright © 2014 M. E. Kabay. All rights reserved.
Why do Organizations Outsource Security? (2)Threat intelligence / additional perspectives
Enormous volume of threat infoDifficult to keep up without full-time focus /
teamSmaller organizations cannot keep up
Managed System Security Providers (MSSPs) can helpMuch larger staff dedicated to intelligence
gathering / analysisMay be able to negotiate training for in-house
staffBut not always – vendors may consider info
proprietary
49 Copyright © 2014 M. E. Kabay. All rights reserved.
Risks of Outsourcing SecurityConflict of interest: profit rises as detection decreasesWhere is your organization on vendor’s priority list in
emergency?Are costs determined by number
of events? If so, how to monitor & prevent abuse?
Where are vendor’s employees? Offshore?
Is theft of intellectual property &industrial espionage major issue? (e.g., China, India)
How carefully does vendor verify employee backgrounds / qualifications?
Who monitors vendor’s employees when they are accessing your data?
50 Copyright © 2014 M. E. Kabay. All rights reserved.
How to Outsource Security Functions (1)SOW (Statement of Work)
Consider work volume when partitioning responsibilities
E.g., 1 case had administrative passwords stay under control of in-house staff
Non-administrative passwords delegated to vendorDetermine desired outcomes
QoS: Quality of ServiceSLAs: Service Level AgreementsE.g., reset password within 4 hours in 99% of cases
51 Copyright © 2014 M. E. Kabay. All rights reserved.
How to Outsource Security Functions (2)Choose reliable vendorEvaluate
Financial healthReliable infrastructureCompetent staffSatisfied customersVendor independenceAppropriate SLALegal safeguards
52 Copyright © 2014 M. E. Kabay. All rights reserved.
How to Outsource Security Functions (3)SLA (Service Level Agreement)
Outcomes desiredResponse timesRoles & responsibilitiesMetrics
Statistical quality controlContinuous process improvement
Ensure that vendor is free to report mistakesFocus on improvement, not penalties
53 Copyright © 2014 M. E. Kabay. All rights reserved.
Controlling Risk of Security OutsourcingContract-management skills essentialOngoing monitoring by clientCoordination with legal department
Prepare for failure of SLAs or QoSCoordination with in-house security staff
Continuity of operations part of BCPBe sure staff know what to do if service goes bad
Immediate revocation of access to service-providers’s copy of data & services if contract annulled
Especially important for high-level administrative accounts
54 Copyright © 2014 M. E. Kabay. All rights reserved.
DISCUSSION