As organisations pursue cost savings and operational efficiencies with their existing business processes, they often turn to service providers either in their home countries or abroad to reap additional savings. Alternatively, some organisations choose to move their operations to off-shore locations but retain control over their infrastructure, staff and processes.
In either case, organisations need to manage the risks associated with safeguarding their assets and their information while complying with the regulations and laws that govern their industry.
All business initiatives have an associated degree of risk. The risk associated with safeguarding the confidentiality, integrity and availability of information assets is a component of the overall business risk picture for all organisations. Ensuring that people, processes and technology are properly managed to address this risk is a challenge faced by information security professionals. There are, however, some unique risks associated with outsourcing that need to be addressed by various organisational stakeholders. These risks include:
- Political and country risk: if the outsourcing is going to be done in a country other than the country in which the sourcing organisation is located, it may be necessary to examine the political environment of the service provider's country.
- Cultural risk: introduced by language differences, varying communication protocols, differing work ethics and cultural norms. Organisations may be exposed to different ethical attitudes towards information sharing.
- Contractual risk: if contracts are not specific or flexible enough to accommodate changes in the business environment, the organisation may face risks. In addition, enforcing the contracts may be difficult if the service provider is located outside the organisation's home country.
- Operations risk: organisations face the risk of sub-par level service quality, cost overruns or business interruptions. Information security risk and compliance risks are often subsumed under operational risk.
- Compliance risk: the sanctions and/or material loss of any kind that any organisation may experience if it fails to comply with the set of laws, industry standards and internal requirements that govern its environment/sector. For the purpose of this definition, reputational risk is considered part of material risk.
- Business continuity risk: the risk associated with an organisation's ability to recover and/or restore partially or completely interrupted critical functions within a predetermined time after a disaster or extended disruption.
Organisations need to develop a strategy for understanding and managing these risks, which are dynamic and fluid. There is an inverse relationship between the degree of control and ownership and the amount of risk; the risk associated with outsourcing increases as the degree of ownership and control over business processes is diminished.
That said, risks can be effectively managed with governance programmes and with programme management offices that provide oversight and management of all elements of the outsourcing initiative. Whether outsourcing a specific function or a range of operations, attention must be paid to ensure that all aspects of the decision are analysed and documented. Various outsourcing lifecycles to manage outsourcing initiatives have emerged as organisations increasingly participate in outsourcing activities. Nearly all of them share a common theme: information security controls need to be part of any and all outsourcing activities.
Information security professionals often speak of an "information security outsourcing lifecycle". This approach to outsourcing, that is, examining the lifecycle from an information security practitioner's perspective, is typically not adopted by most organisations, as the decision to outsource is a business decision driven by a focus on cost savings, not necessarily risk management. Instead, a more effective approach to ensuring that information security risk is addressed is one where information security practitioners integrate their requirements and recommendations into the "business" outsourcing lifecycle process.
The likelihood of an organisation following a methodical and logical process to manage its outsourcing/off-shoring efforts depends on the organisation's maturity in this space. Most organisations do not have a formal, documented process for managing outsourcing/off-shoring. And generally, information security professionals are not engaged, if they are engaged at all, until well into the process.
In an effort to manage the extremely high cost to organisations associated with retro-fitting information security controls into an outsourced/off-shored agreement, organisations are increasingly searching for best practices and adopting an outsourcing/off-shoring lifecycle: a series of methodical steps which, if followed, can streamline the process of engaging a third party to provide services for an organisation.
The lifecycle outlined below represents a common sense view to help manage the complexities associated with outsourcing. Although there is no "one size fits all" answer for effectively managing outsourcing initiatives, following the steps while customising them to suit the organisation's particular culture may lead to effective outsourcing.
The outsourcing lifecycle has four stages each with its own series of actions. These include: preparation, implementation, operation and review.
Preparation
The journey begins with strategy development. During this step, senior and business management evaluate and determine whether it may be profitable for the organisation to outsource, off-shore outsource or create an off-shore captive centre. The business then creates a strategic steering committee to manage the exploratory initiative, establishes an outsourcing project management office (PMO) to govern and operate the exploratory initiative, and determines which business/IT functions may be profitably outsourced, off-shore outsourced or managed by an off-shore captive centre.
Traditionally, information security has no involvement at this stage of the process, nor at the next step the organisation takes, which is the development of the business case. Multiple stakeholders are involved during this step. The PMO identifies all relevant stakeholders and all aspects of risk to be managed if functions are outsourced, and performs a detailed cost benefit analysis to determine which option makes the most sense. In addition, there needs to be legal analysis of the regulatory compliance implications of outsourcing, off-shore outsourcing and off-shore captive centre operations. Senior management then makes the final decision about which business/IT functions to outsource, off-shore outsource or develop in an off-shore captive centre.
In a mature organisation, information security begins to get involved at the next stage — scope definition. Multiple stakeholders participate in defining the scope of activities to be undertaken. The PMO identifies all processes, operations, technology and applications associated with the functions to be outsourced, as well as the processes, operations, technology, applications, etc. that will be retained. Information security performs risk assessments to address the confidentiality, integrity and availability of the information assets to be outsourced.
Partner selection and negotiation of the contract make up the next step in the journey — structuring the deal. Multiple stakeholders are involved in this step, which covers the selection process and the crafting of the Request for Proposal (RFP) to outline requirements and identify metrics to measure success. Legal then ensures all relevant terms and conditions clauses are in the contract. Once a provider is identified, negotiation takes place and the contract is eventually signed.
Implementation
After the decision is made to outsource, the organisation begins the transition of the functions to be delivered by the service provider. The PMO plans and manages the transition schedule, begins to transition the function to the service provider and creates a process to do ongoing cost benefit analysis. Information security builds security into processes, builds an incident reporting/management process and builds a process for ongoing monitoring (security and compliance). Information security should be heavily involved at this stage of the process.
Operation
Ongoing management and maintenance of the outsourced services is performed by several stakeholders, although overall coordination is done by the PMO, which implements an ongoing cost benefit analysis process, updates existing processes and operations to manage the retained organisation, and manages the partnership relationship through meetings and a reporting structure. Information security performs an in-depth site audit of the selected service provider's security control environment, performs annual (or more frequent) audits of the service provider, implements an incident reporting/management process, implements ongoing monitoring processes and manages the relationship with authorities.
Review
As the contract draws to a close, an organisation may choose to renew or exit the contract. If the organisation chooses to renew the contract and continue its relationship with the service provider, the PMO must evaluate the success of the outsourcing initiative (financial, operational, regulatory, etc.); legal must re-negotiate terms as needed; and senior management must determine whether to renew the contract.
If an organisation decides to terminate the relationship with the service provider and re-acquire the functions, it is necessary to manage the transition process. The PMO must plan the transition process; legal must validate IP ownership as defined in the contract; and information security must perform a risk analysis of the functions and processes to be re-integrated into the organisation and audit the service provider to ensure all data is retrieved.
Information security has a significant contribution to make to this outsourcing/off-shoring lifecycle. The contributions include but are not limited to performing risk assessments to address confidentiality, integrity and availability of information assets to be outsourced, analysing the security controls of the short list of service providers and performing in-depth site audits of the selected service provider's security control environment.
Failure to involve information security at the various points in the outsourcing/off-shoring lifecycle may result in higher costs for retroactive controls implementation, insufficient and non-empirical metrics and performance standards, disputes over intellectual property ownership, not knowing that the service provider has subcontracted the function to another provider, difficulty managing cross-border data flow issues and inadequate security of intellectual property.
Organisations need to be prudent in their pursuit of cost savings and efficiencies. The strategies that maximise profit must include risk management and compliance components. Senior management needs to ensure that the potential benefits associated with outsourcing are balanced with the costs associated with risk management. Including security and compliance considerations into the outsourcing lifecycle will ensure that common pitfalls are avoided.