Copyright © 2015 M. E. Kabay. All rights reserved.

OUTSOURCING
CSH6 Chapter 68, "Outsourcing & Security"
Kip Boyle, Michael Buglewicz, & Steven Lovaas

Topics
- Introduction
- Why Outsource?
- Can Outsourcing Fail?
- Controlling the Risks
- Outsourcing Security Functions

Introduction
- Opening Remarks
- Definitions
- Distinctions
- Insourcing
- Nearshoring
- Offshoring

Opening Remarks (1)
- "Outsourcing" encompasses different concepts
  - Need different risk-management strategies
- Outsource for efficiencies & effectiveness
- Consequences: environment can change fast
- Key issues for early 21st century for outsourcing:
  - Security problems
  - China's rise
  - India's growth & turmoil
  - Blunders
  - H-1B visa problems
  - Small business outsourcing
  - Managed services

Opening Remarks (2)
- Benefits possible:
  - Self-knowledge improves when forced to articulate needs, mission
  - Clarify / institutionalize roles, goals, metrics
  - Risk identification & mitigation
  - Focus on core competencies
  - Effectiveness
  - Efficiencies
  - Focus
  - Discipline
  - Cost savings

Definitions
- Vendor / contractor: arm's-length entity that provides specific outsourced service(s)
- Organization / business: entity contracting for products / services with vendor
- Outsourcing: fulfillment of specific business function(s) by contracting with vendor to perform in vendor's facilities
- Insourcing: use of contract / non-company employees for specific in-house functions

Distinctions
- Many applications of out/insourcing possible
  - Call center
  - Corporate IT
  - Corporate finance
  - Corporate security
- Must not impose one rigid framework
  - Different needs imply different priorities & methods
- Identify core business missions
  - Consider moving non-core functions outside, or hiring contractors

Insourcing
- Commonplace to hire contractors
- Risks
  - Workplace for outside employees is inside security perimeter
    - High potential for abuse if contractor dishonest
  - May not have same trust in contractors as in employees
  - Plan for coping with errors by contractors
  - May need specific / separate security classifications for employees, contractors
  - Contractors may fail to comply with regulatory / legal requirements if policies unclear

Nearshoring
- Outsourcing specific discrete business function to
  - Same geographical region
  - Nearby region
  - Bordering region
- E.g., US nearshoring could include contracting out to US firm, or Canadian or Mexican firms
- Many large companies nearshore services
  - EDS Agile, HP SMB Services, IBM Express Advantage

Offshoring
- Outsourcing specific, discrete business functions to vendor on another continent
  - E.g., EU company outsources a function to Indian company
- Considerable emotion in discussions
- Important to evaluate possibilities carefully
  - Understand your business
  - Articulate outsourcing / nearshoring / insourcing goals
  - Clear analysis of risks & management issues

Why Outsource?
- Effectiveness vs Efficiency
- Being Effective
- Being Efficient

Effectiveness vs Efficiency
- Efficiency: using optimal resources for specific task
- Effectiveness: getting the work done as intended

Being Effective (1)
- Optimizing processes outside core competency is wasteful
- Core competencies
  - Mission-critical tasks / functions
  - Directly related to strategic goals
    - E.g., hospital / restaurant considers cleanliness mission-critical
  - That organization good at _____
    - E.g., for specific firms,
      - Brand management
      - Continuous improvement
      - Superior retail service
      - Supply chain management
      - Look / feel of products

Being Effective (2)
- Core competency requirements
  - Can be used to develop entirely new products / services
  - Provides significant customer benefits
  - Difficult for customers to duplicate
    - At least for a time
- Core competency can provide competitive advantage(s)
  - Therefore all other functions are candidates for outsourcing
  - Focus resources on what counts

Being Efficient
- Measuring efficiency
  - Direct cost minimization
    - E.g., UK companies save ~40% of costs by using labor in India
    - Save £10M for every 1,000 jobs outsourced
- Benefits of outsourcing
  - Decreased capital investment
  - Decreased fixed costs
  - Increased variable costs vs fixed costs
    - Pay by volume of service / products
  - Increased speed / reduction in work cycle time
  - Management focus: emphasize competitiveness

Can Outsourcing Fail?
- Yes, Outsourcing Can Fail
- Why Does Outsourcing Fail?
- Universal Nature of Risk
- Clarity of Purpose & Intent
- Price
- Social Culture
- International Economics
- Political Issues
- Environmental Factors
- Travel
- Labor
- Additional Risks

Yes, Outsourcing Can Fail
- JP Morgan Chase (2004)
  - Terminated US$5B contract with IBM
- EDS (Electronic Data Systems)
  - Terminated US$1B contract to run Dow Chemical phone / computer networks

HealthCare.gov Failure (1)
http://www.inquisitr.com/1211143/kathleen-sebelius-admits-obamacare-website-was-not-ready/

HealthCare.gov Failure (2)

Deloitte Consulting 2005 Study
- "Calling a Change in the Outsourcing Market"
- Interviews with 25 large organizations in 8 sectors
- 70% of respondents looking more cautiously at outsourcing due to bad experiences
- 25% canceled outsourcing when promised savings / higher efficiency failed
- 44% saw no cost savings

Why Does Outsourcing Fail?
- Danger when focusing primarily on cost reduction
  - But in 2004-2006, rate of cost-savings as primary driver rose from 70% to 80% of respondents
  - But including effectiveness can change evaluation
- Problems
  - Measuring performance difficult
  - Failure to create win/win situation
  - Difficult to align goals of organization & vendor
  - Must master new / more complicated communications
  - Maintaining sufficient knowledge / skill in outside workforce
  - Insecurity perceived by internal employees & unions
  - Contract termination can be disruptive to clients (lower QoS)

Universal Nature of Risk
- Greatest cost: ignorance
- Greatest price: failure
- Poorly defined expectations / poor planning = doom
- Planning
  - IA team should assess entire outsourcing project
    - IA not only team involved
    - But must not restrict IA merely to technical details
  - Liability remains with firm, not outsourcing provider

IA Review of Proposals
- What information assets at risk?
- Value / sensitivity of assets
- Current / future "risk shadow" due to outsourcing?

Clarity of Purpose
- Must articulate tasks
  - Rely on employees to define specifics
  - Conflict of interest: often those defining tasks are ones to be fired after outsourcing!
- Phases
  - Analysis: define / document work
  - RFI (request for information)
  - RFP (request for proposal)
  - Vendor selection
  - Training
- Focus on mutually beneficial vendor relations

Risks Related to Clarity of Purpose
- Poor identification / definition of task(s)
- Employees defining tasks may be training their replacements
  - Workforce reduction traumatic
    - Uncertainty
    - Unrest
    - Resentment
  - Lowered morale may have consequences
    - Lost productivity (water-cooler discussions)
    - Insider sabotage

Price
- Beware paper-thin profit margins
  - Vendor must also survive and profit
  - Otherwise see constant corner-cutting
- Beware short-term profit evaluations
  - Take long-term view
  - Client must see significant long-term profit

Social Culture
- Vendor must cope with client culture
- Be conscious of social norms across international boundaries
- Client must evaluate differences in beliefs / attitudes / behaviors
  - Especially important for outsourced client contacts such as technical support
  - Parkerian Hexad: particularly timeliness
  - Some hostility developing in USA towards foreign accents (e.g., Indian) in support

International Economics
- Keep long-term economic developments in mind
  - Collapsing economy may terminate contracts
  - Vendor may go out of business
  - Social disruption may stop all business
- Once functions outsourced, business continuity affected if supplier fails
- Changes in exchange rate may affect costs if contract fails to stipulate client's currency for charges

Political Issues
- Graft / bribery vs national laws (e.g., US legal restrictions on such payments)
  - Foreign Corrupt Practices Act of 1977 (FCPA) (15 U.S.C. §§ 78dd-1, et seq.)
- Opposing political forces' attitudes to outsourcing vendors
- Terrorism causing increasing concerns for vendors & clients
  - E.g., Taliban defines anyone doing business with US / Intl armed forces as targets
- Rule of law: is there any (e.g., China, Burma)?

Environmental Factors
- How likely are natural disasters in remote location?
- Could natural disaster trigger political collapse?
- What is host country's capacity for recovery from environmental disaster?
- Will regional infrastructure cope with disruptions to maintain QoS / SLA?

Travel
- Employees will have to visit vendor or client
  - Training
  - Quality control
  - Management coordination
- Keep in mind
  - Travel costs ($$, productivity, morale)
  - Employee safety / health (food, disease, war, insurrection, kidnapping)
  - Delays for travel documents (e.g., visas)

Labor
- Risks
  - Turnover (requiring more training)
  - Escalating wages
  - Work stoppages
  - Cost growth
- Examine history & forecasts
  - Supply of workers
  - Worker exploitation (may violate client country's laws & affect public image, employee morale, or lead to boycotts)

Additional Risks
- Loss of corporate expertise
- Loss of direct control
- Internal changes in corporate purpose
  - Moving from doers to managers of doers
- Overhead of ongoing contract management

Controlling the Risks
- Controls on What?
- Controlling Outsourcing Risk
- Availability Controls
- Utility Controls
- Integrity & Authenticity Controls
- Confidentiality & Possession Controls
- Making the Best of Outsourcing

Controls on What?
- Players
  - People
  - Corporations
  - Societies
  - Governments
- Focus primarily on organizational behavior
  - Policies, contracts, agreements, trust relations critical
  - Information security policy critical
  - Coordinate with legal dept: contracts / site selection / politics / economics / separation of duties

Controlling Outsourcing Risk
- Use Parkerian Hexad as framework for analysis / remediation
  - Confidentiality
  - Control or Possession
  - Integrity
  - Authenticity
  - Availability
  - Utility

Availability Controls & Outsourcing
- Infrastructure can be determinant
  - E.g., trans-Pacific cable cut Feb 2007
    - Most of Asia inaccessible to North America via Internet
  - Distance increases risk of interruption
- Backup strategy critical
  - BCP essential for vendor & client sites
  - Consider backup vendor contracts
- SLA may be unenforceable if no rule of law
  - Evaluate possible vendor(s) carefully
    - Site visits
    - News / government reports
  - Monitor situation in vendor locale continuously

US Dept of State Country Reports
http://www.state.gov/countries/

Utility Controls & Outsourcing
- Careful version control
- Encryption recovery (for forgotten keys)
  - Beware national / international restrictions on encryption technologies
- Beware incompatible formats
- Language issues
  - Accents
  - Word usage
  - Writing

Integrity & Authenticity Controls & Outsourcing
- Prevent unauthorized or accidental modifications
- Analyze vendor's history / reputation
  - But effective collaboration may require access to sensitive corporate data
- Trust infrastructure
  - Access control mechanisms
    - RBAC (role-based access control) / least privilege important
  - Division of labor
  - Delegation of responsibilities
  - Vendor must not be able to change structure
- Monitoring incorporated into contracts
  - Audits, preferably unannounced
  - Where are backups kept?
  - Change-tracking on servers

Confidentiality & Possession Controls & Outsourcing (1)
- Outsourcing inherently compromises confidentiality & control
  - Decide if balance is positive
  - Laws may protect balance, if there is in fact rule of law on both sides
- HSBC call center, Bangalore, India, 2006
  - Employee arrested
  - Hacked into bank's computers
  - Stole £233,000
  - Hired because of forged high-school transcripts
  - Only criterion for hiring was English skills

Confidentiality & Possession Controls & Outsourcing (2)
- Constant monitoring / audit
  - Clear terms of contract
  - Unannounced audits
  - Monitor log files, real-time security tools
- May replace absent laws by contract terms
  - Failure of security = termination of contract
  - May not help if legal process in vendor's country
  - But could help in client's country
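The slide above says to monitor log files for vendor activity and to write the contract terms clearly enough that a breach of them is detectable. The following Python script is an added example, not code from the CSH6 chapter or these slides: it checks each vendor-account event in an access log against a statement-of-work scope table (permitted systems, contracted support hours, approved source countries) and reports every exception for the audit file. The log format, the `vnd-` account-naming convention, the SOW scope table and the sample log lines are all constructed for illustration.

```python
"""Audit vendor-account events in an access log against contract (SOW) terms.

Added example, not from the chapter or slides. The log format, the 'vnd-*'
naming convention, the scope table and the sample lines are constructed.
"""
from datetime import datetime, time, timezone

# Constructed SOW scope: systems each vendor account may touch and the
# contracted support window (UTC). Anything outside is an audit exception.
SOW_SCOPE = {
    "vnd-helpdesk": {"systems": {"ticketing", "directory"},
                     "hours": (time(6, 0), time(22, 0))},
    "vnd-monitoring": {"systems": {"siem"},
                       "hours": (time(0, 0), time(23, 59, 59))},
}
APPROVED_SOURCE_COUNTRIES = {"IN", "US"}

# Constructed log lines: timestamp|account|system|action|source_country
SAMPLE_LOG = """\
2015-03-02T08:15:00Z|vnd-helpdesk|ticketing|read|IN
2015-03-02T09:02:11Z|vnd-helpdesk|hr-payroll|read|IN
2015-03-02T23:40:05Z|vnd-helpdesk|directory|reset_password|IN
2015-03-02T10:30:00Z|vnd-monitoring|siem|read|US
2015-03-02T10:31:00Z|vnd-monitoring|siem|read|RU
2015-03-02T11:00:00Z|vnd-unknown|directory|read|IN
2015-03-02T11:05:00Z|jsmith|hr-payroll|read|US
"""


def parse_line(line):
    """Split one pipe-delimited log line into a dict with an aware UTC timestamp."""
    ts, account, system, action, country = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "account": account, "system": system, "action": action, "country": country,
    }


def check_event(ev):
    """Return the list of contract-term violations for one event ([] if clean).

    Employee accounts are governed by internal policy, not the SOW, so they
    are skipped here; an unknown vendor account is itself a finding."""
    if not ev["account"].startswith("vnd-"):
        return []
    scope = SOW_SCOPE.get(ev["account"])
    if scope is None:
        return ["account not in SOW"]
    findings = []
    if ev["system"] not in scope["systems"]:
        findings.append(f"system {ev['system']} outside SOW scope")
    start, end = scope["hours"]
    if not (start <= ev["ts"].time() <= end):
        findings.append("outside contracted hours")
    if ev["country"] not in APPROVED_SOURCE_COUNTRIES:
        findings.append(f"source country {ev['country']} not approved")
    return findings


def audit_log(text):
    """Return (account, ISO timestamp, findings) for every flagged vendor event."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        findings = check_event(ev)
        if findings:
            flagged.append((ev["account"], ev["ts"].isoformat(), findings))
    return flagged


if __name__ == "__main__":
    for account, ts, findings in audit_log(SAMPLE_LOG):
        print(f"{ts} {account}: {'; '.join(findings)}")
```

Each check maps to a clause a contract can actually state (which systems, which hours, from where), which is what makes the findings usable in an audit or as grounds for the "failure of security = termination" term rather than as a vague complaint.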
Making the Best of Outsourcing
- Careful planning
- Careful implementation
- Focus on trust & monitoring
  - "Trust, but verify"
- Plan for threats to availability
  - BCP / DRP
- Training, liaison
- Integrate security into contract terms

Outsourcing Security Functions
- Overview of Security Outsourcing
- Who Outsources Security?
- Why do Organizations Outsource Security?
- Risks of Outsourcing Security
- How to Outsource Security Functions
- Controlling Risk of Security Outsourcing

Overview of Security Outsourcing
- Can improve overall security
  - Take advantage of specialized security expertise / experience / perspective
  - Depends on vendor's history / reputation
- Contracted security-guard force commonplace
  - Example of insourcing
- Increasing use of security-service vendors
  - Nearshoring
  - Includes software testing for security vulnerabilities

Outsourcing Security (1)
The following snapshots are from the document shown here.
Link (abbreviated) is: http://tinyurl.com/opfemca

Outsourcing Security (2)

Outsourcing Security (3)

Why do Organizations Outsource Security? (1)
- Staffing challenges
  - Training & retention
  - Key to success is deep understanding of specific business
  - Should always look for ways of focusing employees on mission-critical functions
    - Distribute less taxing, routine jobs to others
  - Save on constant training costs by shifting to outsourcing firm
- Financial savings
  - Can be significant, esp. for 24-hr monitoring
  - Finding savings of 6x by outsourcing

Why do Organizations Outsource Security? (2)
- Threat intelligence / additional perspectives
  - Enormous volume of threat info
  - Difficult to keep up without full-time focus / team
  - Smaller organizations cannot keep up
- Managed System Security Providers (MSSPs) can help
  - Much larger staff dedicated to intelligence gathering / analysis
  - May be able to negotiate training for in-house staff
    - But not always: vendors may consider info proprietary

Risks of Outsourcing Security
- Conflict of interest: profit rises as detection decreases
- Where is your organization on vendor's priority list in emergency?
- Are costs determined by number of events? If so, how to monitor & prevent abuse?
- Where are vendor's employees? Offshore?
- Is theft of intellectual property & industrial espionage major issue? (e.g., China, India)
- How carefully does vendor verify employee backgrounds / qualifications?
- Who monitors vendor's employees when they are accessing your data?

How to Outsource Security Functions (1)
- SOW (Statement of Work)
  - Consider work volume when partitioning responsibilities
    - E.g., 1 case had administrative passwords stay under control of in-house staff
    - Non-administrative passwords delegated to vendor
- Determine desired outcomes
  - QoS: Quality of Service
  - SLAs: Service Level Agreements
    - E.g., reset password within 4 hours in 99% of cases
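The partition on the slide above (administrative passwords stay in-house, non-administrative resets delegated to the vendor) is an RBAC / least-privilege split, and the earlier "Integrity & Authenticity Controls" slide adds that the vendor must not be able to change the structure. The following Python module is an added example, not code from the CSH6 chapter or these slides, and it serves both slides: it models the two target classes of password reset, keeps role administration with in-house security, and produces an audit trail of every decision, denials included. The role names, the account inventory and the request format are constructed assumptions.

```python
"""Least-privilege partition of password-reset rights between in-house staff and a vendor.

Added example, not code from the chapter or slides. Role names, the account
inventory and the request format are constructed assumptions.
"""

# Constructed inventory: accounts whose passwords only in-house staff may reset.
ADMIN_ACCOUNTS = {"root-ad", "db-sa", "backup-svc"}

# Role -> set of (action, target class) permissions. A password reset is split
# into two target classes so the SOW can delegate one class without the other.
ROLE_PERMISSIONS = {
    "vendor_helpdesk": {("reset_password", "user")},
    "inhouse_admin": {("reset_password", "user"), ("reset_password", "admin")},
    "inhouse_security": {("modify_role", "role")},
}

# Roles a vendor account may ever hold. Role administration stays in-house,
# so the vendor cannot change the structure of the access-control system.
VENDOR_ALLOWED_ROLES = {"vendor_helpdesk"}


def target_class(account):
    """Classify the account being acted on."""
    return "admin" if account in ADMIN_ACCOUNTS else "user"


def is_authorized(actor_roles, action, target=None):
    """True iff one of the actor's roles carries the permission this request needs."""
    if action == "modify_role":
        needed = ("modify_role", "role")
    else:
        needed = (action, target_class(target))
    return any(needed in ROLE_PERMISSIONS.get(role, set()) for role in actor_roles)


def assign_role(actor_roles, subject_is_vendor, new_role):
    """Decide a role-assignment request; returns (allowed, reason).

    Two independent checks: the actor must hold modify_role, and a vendor
    account may only receive a role listed in the SOW."""
    if not is_authorized(actor_roles, "modify_role"):
        return False, "actor may not modify roles"
    if subject_is_vendor and new_role not in VENDOR_ALLOWED_ROLES:
        return False, f"role {new_role} not permitted for vendor accounts"
    return True, "ok"


# Constructed request stream: (actor, actor_roles, action, target, subject_is_vendor)
SAMPLE_REQUESTS = [
    ("vnd-helpdesk-07", {"vendor_helpdesk"}, "reset_password", "alice", None),
    ("vnd-helpdesk-07", {"vendor_helpdesk"}, "reset_password", "db-sa", None),
    ("ops-kim", {"inhouse_admin"}, "reset_password", "db-sa", None),
    ("vnd-helpdesk-07", {"vendor_helpdesk"}, "modify_role", "inhouse_admin", True),
    ("sec-lee", {"inhouse_security"}, "modify_role", "inhouse_admin", True),
    ("sec-lee", {"inhouse_security"}, "modify_role", "inhouse_admin", False),
]


def process_requests(requests):
    """Return an audit trail of (actor, action, target, allowed, reason) per request.

    Denials are recorded too: they are what an unannounced audit of vendor
    activity needs to see."""
    trail = []
    for actor, roles, action, target, subject_is_vendor in requests:
        if action == "modify_role":
            allowed, reason = assign_role(roles, subject_is_vendor, target)
        else:
            allowed = is_authorized(roles, action, target)
            reason = "ok" if allowed else (
                f"{action} on {target_class(target)} account not granted to {sorted(roles)}")
        trail.append((actor, action, target, allowed, reason))
    return trail


if __name__ == "__main__":
    for actor, action, target, allowed, reason in process_requests(SAMPLE_REQUESTS):
        print(f"{'ALLOW' if allowed else 'DENY':5} {actor:16} {action:15} {target:14} {reason}")
```

The design choice worth noting is that "reset_password" is not one permission but two, keyed on the class of the target account. Delegating the vendor a single coarse reset right and then trying to exclude administrators by procedure is exactly the kind of arrangement that decays; encoding the partition in the permission model makes the SOW boundary enforceable and auditable.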
How to Outsource Security Functions (2)
- Choose reliable vendor
- Evaluate
  - Financial health
  - Reliable infrastructure
  - Competent staff
  - Satisfied customers
  - Vendor independence
  - Appropriate SLA
  - Legal safeguards

How to Outsource Security Functions (3)
- SLA (Service Level Agreement)
  - Outcomes desired
  - Response times
  - Roles & responsibilities
  - Metrics
  - Statistical quality control
- Continuous process improvement
  - Ensure that vendor is free to report mistakes
  - Focus on improvement, not penalties
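"Metrics" and "statistical quality control" on the SLA slide above only mean something once attainment is computed the same way every month and judged against a control limit rather than by eye. The following Python is an added example, not code from the CSH6 chapter or these slides: it takes the slide's own SLA ("reset password within 4 hours in 99% of cases"), scores individual tickets, and then applies a 3-sigma p-chart to monthly attainment so a month can be flagged as merely below target or as statistically out of control. Still-open tickets that are not yet past their deadline are treated as pending rather than as met, which is the edge case that most often inflates a vendor-reported figure. The ticket records and the monthly batch counts are constructed.

```python
"""SLA attainment and statistical quality control for an outsourced service.

Added example, not from the chapter or slides. Uses the slide's SLA
('reset password within 4 hours in 99% of cases'); tickets and monthly
batch counts are constructed for illustration.
"""
from datetime import datetime, timedelta
from math import sqrt

SLA_HOURS = 4
SLA_TARGET = 0.99


def ticket_met_sla(opened, closed, now, hours=SLA_HOURS):
    """True if closed within the window, False if missed, None if still open
    and not yet past the deadline (pending tickets must not inflate attainment)."""
    deadline = opened + timedelta(hours=hours)
    if closed is None:
        return None if now <= deadline else False
    return closed <= deadline


def attainment(tickets, now):
    """Return (met, evaluated, rate) over tickets given as (opened, closed_or_None)."""
    met = evaluated = 0
    for opened, closed in tickets:
        result = ticket_met_sla(opened, closed, now)
        if result is None:
            continue
        evaluated += 1
        met += result
    rate = met / evaluated if evaluated else None
    return met, evaluated, rate


def p_chart(batches, target=SLA_TARGET):
    """batches: list of (label, n, met). Returns (p_bar, rows); each row is
    (label, rate, lcl, below_target, out_of_control), with the 3-sigma lower
    control limit computed from the pooled rate p_bar and that batch's own n."""
    total_n = sum(n for _, n, _ in batches)
    total_met = sum(m for _, _, m in batches)
    p_bar = total_met / total_n
    rows = []
    for label, n, met in batches:
        rate = met / n
        lcl = max(0.0, p_bar - 3 * sqrt(p_bar * (1 - p_bar) / n))
        rows.append((label, rate, lcl, rate < target, rate < lcl))
    return p_bar, rows


# Constructed tickets for one day, evaluated as of NOW.
NOW = datetime(2015, 3, 2, 15, 0)
SAMPLE_TICKETS = [
    (datetime(2015, 3, 2, 8, 0), datetime(2015, 3, 2, 10, 30)),  # closed in 2.5 h: met
    (datetime(2015, 3, 2, 8, 0), datetime(2015, 3, 2, 13, 0)),   # closed in 5 h: missed
    (datetime(2015, 3, 2, 12, 0), None),                         # open 3 h: pending
    (datetime(2015, 3, 2, 6, 0), None),                          # open 9 h: missed
    (datetime(2015, 3, 2, 9, 0), datetime(2015, 3, 2, 13, 0)),   # closed at exactly 4 h: met
]

# Constructed monthly batches: (label, tickets evaluated, tickets meeting SLA).
SAMPLE_BATCHES = [("Jan", 200, 199), ("Feb", 200, 198), ("Mar", 200, 188), ("Apr", 200, 199)]


if __name__ == "__main__":
    met, evaluated, rate = attainment(SAMPLE_TICKETS, NOW)
    print(f"day: {met}/{evaluated} met SLA ({rate:.0%})")
    p_bar, rows = p_chart(SAMPLE_BATCHES)
    print(f"pooled attainment p_bar = {p_bar:.3f}")
    for label, rate, lcl, below, out in rows:
        flag = "OUT OF CONTROL" if out else ("below target" if below else "ok")
        print(f"{label}: {rate:.3f} (LCL {lcl:.3f}) {flag}")
```

The two flags answer different questions. "Below target" is the contractual question (was the 99% promise kept?), while "out of control" is the process question (is this month's dip beyond the variation the process normally shows?); the slide's point about focusing on improvement rather than penalties is easier to act on when the two are kept separate.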
Controlling Risk of Security Outsourcing
- Contract-management skills essential
  - Ongoing monitoring by client
  - Coordination with legal department
  - Prepare for failure of SLAs or QoS
- Coordination with in-house security staff
  - Continuity of operations part of BCP
  - Be sure staff know what to do if service goes bad
- Immediate revocation of access to service-provider's copy of data & services if contract annulled
  - Especially important for high-level administrative accounts

DISCUSSION