Kip Boyle, Michael Buglewicz, and Steven Lovaas
68.2.1 Effectiveness versus Efficiency
68.3.1 Why Does Outsourcing Fail?
68.3.2 Universal Nature of Risk
68.3.3 Clarity of Purpose and Intent
68.3.6 International Economics
68.4.2 Controlling Outsourcing Risk
68.4.5 Integrity and Authenticity Controls
68.4.6 Confidentiality and Possession Controls
68.4.7 Making the Best of Outsourcing
68.5 OUTSOURCING SECURITY FUNCTIONS
68.5.1 Who Outsources Security?
68.5.2 Why Do Organizations Outsource Security?
68.5.3 What Are the Risks of Outsourcing Security?
68.5.4 How to Outsource Security Functions
68.5.5 Controlling the Risk of Security Outsourcing
The term “outsourcing” has come to identify several distinct concepts, each requiring a different risk management strategy. In this chapter, we examine today's practice of outsourcing and the effects and considerations it has, or should have, on the work of information assurance professionals.
Organizations (companies, nonprofits, government agencies, etc.) outsource to gain efficiencies and effectiveness. The efficiencies gained, however, do have consequences. An outsourcing strategy of implement-it-and-forget-it is unwise, as the outsourcing environment can change quickly and dramatically.
Michael Cooney points out some of the significant considerations and problems facing the outsourcing world at the end of the first decade of the 21st century:
Despite the negative overtones that sometimes accompany the practice of outsourcing, there can be great benefits. Here are a few:
Vendor or contractor—an arm's-length entity providing an outsourced service
Organization or business—the entity contracting for its products or services with a vendor
Outsourcing—the fulfillment of a specific business function or functions by contracting with a vendor to perform within the vendor's own facilities
Insourcing—the commonplace use of contract or noncompany employees to fulfill certain business functions within the physical and logical corporate boundaries
The risks and considerations of outsourcing an inbound call center, outsourcing a corporate IT function, insourcing a corporate finance function, insourcing an HR function, or a combination of insourcing and outsourcing of a corporate security function all require different perspectives and tactical activities. Despite the commonalities among outsourcing functions (e.g., connectivity, user management, definition of task, measurements of effectiveness, goals and objectives), the same outsourcing blueprint for an inbound call center would not serve for outsourcing corporate security. The objectives, rules, policies, risks, and rewards for each scenario are distinct and require customized attention.
Outsourcing decisions depend on which functions an organization decides it should perform for itself to maintain effectiveness and which functions would be performed more efficiently or more effectively by a vendor. Outsourcing also implies that an organization does not have, does not want to have, and cannot or will not have a specific expertise as part of its core business missions.
Insourcing is an accepted business practice; the government and many of today's large corporations hire contractors who work as insourcers within the physical and logical boundaries of their organization.
Insourcing poses risks to an organization because the place of work for the insourcer (vendor) is often within the physical boundaries of the organization—well within the physical perimeter, and in many cases, inside the logical perimeter defenses of the corporation. The contract worker is not an employee, but in most cases the contractor enjoys the same accesses as employees for the duration of the contract.
The defenses used for external protection are not as effective (if at all) against an insider with malicious intent. Security considerations regarding an insourced contractor require a different approach, more similar to layered security strategies employed for internal company resources.
Besides traditional IT security concerns, for these outsiders with insider access, the problems of human error, omissions, or complete bungling must be addressed. Security from external sources does not normally include internal human-error considerations. Before considering insourcing, an organization should already have a formal risk management strategy (quality control) for internal human errors as well as for insider espionage and other insider threats.
An insourced contractor is not a full-fledged member of an organization and frequently resides somewhat outside of internal controls, thus requiring a separate and recognized classification and specific handling appropriate to the role. The General Accounting Office recently conducted a study of four federal agencies that rely on contractors to collect certain data on American citizens. The study found that “[a]gencies often do not limit the collection or use of information as required by the Privacy Act of 1974,…agencies don't ensure the accuracy of information…[and] contractors are not bound by those fair information practices and they often don't comply with all of them.”2
Sound risk management requires acknowledgment and recognition that significant and substantial risks exist when insourcing. Attention to detail, a reality-based risk assessment, clearly articulated risks, attainable observations, and concrete audit points are all essential to manage successfully the insourced contractors and their mission. (See Chapters 13 and 45 in this Handbook.)
Nearshoring is the outsourcing of a specific discrete business function to a vendor located within the same, a nearby, or a bordering geographic region.
In some cases, an international outsource vendor will place components of its business in a specific country to acquire work within that country. For example, a U.S.-based outsource vendor will often position its operations in the United States to fulfill contracts from companies in the United States. Nearshoring can also include outsourcing to a bordering or regional country that shares a common cultural knowledge and understanding, as when a U.S. organization outsources to a group in Canada or Mexico.
Many of the largest technology companies in the world are also some of the largest nearshoring vendors. “Productized offerings from the large outsourcers include service desks, desktop management and specialized network offerings. Examples include EDS Agile, HP SMB Services, and IBM Express Advantage.”3
During the opposition to outsourcing that occurred in the first few years of the 21st century, the negative connotations of outsourcing were sometimes blunted when organizations nearshored their outsourcing work. The move toward globalization, and the painful lessons it taught certain nation-centric IT organizations, seemed easier to comprehend and accept if those jobs went to vendors located in relative proximity.
Offshoring is the outsourcing of specific, discrete business functions to a vendor whose corporate headquarters, or whose employees fulfilling the outsourced function, reside and work on another continent, as when a European company outsources to a company based in India.
Perhaps the most controversial kind of outsourcing, offshoring evokes a strong response, both in countries that move work offshore and in offshoring destinations. Nationalism, job security, self-interest, and a host of other emotions, both rational and irrational, seem to be part of every discussion. Those concepts, along with many others, are examined in Thomas Friedman's cornerstone book on outsourcing, The World Is Flat.4 Friedman's perspective organizes the many disparate elements converged to “flatten the world” and to create a truly global work environment.
Regardless of the reasoning behind the decision, offshoring involves different considerations from insourcing and nearshoring. Fundamental business tasks taken for granted in a single geopolitical environment require different considerations when offshoring. Many of the questions should be asked and answered long before addressing the ability of the offshore vendor and its employees simply to do the job.
Despite all of these complications, offshoring is an established business practice and successfully accomplished every day. However, the rules that make offshoring successful will make any other business successful:
There are two main drivers behind the growth of outsourcing today: the never-ending quests for greater organizational effectiveness and for greater efficiency. These drivers have come to the forefront of our economy because of the shift in strategic business thinking, begun in the 1990s, that is still affecting the way organizations are managing their businesses and serving their customers.
Being efficient implies using an optimal amount of time and energy for getting a task done. In contrast, being effective means accomplishing the intended consequences of the task.
Historically, management has been primarily interested in increasing the efficiency of important business processes. But since the late 1980s, enlightened managers have realized that it can be very wasteful to try to optimize a process that does not lie within the core competency of the organization.
What are an organization's core competencies? A core competency is a mission-critical task or function that an organization is good at. “Mission-critical” refers to functions that are directly related to the strategic goals of the organization; for example, a hospital or a restaurant will consider cleanliness a mission-critical goal, whereas an automobile repair facility probably would not. Examples of core competencies may include reliable processes (e.g., Procter & Gamble's consumer brand management or Toyota's mantra of continuous improvement); a unique way of relating to customers (Nordstrom's superior retail service) or to suppliers (Boeing's supply chain management); or the particular look and feel of products or services (Apple's computers and iPods). A core competency also must meet these three conditions:
If all three conditions are met, then a core competency can provide an organization with a true competitive advantage, which is a highly prized organizational asset, and which must be continuously guarded lest the competitive advantage be lost. A corollary is that all other functional areas, which are not within the core, are candidates for outsourcing.
By delegating tasks to vendors, an organization's management may concentrate more fully on its core business. Ideally, this will allow the organization to use its limited financial, talent, and other resources in the most productive manner. Knowing which activities an organization should perform, and which it should not, is the heart of being effective.
Assuming one is doing the right things (i.e., being effective), the next logical question is whether one is doing them as efficiently as possible. Is the organization using the optimal amount of resources while still achieving its quality and quantity goals? This question is important both to outsourcing organizations and to vendors performing outsourced work.
How can one measure efficiency? An often-sought-after outcome of efficiency is direct cost minimization. The idea of using outsourcing to achieve direct cost cutting is attractive. For example, according to a 2005 article appearing in Mortgage Strategy, British companies can save up to 40 percent by outsourcing all kinds of jobs to India. These companies report savings of a minimum of £10 million each year for every 1,000 jobs they outsource.6
In addition to direct cost reduction, other financial benefits of outsourcing to increase efficiencies include:
Another positive outcome of outsourcing is increased speed or work cycle time. By hiring a vendor located in India to test the quality of software written in the United States, an organization can perform software development work nearly 24 hours per day. Each morning upon return to work, U.S. programmers would have the results of testing in India and could begin making corrections right away. By using this “follow the sun” approach, an organization can gain a speed advantage over its rivals.
Possibly the greatest aspect of efficiency that outsourcing can deliver is management focus. There can be great value in focusing a company's management team directly on those activities that differentiate it from the competition. Whenever a management team is focusing on noncore functions, it is usually operating not from a position of strength but from one of weakness. By definition, the team is not expert at noncore activities. In these cases, the team can spend too much time trying to understand and manage something that does not differentiate the organization from its competitors. If the noncore activities require too much management time and attention, there is a real risk that the core competencies of the organization may decrease in value. In the most serious of cases, an organization can lose its competitive edge completely, driving down sales, revenue, and profits.
Yes, outsourcing can fail. For example:
In 2004, J.P. Morgan Chase & Co. reassumed main technology functions following its merger with Bank One Corp., abandoning a U.S.$5 billion pact with International Business Machines Corp. The same year, Electronic Data Systems Inc. abandoned a U.S.$1 billion deal to run Dow Chemical Co.'s phone and computer networks.7
Deloitte Consulting's 2005 study, “Calling a Change in the Outsourcing Market,” offers evidence that large organizations do not always achieve great efficiencies from outsourcing. The study, based on personal interviews with 25 of the largest organizations across eight industry sectors, reveals that:
There are many risks to outsourcing, but direct cost reduction, often a top goal of outsourcing, can create the greatest risk of all. Indeed, “outsourcing deals most frequently stumble when they focus primarily on reducing costs.”9 Despite this observation, in a set of recent surveys, the rate of cost reduction as a driver for offshoring has been growing. From 2004 to 2006, the rate went from just over 70 percent of respondents to just over 80 percent.10
Total expenditure on outsourcing can meet or exceed the baseline of spending established prior to outsourcing. Although this may not be an inherently bad situation, management may perceive the experiment as a failure if the organization approaches outsourcing opportunities primarily to cut costs. However, if seen from a perspective of effectiveness rather than simply of efficiency, the outsourcing activities may be quite successful.
There are many other business reasons why outsourcing can fail. Looking more closely at the organization's perspective within the typical loss scenarios, in many cases the failure occurs because of one or more of these reasons:
Even when outsourcing appears to succeed from an operational perspective, there may be hidden inefficiencies in information protection that can decrease the overall value of the activity.
Risk is inherent in virtually every human activity. One of the distinct advantages of an organized society is the ability of that society to distribute risk. Thus, not every member of society need manage every single risk.
When outsourcing, the greatest cost is that of ignorance, and the ultimate price is failure. Poorly defined expectations and poor planning, resulting from a fundamental ignorance of a business, will doom any corporate project, including outsourcing.
During early planning phases of the outsourcing project, it is prudent for the information assurance team to assess the entirety of the outsourcing project. However, information assurance does not have to own all aspects of the project; it is enough that the information assurance group should possess an end-to-end perspective, so that it can appropriately assess risk.
To relegate information assurance only to technical security tactics and practices is a serious error. Regardless of the vendor, the ultimate accountability (referred to as responsibility) stays with the firm. “One thing that can't be outsourced—responsibility…. Everything from employee policies to customer satisfaction to ethical and legal issues roots back to the impact on shareholder value. These responsibilities stay with the firm regardless of the functions that have been outsourced.”12
The vendor, however, is accountable for carrying out all elements of the contractual agreement.
Thus, at the earliest planning stages, an information assurance review includes the overall scope of the outsourcing project. Questions should include:
The responses to these questions provide the foundation for the outsourcing project as well as the degree of involvement from the information assurance community after that preliminary review.
Planning complex endeavors normally proceeds by careful identification and examination of concepts that move from general to specific. The sections that follow include broad categories for consideration at the onset of the outsourcing project. These categories require in-depth examination, as they relate to the specifics of each unique outsourcing project.
To outsource, one must possess the ability to articulate the task and to focus on creating a mutually beneficial vendor relationship. Poorly defined tasks lead to frustration and to unstructured attempts to meet inchoate needs instead of to measurable objectives—limitations that cause both organization and vendor to fail.
Corporations depend on current employees to articulate the soon-to-be-outsourced task. Ironically, those employees best suited to articulate the task are frequently those whose jobs are most at risk after the successful implementation of the outsourcing project. This conflict of interest is a risk consideration that must be addressed. Several phases of outsourcing include, but are not limited to, the collection and documentation of task knowledge for outsourced functions, vendor solicitation such as the request for information (RFI) or the request for proposal (RFP), vendor selection, and training.
Vendor selection is itself a key and integral part of the risk management of outsourcing, hence the importance of identifying, articulating, and quantifying the outsourcing goals. Once vendor selection occurs, corporate employees train vendor personnel on the outsourced functions. When the vendor personnel are trained and functional, most outsourcing results in the redeployment or release of corporate employees who fulfilled the specific task prior to outsourcing.
Risks related to clarity of purpose and intent include:
One of the largest risks of outsourcing is the formation of an unstable relationship with the vendor. When margins are paper-thin, security of corporate data often becomes the first victim. Recent findings from IT research firm Gartner indicate that a significant number of CIOs still look at outsourcing in terms of near-term profitability.
As a result, they're setting themselves up for failure…. By 2008, more than 2.3 million offshore service workers will be employed by U.S. companies. But according to a recent Dun & Bradstreet survey, 20% of those outsourcing relationships will fail in the first two years, and 50% within five years.13
Risks related to price issues include:
The vendor must understand and address the social culture of the outsourced task, and the differences from its own. Vendors must understand, absorb, and fulfill the outsourced task, under the same social norms as the sponsor organization. Cultures around the world have different societal norms, expectations, and nuances regarding confidentiality, possession, integrity, authenticity, availability, and utility. Vendors must be able to respond, react, and live within both the social culture they serve and their home culture.
Risks related to social culture include:
The organization not only needs to understand its corporate and customer economics; it also must have a very deep and forward-looking view into the economic horizon of the vendor's geopolitical economy.
There are many willing vendors in emerging and low-cost labor markets. Without a clear understanding of the economic future of the vendor's country, a corporation can easily find itself tied to a vendor in an eroding or imploding economy.
Risks related to economic issues include:
Regardless of whether the vendor is nearshore or offshore, the organization must have a very clear understanding, perspective, and acceptance of the political nuances in the vendor's country.
Political nuances and practices differ in every country. Acceptable behavior in one country may be reprehensible in another. Corporations must consider how political nuances intertwine with corporate objectives and policies.
Corporations must also be aware of and acknowledge the new risks and instabilities of the new century, and factor them into every nearshoring and offshoring outsourcing effort.
The terrorist attacks Tuesday on trains in the western India city of Mumbai appeared unlikely to dampen investments and outsourcing to India…. The government also found evidence from terrorists killed in an encounter last year that they were targeting India's successful outsourcing industry.14
Risks related to political issues include:
Site selection is one of the fundamental building blocks in any outsourcing project and a topic worthy of careful examination by itself. (For additional details, see Chapter 23 in this Handbook.)
Risks related to environmental factors include:
Whether nearshore or offshore, outsourcing will likely, and with regularity, send employees to the vendor for training, quality control, and other management functions. Important travel considerations focus on the costs of travel as well as on employee safety and health, addressing such issues as travel safety, food safety, medical preparations (immunizations, malaria pills, etc.), and locally available medical care.
Risks related to travel include:
Labor and workforce risks occur everywhere from Detroit, Michigan, to the Philippines and Bangalore, India. Without a clear understanding of the risks particular to the vendor's region, a corporation could find itself in a quagmire of constant turnover, escalating wages, work stoppages, and unfettered cost growth.
Careful examination of current and forecasted workforce trends is core to the vendor selection process. As outsourcing sites gain in popularity, wages escalate, driven by competition for workers. Once a corporation moves key functions to a vendor, previous cost savings could be lost if workforce conditions change for the worse. Important considerations include current and forecasted worker supply, the vendor's ability to retain employees (as evidenced by annual turnover rates), the propensity for collective bargaining in the vendor's country, and the stability of the government and the opposition's tactics.
Additionally, understanding the history of strikes or work stoppages in the vendor's location is a necessary preparation. For example:
Political strife led to a shutdown Oct. 4 of most major outsourcing companies in Bangalore…. In April, Bangalore shut down for two days when citizens rioted following the death of Indian film icon Rajkumar. Published reports said the country's software companies lost $40 million in revenue.15
As mentioned in Section 68.3.6, the economic conditions in the offshore location should be followed carefully. Some countries suffering inflation may push workers toward collective action. For example, in April 2008, 20,000 Vietnamese workers at a factory making shoes for Nike went on strike to demand increased wages to keep pace with inflation.16
Another issue is whether worker exploitation (e.g., wages below a reasonable minimum, child labor, slave labor, unhealthful working conditions) exists in the offshore location, or is practiced by the outsourcing vendor. Do such practices pose a threat to the morale and reputation of the outsourcing organization?17
Although the preceding lists may seem expansive, there are still many other fundamental and significant elements that must be part of any outsourcing decision-making process. Other complex and, in some cases, deeply fundamental considerations are:
Understanding all of the risks allows the prepared organization to knowingly accept, mitigate, transfer, or ignore risks associated with the outsourcing project.
Outsourcing is an area in which the motto “Security transcends technology”18 holds particularly true. Almost none of the threats to information itself, or to information technology, is unique to an outsourced environment, although some may grow more dangerous in far-removed or foreign locales. Outsourcing does involve some serious security issues, but most—at first glance—might appear to be indirect threats to information assurance.
Most of the security issues of outsourcing involve people, corporations, societies, and governments. Security controls to mitigate the risks of outsourcing have little to do with technology such as computers and a great deal to do with organizational behavior. Since contractors perform crucial tasks but often are geographically far removed from those ultimately accountable for the tasks, the policies, contracts, agreements, and trust relationships that the organization has set up in advance will dictate the success of the endeavor. In particular, the organization's information technology security policy takes on a much more visible role. The technological controls involve the assurance of interpersonal notions like trust and accountability, and are perhaps overshadowed by concern with legal matters, site selection, contractual obligations, politico-economics, and separation of duties.
Many of the risks described in Section 68.4 transcend the boundaries of individual risk types but are similar to other risk areas in the way they map to the six security foundation elements.19 It seems appropriate, then, to couch the discussion of controls in terms of the security foundations. This section focuses on controls that mitigate, for instance, confidentiality concerns in outsourced environments, touching on how the controls might affect the risk classes differently. Since part of the scope of this chapter is the outsourcing of security functions, some of the controls mentioned do not immediately appear to relate to information assurance but may affect other success metrics.
When resources are local, the primary source of problems that can lead to a loss of availability has to do with physical and logical infrastructure. When resources are remote, the infrastructure issues are still important, and can indeed be more problematic. A good example of this difference is the February 2007 trans-Pacific cable cut that made much of Asia inaccessible over the Internet. The farther the vendor from the home company, the more difficult and expensive it can be to acquire an alternate route for communications.20
Mitigation of availability risk revolves around planning. Sound backup strategies and business continuity plans should already be in place for the organization; the outsourcing project should also have these plans, both for the vendor site and for the staff at the home organization responsible for vendor communications. Given the economic, political, and environmental concerns that could lead to total (and possibly permanent) unavailability of the outsourced site, a backup vendor should be in place for disasters. These kinds of controls would be appropriate for natural disasters, labor strikes, terrorism, and a variety of other risks to availability. (For much greater detail on backups, business continuity planning and disaster recovery, see Chapters 57, 58, and 59 in this Handbook.)
If the vendor is in a foreign country where laws and contracts are enforced differently (or not at all), a service-level agreement incorporated into disaster planning might turn out to be a hollow, unenforceable contract.21 Part of the evaluation of any outsourcing decision should be a visit to the site, including inspection of policy documents and physical tours of facilities. The organization needs to be sure that controls at the vendor site really do mirror the vendor's policy and contract documents.
Beyond making sure that plans are in place against unavailability, the organization must be able to check up on the performance of the vendor. The agility required to switch to a backup vendor becomes much more possible with advance notice for at least some of the possible outages. For instance, if the availability of a site relates to escalating economic problems causing workforce shortages, a periodic analysis of the regional news media, and of the vendor's work performance, might give hints of problems on the horizon. Automated checking is appropriate as well, especially to keep track of network resources when access traverses the public Internet. Ultimately, for both people and technology, mitigating the risks of outsourced availability comes down to planning and monitoring.
The utility of information (and of remote resources) hinges mostly on communication—both format and process. Careful version control avoids incompatible data. Encryption recovery agents can avoid the loss of utility if a user forgets a decryption password, but national and international restrictions on encryption must be kept in mind when planning the use of encryption across national borders.22 These utility issues are common to any organization. With outsourcing, incompatible formats become more of a problem, especially with offshoring. If an application written in the United States uses ASCII encoding, but the vendor has applications that use Unicode, format issues can arise that need to be accounted for and solved. Although these problems may not become apparent immediately, planning for them must occur well in advance.
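The ASCII-versus-Unicode mismatch described above can be caught at the interface rather than discovered as corrupted data. The following is an added example, not code from the chapter; it assumes the vendor delivers UTF-8 text (the declared encoding is whatever the interface specification says), uses a constructed sample record, and shows the check, the strict-decode failure, and a lossy transliteration that reports what could not be represented rather than silently replacing it.

```python
"""Boundary check for records exchanged between an ASCII-only home application
and a Unicode-aware vendor application (added example, not from the chapter).
Assumption: the vendor's declared interchange encoding is UTF-8."""
import unicodedata
from typing import List, Tuple

# Constructed sample record as the vendor would deliver it (UTF-8 bytes).
VENDOR_RECORD_UTF8 = "Customer: José Müller, Straße 5\n".encode("utf-8")


def ascii_safe(data: bytes) -> bool:
    """True when every byte is 7-bit ASCII, i.e. safe for the legacy application."""
    return all(b < 0x80 for b in data)


def decode_strict(data: bytes, declared: str) -> str:
    """Decode with the encoding the interface specification declares.
    A UnicodeDecodeError on mismatch is preferable to silent mojibake, which is
    what a lenient decode (e.g. latin-1) would produce for these bytes."""
    return data.decode(declared)


def normalize_for_ascii_app(text: str) -> Tuple[str, List[str]]:
    """Transliterate to ASCII where compatibility decomposition allows it
    (é -> e, ü -> u) and report every character that has no ASCII form,
    so the loss of utility is visible to the operator instead of hidden."""
    decomposed = unicodedata.normalize("NFKD", text)
    out: List[str] = []
    dropped: List[str] = []
    for ch in decomposed:
        if ord(ch) < 0x80:
            out.append(ch)
        elif unicodedata.combining(ch):
            continue  # accent mark left over after decomposition; drop it
        else:
            dropped.append(ch)  # no ASCII equivalent (e.g. ß)
            out.append("?")
    return "".join(out), dropped


def process_vendor_record(data: bytes, declared: str = "utf-8") -> Tuple[str, List[str]]:
    """Accept a vendor record for the ASCII-only application.
    Returns the ASCII text and the list of characters that could not be kept."""
    if ascii_safe(data):
        return data.decode("ascii"), []
    return normalize_for_ascii_app(decode_strict(data, declared))


if __name__ == "__main__":
    text, lost = process_vendor_record(VENDOR_RECORD_UTF8)
    print(text.strip(), "| unrepresentable:", lost)
```

In practice the `dropped` list should feed a log or rejection path so the records with unrepresentable characters are reconciled with the vendor rather than quietly degraded.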
Human communication is also an issue with outsourcing. Even if the organization's native language is spoken by employees in the outsource vendor's site, it may not be their first language. Spoken communication (e.g., at a help desk) can suffer greatly if a technician's accent is too difficult for employees and customers of the outsourcing organization to understand. Similarly, written documentation and regular reports can lead to misunderstandings if language skills are not adequate. Either of these situations becomes manageable through advance planning for workforce training and through on-site liaison from the home organization, especially early in the relationship.
The risk that the organization's data might be changed unknowingly, or replaced with other data, hinges on trust. Any time crucial business functions are given to an outside entity, trust issues arise. The organization must understand how much information is being shared, and with whom. Role-based access control and the principle of least privilege are appropriate here: Based on its role of supporting a particular business function, what is the minimum amount of privilege the vendor needs to do its job? Nevertheless, to be an effective support organization, the vendor may need access to corporate information that could prove damaging if misused.
From the perspective of integrity and authenticity controls, the decision to outsource must be accompanied by a decision about levels of trust. This trust should include an analysis of the vendor's history and reputation as well as a visual inspection of the site. The “trust infrastructure,” which would include access control mechanisms as well as division of labor and delegation of responsibilities, must be designed by the organization. Importantly, the vendor must not be able to make changes in this structure. Changes to trust relationships must be driven by the organization.
Given fluctuation of economies, job markets, and international relations, the decision to trust the outsourced personnel and processes should not be a one-time event. Ongoing monitoring could reveal occasional lapses that might grow into bigger problems. How easy is it for the home organization to check up on the integrity and authenticity of data? Where are logs kept? Are backup copies of the logs (or the originals) sent to the home organization? What about change tracking on servers? Each of these questions should be addressed, and the answers should be written into the contractual language.
Merely making the decision to outsource partially compromises confidentiality and possession of corporate information, just as the strength of a secret decreases as soon as it is shared with a trusted confidant. The home organization must decide whether the loss of confidentiality and possession is balanced by the benefits of outsourcing. Within the United States, and in many countries with strong legal systems, laws protecting physical and intellectual property can help support this decision. The penalties enforced by the legal system serve as a deterrent to thieves, and also serve to compensate damages in the event of a successful compromise. In countries where laws protecting intellectual property are weak (or absent), this level of deterrent and compensation is not available, and the balance of risk shifts.
In June 2006, an employee at the HSBC bank call center in Bangalore, India, was arrested and charged with hacking into the bank's computers, breaching confidentiality agreements and privacy laws, and helping to steal £233,000. The accused was discovered to have been hired on the basis of forged school transcripts. According to news reports, the only criterion for hiring personnel into that call center was English-language skills.23
In the absence of strong legal backing, the organization can replace some of the deterrent, normally provided by laws, with language in the contract linking contractual compliance with payments and ongoing business relationships. The vendor should be required to meet security expectations, and the contract should specifically state that parts of the agreement (or the entire agreement) might be voided if security proves inadequate. Coupled with ongoing monitoring to catch problems before they become habitual or endemic, contractually tying security performance to the future of the relationship might prevent a damaging, large-scale loss of confidentiality or possession. And, while this kind of contractual language might not help in a foreign court, it should help protect the organization if the vendor manages to bring suit against the organization in the organization's home jurisdiction.
Controlling the risks of outsourcing any function involves planning and careful implementation, primarily focused on trust and monitoring. The advice to “trust, but verify” applies particularly to outsourcing situations, in which a vendor necessarily gains at least some level of access to the organization's internal information and systems. Planning for risks to availability requires adequate business continuity and disaster recovery planning. Training, liaison, and careful planning well in advance of the outsourcing move are required to mitigate risks to utility. Integrity and authenticity controls, as well as confidentiality and possession controls, hinge on monitoring and enforcement, which can become problematic in different legal climates. Making contracts include business consequences for falling short of security requirements can help control the shortfalls of foreign jurisdictions.
Delegating security functions to an outside vendor can increase the quality of an organization's overall security posture. This is done by leveraging the vendor's security expertise and perspective, which presumably it has acquired by providing a number of in-depth services to a large number of organizations.
Despite the media attention surrounding the outsourcing of some IT security functions, the use of a contracted guard force by organizations has been a common practice for years. As mentioned in Section 68.1.3, this is an example of insourcing: the use of contract or noncompany employees to fulfill certain business functions within physical and logical corporate boundaries.
In the last few years, organizations such as financial institutions have been nearshoring complex and costly IT security functions. This work is very challenging for any organization, as the goal is to guard production networks against a never-ending stream of continuously changing threats. Also, these security functions usually do not pass the core competency tests described in Section 68.2.2, meaning they are good candidates for outsourcing. A leading example would be 24-hour-per-day monitoring and management of firewalls and intrusion-detection systems.
A new twist on a mature outsourcing tactic is offshoring software testing for security vulnerabilities. Assuming the vendor has the necessary tools and talent, outsourcing this function appears to make sense for many of the same reasons that organizations outsource quality assurance testing for any software development project. Not only is it an opportunity to gain effectiveness, but the efficiencies (e.g., faster cycle time and lower cost) can be compelling as well.
In 2004, organizations with annual revenues over US$1 billion outsourced IT security twice as often as smaller ones. In contrast, only 9 percent of small and 8 percent of midsize companies say that outsourcing IT security is a business priority.24
But outsourcing IT security functions is making a big market even bigger. For example, Gartner forecasted the North American market for security services to grow from US$4.1 billion in 2001 to US$9.0 billion in 2006. Consulting will be the largest IT security-services segment, at 40 percent of the projected market in 2006.25 North American revenues for managed-security service providers (MSSPs), such as Counterpane (IDS monitoring) and Postini (anti-spam), will have grown about 20 percent a year from US$950 million in 2004, to US$1.7 billion in 2007.26
According to Levine, the top two reasons why organizations outsource network security are as a strategy for dealing with staffing challenges (effectiveness) and a desire for financial savings (efficiency).27
Getting the most value from a security staff is an enduring challenge. Not only must talented people be found and retained, but they must be deployed so as to gain the greatest benefits. The highest value work for a security team includes those tasks that must be done from deep within the business context such as policy setting, architecture, design, and risk management. These tasks require in-depth knowledge of a business's strategies, strengths, weaknesses, organizational structure, and culture. They are the core competencies of the corporate security team.
Given this situation, one of the best ongoing exercises a security officer or manager can perform to maximize the value of their team is to regularly ask: Are my people exclusively working on tasks that cannot be delegated to anyone else? Another way to ask this is: Are my people doing any tasks that someone with less experience and organizational knowledge could perform at the same level of competency?
An example of a situation that can benefit from outsourcing security is protecting the network in an organization with limited technical resources.
Protecting the organizational network is a demanding job. Securing network-connected digital assets (i.e., information systems) requires robust defenses against malicious hackers, viruses, worms, spyware, keystroke loggers, and denial-of-service attacks, just to name a few specific online threats. It may be difficult or impossible to find and employ enough security staff members who are both effective and efficient at dealing with all these threats.
In addition, understanding and defending against the latest threats requires constant education of staff, proactive monitoring, maintenance, and patching of the organization's network defenses. The capital expenditure for the “care and feeding” of specialized software and equipment can be very high.
Due to the nature and rapid pace of the threats, and a chronic shortage of talented people, there is an ongoing need to replace security staff. This adds expense for contract workers, decreases productivity, and increases the risk of mistakes. Keeping information assurance specialists around after you have trained them is not easy; other organizations want and need them too. Outsourcing offers one way to transfer the burden of staff training and retention to another organization.
Finally, security service providers offer competent handling of routine security activities (i.e., monitoring and maintenance of hardware and software), and they can prepare the many reports required to document compliance with corporate policies and outside regulations. With these tasks being taken care of by a vendor, organizations can focus their internal efforts and personnel on more critical, high-value IT security functions.
Despite our admonition in Section 68.4.4 to avoid outsourcing as a primary means to achieve direct cost reduction, an MSSP can offer tremendous economic efficiencies. For example, full-time security monitoring can be outsourced for significant cost savings.
A substantial challenge for all but the largest organizations is monitoring IT security 24 hours per day, seven days a week. For financial institutions in particular, this level of monitoring has become the de facto standard of due care. But providing that kind of constant vigilance is nearly impossible for many small organizations, such as community banks.
To provide 24-hour-per-day coverage with internal staff, organizations have to hire at least three full-time professionals, but would likely require twice as many to prevent staff burnout and a high turnover rate over the long term. Having backup coverage in place would require even more employees.
Managing an “average” week of 24-hour-per-day monitoring and response takes a minimum of five fully trained people. To begin with, you need one person for each of the three 8-hour shifts during the week. For weekends, the most economical approach is to have one person for each of two 12-hour shifts. Realistically, due to sickness, vacation, holidays, training, and other demands on staff, there would need to be between 8 and 10 employees to provide reliable coverage.
The economics of this situation are straightforward. In the United States, a nearshore vendor can be hired to manage a small organization's firewalls, as well as run host intrusion detection and perimeter intrusion detection, for between US$25,000 and $50,000 a year.28 In contrast, any organization in the United States would likely spend at least six times that amount on salaries alone to perform those functions with minimal staff. It is common for a highly skilled, in-house security professional to be paid between US$70,000 and US$100,000 a year in salary alone.29 Add money for benefits (20 to 50 percent of base salary) as well as facilities, equipment, and other employment costs (80 to 150 percent of base salary), and the fully burdened cost for each employee can be almost two times what they are paid in direct salary.
At one of our organizations, the fully burdened cost of all employees is calculated every quarter by taking their direct salary and adding 184 percent.30 Using this formula, the fully burdened cost of a security professional paid US$100,000 a year in direct salary is US$284,000.
An organization is best positioned to make decisions regarding IT security when it has the freshest, most complete intelligence (information concerning an enemy or possible enemy31) about emerging threats.
However, the tremendous volume of threat data being released every day can overwhelm all but the largest organizations. Even national governments struggle to keep up, and they usually have dozens or hundreds of people dedicated to gathering and analyzing data. Beyond problems of volume, there is the question of scope: It is difficult to know how any given vulnerability will be applicable to a specific system, if at all. A software maker's estimation of vulnerability severity is generic in nature; it may be more or less severe within the context of another organization. This is where an MSSP can really help.
MSSPs typically have the ability to gauge severity and spot trends based on what is happening to their other customers. One MSSP advertises that it
process[es] over a billion security events every day across more than 7,000 devices, giving our security research group unprecedented internal and external threat visibility across the globe. Using this visibility, [this vendor] maps the latest vulnerabilities and real-world threats to your infrastructure, enabling your team to prevent attacks.32
In Section 68.3.11, “the loss of corporate expertise over tasks” was mentioned as one of the risks of outsourcing. If your organization takes advantage of an MSSP's intelligence capability, and you have the opportunity and resources, a valuable provision in an outsourcing contract would be to transfer the vendor's intelligence-gathering skills to one or more employees of your organization. However, vendors may view such knowledge as proprietary.
Trust is at the heart of the question of outsourcing risks. Can you trust the vendor to whom you are outsourcing, and its employees? Internal employees cannot typically gain the kind of intimacy with these people that they can with each other. This is a barrier to the human desire and tendency to build trust with others through direct interaction and observation.
There are, of course, specific risks in outsourcing security functions. Certainly, total control of an organization's security should never be transferred to an outside vendor. Although it may be possible to delegate (i.e., outsource) some operational duties, most companies find that keeping control of critical functions is vital to a successful security program. Examples of critical functions include firewall administration, direct control over all administrative/root accounts, and direct control over security logging. However, depending on your ability to manage the risk to your organization, you may feel comfortable delegating any of these functions. At the end of the day, outsourcing IT security is a very personal decision.
Some specific risks for IT security outsourcing include:
Although outsourcing IT security functions is not very different from outsourcing any other business process, it has some unique aspects. This section describes what is different and provides specific examples. We encourage you to consult with your contracting office or other reputable and knowledgeable sources for a more thorough treatment.
As with any outsourced work, first gather your business requirements and use them to define the outcomes you expect the vendor to deliver. Normally, this information is delivered to the vendor as a statement of work (SOW). Include in your SOW only those functions that do not require intimate knowledge and experience of the specific, mission-critical functions of the organization. As discussed in Section 68.2, outsourcing should allow management to focus on its mission-critical functions; thus it is inappropriate to outsource functions that require great experience and insight in those areas.
One author of this chapter recently delegated responsibility for resetting passwords and creating user accounts to an outside vendor. The business driver to delegate was the result of an analysis of effectiveness of his internal team: There was just too much work to do for the number of employees authorized. In addition to asking whether a less experienced (i.e., less expensive) team could accomplish certain tasks, the security team also considered the risks to the organization if the work were not done correctly.
In a team decision meeting, we determined that resetting passwords and creating accounts for nonadministrative users was of sufficiently low risk that we could delegate those tasks. In contrast, we determined that performing these tasks on administrative and service accounts was too risky to delegate, so we continued to do that work. The fact that the daily volume of administrative account work was relatively low compared to nonadministrative accounts helped justify keeping those tasks in house.
When defining outcomes for operational IT security tasks, focus on the urgency and severity levels of the responses. This is typically driven by the response times required by the organization.
Once we decided to delegate resetting passwords and creating user accounts, we then asked operational business leaders what responsiveness they required. Based on their input, we assigned password resets as severity level 1, requiring no more than four hours to complete upon receipt of request. User account creation is severity level 2, requiring no more than one business day to complete upon receipt of request.
Once your SOW is complete, choose a reliable IT security vendor. Consider these points before you make your final decision:33
Once a reliable vendor is chosen, a strong, precise service-level agreement (SLA) is required. The SLA must specify outcomes desired, response times, roles and responsibilities, metrics, and other requirements. Ideally, the SLA should be written to remain relatively stable over time. Realistically, an SLA needs reliable provisions for change and conflict resolution because the requirements will change over time, no matter how much homework you do.
Include metrics in the SLA that will allow you to measure outcomes; install an independent monitoring system to validate reported metrics and to detect unauthorized behavior by vendor staff. Periodically (weekly at first, then monthly if performance warrants), review the metrics and activities with the vendor's management to ensure that work performed matches the requirements of the SLA; adjust the SLA as necessary to drop metrics that are not useful and add new metrics that are.
We monitor the vendor response times for resetting passwords and creating user accounts by examining the timestamps in the vendor's ticketing system correlated with the events written in the system logs. To ensure the vendor does not tamper with the system logs, we have many events immediately forwarded to a centralized logging server to which the vendor has no access.
Unless you have a good reason not to do so, allow the vendor to determine how it will deliver your desired outcomes. This gives the vendor the ability to determine how to maximize efficiency. Of course, a vendor is inherently motivated to do this in order to be competitive and maximize profits. Be aware that this also means the vendor has incentives to cut corners, which could result in security incidents for you.
Once the vendor has created its procedures, be sure to review and approve how the vendor will do the work. After all, security is based not just on what things you do but how you do them. The ultimate authority in the matter will be your organization's information security policy. Be careful, though, not to criticize vendors just because they do not do things the way your team would. Your priorities are to get the right outcomes with the least risk at an affordable price. Be very careful not to upset your priorities over nothing more than personal preferences.
In outsourcing password resets and account creation, we allowed the vendor to devise its own procedures. In our case, it made sense to permit this level of freedom because the vendor had tools and know-how that our team did not. For instance, we did not have an incident ticketing system, and the vendor already had one up and running. This allowed the vendor to receive, log, and assign work more efficiently than we could.
However, after some time one of the risks we noted in Section 68.6.3.10 reared its ugly head. We found that the vendor sometimes placed passwords in the ticketing system because doing so saved time (it did not have to reset the passwords every time it went into an account) and allowed the ticket to be closed more quickly. Clearly, we were not as motivated by their profit motive as by preserving our security posture. This is why we regularly monitored the vendor's ticketing system by having a console installed directly in our work area.
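The two monitoring practices just described, validating the vendor's reported response times against an independent log source and watching the ticketing system for credentials left in ticket notes, can be automated. The following is an added example written for this chapter; it is not code from the authors' organization or from any vendor. The ticket export, the key=value log records, the log year (2007), the list of administrative accounts, and the reading of "one business day" as the same clock time on the next weekday are all constructed assumptions. The log server's timestamp, not the vendor's ticket closure time, is treated as the evidence of when work was actually done, since the vendor has no access to that server.

```python
"""Independent checks on an outsourced help-desk vendor's work: SLA timing
verified against central logs, unticketed or administrative changes, and
a scan of ticket notes for embedded credentials.

All data below is constructed for this example. The log format, the ticket
export shape, the log year and the administrative-account list are assumptions.
"""
import re
from datetime import datetime, timedelta

LOG_YEAR = 2007                                # syslog lines carry no year; assumed
ADMIN_ACCOUNTS = {"root", "administrator"}     # assumed: these were never delegated
SEV1_LIMIT = timedelta(hours=4)                # severity 1: password reset within 4 hours
                                               # severity 2: account creation within 1 business day

# Constructed export from the vendor's ticketing system (vendor-controlled data).
TICKETS = [
    {"id": "T-101", "type": "password_reset", "user": "jdoe",
     "opened": "2007-03-05T09:00:00", "closed": "2007-03-05T10:15:00",
     "notes": "Reset done, user notified by phone."},
    {"id": "T-102", "type": "password_reset", "user": "asmith",
     "opened": "2007-03-05T09:30:00", "closed": "2007-03-05T15:45:00",
     "notes": "Temp password: Spring2007! set for user"},
    {"id": "T-103", "type": "account_create", "user": "bnew",
     "opened": "2007-03-05T11:00:00", "closed": "2007-03-06T10:00:00",
     "notes": "Account created per HR request."},
    {"id": "T-104", "type": "account_create", "user": "clate",
     "opened": "2007-03-05T16:00:00", "closed": "2007-03-07T17:30:00",
     "notes": "created"},
    {"id": "T-105", "type": "password_reset", "user": "dghost",
     "opened": "2007-03-06T08:00:00", "closed": "2007-03-06T08:30:00",
     "notes": "Done."},
]

# Constructed records forwarded to the central log server the vendor cannot reach.
LOG_LINES = """\
Mar  5 10:12:41 dc01 idm-audit[4411]: action=password_reset user=jdoe actor=vendor_ops ticket=T-101
Mar  5 15:40:02 dc01 idm-audit[4412]: action=password_reset user=asmith actor=vendor_ops ticket=T-102
Mar  5 15:41:10 dc01 idm-audit[4413]: action=password_reset user=root actor=vendor_ops ticket=none
Mar  6 09:58:30 dc01 idm-audit[5120]: action=account_create user=bnew actor=vendor_ops ticket=T-103
Mar  7 17:25:00 dc01 idm-audit[5121]: action=account_create user=clate actor=vendor_ops ticket=T-104
"""

LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<kv>.*)$"
)
# Credential-looking fragments in free text, e.g. "password: hunter2" or "pwd=abc".
CRED_RE = re.compile(r"(?i)\b(?:password|passwd|pwd|pass)\s*[:=]\s*\S+")


def parse_log_line(line):
    """Return a dict of key=value fields plus a 'ts' datetime, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {int(m['day'])} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    fields["ts"] = ts
    return fields


def add_business_days(start, days):
    """Advance start by the given number of weekdays (Saturday/Sunday skipped)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def deadline_for(ticket):
    """SLA deadline from the time the request was received."""
    opened = datetime.fromisoformat(ticket["opened"])
    if ticket["type"] == "password_reset":
        return opened + SEV1_LIMIT
    return add_business_days(opened, 1)


def check_vendor_work(tickets, log_text):
    """Correlate tickets with log events; return a list of (finding, reference)."""
    events = [e for e in map(parse_log_line, log_text.splitlines()) if e]
    by_ticket = {e["ticket"]: e for e in events if e["ticket"] != "none"}
    ticket_ids = {t["id"] for t in tickets}
    findings = []
    for t in tickets:
        ev = by_ticket.get(t["id"])
        if ev is None:
            findings.append(("no_log_evidence", t["id"]))     # closed ticket, no system change seen
            completed = datetime.fromisoformat(t["closed"])  # fall back to vendor's own claim
        else:
            completed = ev["ts"]                             # log server is authoritative
            if ev["user"] != t["user"]:
                findings.append(("user_mismatch", t["id"]))
        if completed > deadline_for(t):
            findings.append(("sla_breach", t["id"]))
    for ev in events:
        if ev["ticket"] not in ticket_ids:
            findings.append(("unticketed_change", ev["user"]))
        if ev["user"].lower() in ADMIN_ACCOUNTS:
            findings.append(("admin_account_touched", ev["user"]))
    return findings


def scan_notes_for_credentials(tickets):
    """IDs of tickets whose notes contain a credential-looking fragment."""
    return [t["id"] for t in tickets if CRED_RE.search(t["notes"])]


if __name__ == "__main__":
    for finding in check_vendor_work(TICKETS, LOG_LINES):
        print("finding:", *finding)
    print("tickets with credentials in notes:", scan_notes_for_credentials(TICKETS))
```

Each finding maps to a review topic from the text: "sla_breach" is the metric to bring to the weekly or monthly vendor meeting, "no_log_evidence" and "unticketed_change" are the signs of tampering or work done outside the agreed process that independent monitoring exists to catch, "admin_account_touched" flags a task that was deliberately not delegated, and the credential scan catches the password-in-ticket shortcut described above before the ticket is closed.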
Finally, be sure to include a strong penalty provision in your SLA to deter careless mistakes by the vendor. If your monitoring tools are effective, you will know about mistakes before the vendor does. Be thoughtful, though, because you do not want to deter the vendor from reporting those mistakes. The point of discussing a mistake should not be to punish as a first recourse, but to correct the vendor in the hope that it will grow in competence and become a better steward of your security work.
Organizations should consider their decision to outsource security in terms of the organization's overall outsourcing strategy, and should determine whether the organization has the skill sets and tools necessary to manage the outsourcing relationship. Also, they must realize that contract management skills will be the primary management tool, not IT management expertise.
Ongoing monitoring by the outsourcing organization will be required. Organizations cannot take for granted the presence and effectiveness of monitoring activity. Provisions must be made to ensure that organizations get the services they are paying for. Should the vendor fail to deliver the services, the organization should be prepared to perform the work once again, quickly and effectively. Once confidence in an IT security vendor has been lost, the vendor's administrative access should be revoked as soon as possible.
Refer to Section 68.4 of this chapter, controlling the risks of IT outsourcing, for more advice.
Outsourcing is a new term for an old concept: We humans have always liked to do what we are good at doing, relying on the skills of others to fill in the gaps in our competencies. We outsource tasks to concentrate on being more effective at our core skills, and we hope to become more efficient as a result. Types of outsourcing—insourcing, nearshoring, offshoring—differ based on how far from the parent organization the outsourcing vendor operates, but there are other much more significant differences when evaluating the risks of outsourcing.
Many organizations have saved significant amounts of money by outsourcing some functions. Hindsight, however, shows that many organizations that outsource solely to save money find themselves with significant problems caused by a lack of careful evaluation of outcomes and risks. Proper planning should include:
Any organization that looks at all these issues well in advance of an outsourcing decision stands a good chance to succeed, despite the potential pitfalls.
The keys to mitigating risks in any outsourcing project—careful planning and constant vigilance—are particularly applicable if security functions are the subject of an outsourcing decision. Depending on the security stance and regulatory environment of the home organization, some security functions may be able to be outsourced in a way that does not put the organization at unacceptable risk. In the end, the great care required to outsource security functions properly has the potential to improve security throughout the organization, and perhaps even make security easier to do well at a vendor site than at the home organization.
Axelrod, C. W. Outsourcing Information Security. Norwood, MA: Artech House, 2004.
Carmel, E., and P. Tjia. Offshoring Information Technology: Sourcing and Outsourcing to a Global Workforce. Cambridge, UK: Cambridge University Press, 2005.
Cohen, L., and A. Young. Multisourcing: Moving Beyond Outsourcing to Achieve Growth and Agility. Cambridge, MA: Harvard Business School Press, 2005.
Cooney, M. “Can You Trust China for Outsourcing?” Network World, May 29, 2006. http://www.networkworld.com/columnists/2006/052906edit.html.
Cullen, S. Intelligent IT Outsourcing: Eight Building Blocks to Success. Woburn, MA: Butterworth-Heinemann, 2003.
Dara, N. “Cyber Crime Comes of Age as Foreign Plugs Sell Secrets,” DNA India, October 19, 2005; http://dnaindia.com/report.asp?NewsID=6411.
Greaver, M. F. Strategic Outsourcing: A Structured Approach to Outsourcing Decisions and Initiatives. New York: AMACOM, 1999.
Koulopoulos, T. M., and T. Roloff. Smartsourcing: Driving Innovation and Growth Through Outsourcing. Avon, MA: Platinum Press, 2006.
Power, M. J., K. Desouza, and C. Bonifazi. The Outsourcing Handbook: How to Implement a Successful Outsourcing Process. London, UK: Kogan Page, 2006.
Sood, R. IT, Software and Services: Outsourcing and Offshoring. Austin, TX: AiAiYo Books, 2005.
Stees, J. Outsourcing Security: A Guide for Contracting Services. Woburn, MA: Butterworth-Heinemann, 1998.
Vashistha, A. The Offshore Nation: Strategies for Success in Global Outsourcing and Offshoring. New York: McGraw-Hill, 2006.
1. M. Cooney, “Outsourcing Bonanza 2006: 8 Outsourcing Trends You Need to Know About,” Network World, December 13, 2006; www.networkworld.com/news/2006/121306-outsourcing-trends.html.
2. M. Cooney, “Government Agency Outsourcing Firms Don't Respect Private Data, GAO Reports,” Network World, April 5, 2006; www.networkworld.com/news/2006/040506-gao-outsourcing.html.
3. Dan Twing, “10 Reasons Why Small Businesses Should Consider Outsourcing,” Network World, July 5, 2006; www.networkworld.com/newsletters/asp/2006/0703out1.html?page=1.
4. T. L. Friedman, The World Is Flat: A Brief History of the Twenty-first Century (New York: Farrar, Straus and Giroux, 2006), pp. 48–172.
5. G. Hamel and C. K. Prahalad, “The Core Competence of the Corporation,” Harvard Business Review 68, No. 3 (May-June 1990): 79–93.
6. “Tempted by the Call of the East,” Mortgage Strategy, August 22, 2005, p. 3.
7. S. Thurm, “Behind Outsourcing: Promise and Pitfalls,” Wall Street Journal, February 27, 2007.
8. D. E. Levine, “Farming Out Network Security: Outsourcing might save you money if you choose your provider with care,” Security Technology & Design (May 2005); www.securityinfowatch.com/print/Security-Technology-and-Design/Network-Security/Farming-Out-Network-Security/4256SIW2 or http://tinyurl.com/5fshta.
9. Levine, “Farming Out Network Security.”
10. Duke University/Archstone Consulting LLC Offshoring Research Network 2004 and 2005 surveys; Duke University/Booz Allen Hamilton Offshoring Research Network 2006 survey. As reported by Mary Brandel, “Offshoring Grows Up,” Computerworld, March 12, 2007; www.computerworld.com.au/index.php/id;1922874537 or http://tinyurl.com/5zw7ph.
11. D. Winkelman, D. Dole, L. Pinkard, J. Molloy, D. Willey, and M. Davids, “The Outsourcing Source Book,” Journal of Business Strategy 14, No. 3 (May-June 1993): 52.
12. D. Twing, “Reviewing the Security Aspect of Outsourcing,” Network World Outsourcing Newsletter, September 7, 2005.
13. K. Evans-Correia, “Outsourcing on Verge of Cultural Evolution,” SearchCIO.com, April 18, 2006; http://searchcio.techtarget.com/news/article/0,289142,sid182_gci1179791,00.html or http://tinyurl.com/65blch.
14. “Mumbai Blasts Should Not Affect Investments to India,” IDG News Service, July 12, 2006; http://www.itworld.com/Man/2701/071206mumbai/pfindex.html.
15. M. Cooney, “No Outsourcing Today: Strike Closes India's Tech Center,” Network World, October 5, 2006; www.networkworld.com/news/2006/100506-strike-closes-india-tech-center.html or http://tinyurl.com/55pcpx.
16. Associated Press, “20,000 Vietnamese Workers Go on Strike at Nike Contract Factory,” April 1, 2008; www.iht.com/articles/ap/2008/04/01/news/Vietnam-Nike-Strike.php or http://tinyurl.com/6jeru8.
17. F. Fallone, “Overview Child Laborers,” IHS Child Slave Labor News, 2005; http://ihscslnews.org/view_article.php?id=54.
18. (ISC)2, International Information Systems Security Certification Consortium: www.isc2.org.
19. We owe a lot to Donn Parker for this new way to look at information assurance. See Chapter 3 in this Handbook for his description of these security elements.
20. H. Timmons, “Cut Cable Disrupts Web and Phones in India and Middle East,” International Herald Tribune, January 31, 2008; www.iht.com/articles/2008/01/31/technology/net.php.
21. See, for example, A. Eunjung Cha, “New Law Gives Chinese Workers Power, Gives Businesses Nightmares,” Washington Post, April 14, 2008; www.washingtonpost.com/wp-dyn/content/article/2008/04/13/AR2008041302214.html or http://tinyurl.com/6x7zzn.
22. See, for example, J. Markoff, “Encryption Tool Rekindles Security Debate,” International Herald Tribune, May 21, 2006; www.iht.com/articles/2006/05/21/business/privacy.php.
23. K. V. Subramanya, “HSBC Scam: U.K. recipient of data is of Indian origin,” The Hindu, June 30, 2006; www.hindu.com/2006/06/30/stories/2006063002920700.htm or http://tinyurl.com/45u23s.
24. G. V. Hulme, “Job Security Curtails Security Outsourcing,” InformationWeek, July 28, 2003; www.informationweek.com/news/software/showArticle.jhtml?articleID=12803139 or http://tinyurl.com/6cb3kk.
25. C. Costanzo, “Internet Security: Outsource or go it alone?” Community Banker 14, No. 6 (June 2005); http://findarticles.com/p/articles/mi_qa5344/is_200506/ai_n21373311/pg_1 or http://tinyurl.com/6n7c2m.
26. Costanzo, “Internet Security.”
27. Levine, “Farming Out Network Security.”
28. Costanzo, “Internet Security.”
29. Costanzo, “Internet Security.”
30. This calculation was current in March 2007. The formula described and the 184 percent figure are the result of our consultation with the finance department at one of the author's employers. The name of the employer is being withheld to protect their confidentiality.
31. Merriam-Webster's Collegiate Dictionary, 11th ed. 2004, p. 650. Also online at www.merriam-webster.com/dictionary/intelligence.
32. Secure Works, “Threat Intelligence Service,” www.secureworks.com/services/threat_intelligence.html.
33. J. Mears, “Is Security Ripe for Outsourcing?” Network World, August 23, 2004; www.networkworld.com/news/2004/082304outsecure.html or http://tinyurl.com/6yc3tl.