Under what circumstances, if any, would it make sense for a business to outsource information-security functions offshore?
Our advice: The question is a two-pronged one because it involves making two decisions:
Whether to outsource the security function; and
Whether to outsource offshore as opposed to onshore.
What Security To Outsource?
Here are the typical services of a security-services vendor:
Intrusion-detection systems that monitor your network for suspicious activity and prevent attacks
VPNs that secure the privacy of data communications
Strong authentication devices that identify users before granting access to information resources, and permit remote users to securely connect to corporate intranets
Virus, vandal, and Web-site-blocking services that filter malicious data and control website access; and
Network scanning services that scan your network to identify potential vulnerabilities and recommend fixes.
Any and all of the above may be outsourced for cost savings, increased reliability, and better monitoring.
However, when it comes to moving the security function offshore, several other considerations come into play.
In outsourcing the security function offshore, one can control the incidence of virus attacks, system failures, denial-of-service attacks, Web-site and E-mail intrusion, etc. The greatest cost of security breaches, however, is the loss of confidential data. By outsourcing security offshore, are you opening yourself to the possibility of further loss of confidential data by involving a third party, which could possibly be located half-way around the globe, to "secure" your network and IT infrastructure?
Challenges Of Offshoring Security
The challenges associated with working with an offshore security-services partner include:
The geographic distance results in a partial loss of control over the security function.
Laws and government philosophies may not be in alignment with what we are familiar and comfortable with in the U.S.
It requires additional due diligence, above and beyond that required for onshore outsourcing of the security function.
There is currently an insufficient number of qualified information-security resources in offshore destinations.
Overcoming These Challenges
There are challenges if you choose to offshore security. Remember, "offshoring begins onshore." Here are some suggestions:
Conduct all the due diligence required during the qualification stage, prior to signing an outsourcing contract. Integrate security clauses upfront.
Be heavily involved in the initial stages of security technology selection and procurement.
Continuously supervise and monitor the security function and related processes. Periodically conduct detailed audits to ensure compliance with corporate security standards.
Maintain a close working relationship between onshore management and the offshore provider.
Work to mitigate the cultural issues in industry compliance and regulation.
Perform background checks on local staff, including checking criminal records.
Conclusions And Recommendations
Under what circumstances does it make sense for a business to outsource the information security function offshore?
When there is a well-defined security function within the organization, with clear parameters and standards that can be communicated via the outsourcing service-level agreement.
When there's synergy between the business and the vendor, and both have conducted their due diligence to ensure the ability to comply with the information security function.
When the business is willing and able to allocate resources to the management and supervision, including periodic audits, of the outsourced security function; and
When the business is willing and able to take ultimate responsibility for any possible breakdown in the information-security function, onshore or offshore.
Don't give away the keys to the kingdom, but rather use diligent outsourcing of information security to enable you to focus on your core competencies.
Beth Cohen, TAC Thought Leader, has more than 20 years of experience building strong IT-delivery organizations from user and vendor perspectives. Having worked as a technologist for BBN, the company that literally invented the Internet, she not only knows where technology is today but where it's heading in the future.
Sanjay Anand, TAC Expert, has more than 20 years of IT and business-process management experience as a strategic adviser, certified consultant, speaker, and published author. More than 100 personal clients, large and small, have included companies from a diverse array of industries and geographies, from academia to technology and from Asia to the Americas. He is often referred to as a "consultant's consultant" for his training and mentoring skills. He is the author of the books "The Sarbanes-Oxley Guide for Finance and Information Technology Professionals" and "J.D. Edwards OneWorld: A Beginner's Guide."