Date post: | 22-Dec-2015 |
Category: |
Documents |
Upload: | lynn-armstrong |
View: | 214 times |
Download: | 0 times |
March 21, 2006New York, NY
DISCUSSION DOCUMENT
Outsourcing Security: Concerns GrowingOutsourcing Security Survey Findings
2
Background on the Booz Allen Hamilton Outsourcing Security Survey
As the use of outsourcing continues to grow, so too do risks to customer and company data that companies must rely on their outsourcing vendors to protect
In order to better understand how companies are managing the information security and data privacy risks of outsourcing, Booz Allen Hamilton surveyed senior executives involved in defining and managing their companies’ outsourcing strategies
The survey, which reflects the responses of 158 executives from companies across a range of industries, June-December 2005, was designed to provide insight into:– Senior Executive perspectives on the magnitude of information security risk involved in
outsourcing relationships– How companies approach the evaluation and monitoring of outsourcing vendors’ information
security capabilities– The information security and data privacy challenges that the outsourcing industry must
address in order to maintain the trust and confidence of customers and clients
The following presentation provides an initial summary of the survey results
3
Key Takeaway: Companies using outsourcing are increasingly concerned about information security
Security is an increasingly important issue among outsourcing buyers
While security is a complex issue, respondents almost unanimously agreed on the need for standards and auditing mechanisms
These mechanisms are particularly needed in some key countries where respondents do not trust the current legal and regulatory infrastructure (e.g. India, China)
Support is growing for government involvement in setting and enforcing security standards
Like financial markets, outsourcing security can benefit from public - private partnerships to provide regulations, standards and audit capabilities
Outsourcing buyers seem willing to pay a premium for improved security capabilities
Executive Summary
4
Services, pricing and security capabilities are the top three evaluation factors when selecting an outsourcing partner
117
77
74
63
51
33
17
0 50 100 150
When selecting an outsourcing partner, what are the most important evaluation factors?
Capabilities and quality of services
Pricing of service and cost savings to the company
Provider's security policies, capabilities and track record
Financial strength and business stability
Reputation, brand and references
Provider's regulatory and compliance history
Geographic factors
Note: Respondents were asked to select all that apply
5
Companies are more concerned about cyber threats than physical breaches and natural disasters
101
98
56
56
0 50 100 150
Theft, misuse or damage of company systems and data from outside the Outsource Provider
(system hacking, viruses, spyware infiltration, etc.)
Theft, misuse or damage of company systems or data from inside the Outsource Provider
Theft or damage of data or assets via compromises of physical security (break-ins, vandalism, etc.)
Compromise of operating continuity due to external factors (natural disasters, political instability, etc.)
When evaluating or managing outsourcing relationships, how concerned are you about the following type(s) of security threats?
Note: Includes only # of respondents who answered “Very Important” in each category
Note: Respondents were asked to select all that apply
Cyber Threats
Non-cyber Threats
6
Increased awareness of security risks has led many companies to review their outsourcing strategies in the last year
58%
42%
YesNo
In the last two years, have you heard of specific examples of outsourcing security
failures and/or breaches of privacy?
As a result of this knowledge, has your company reviewed its overall outsourcing
strategy in the last year?
37%
YesNo
63%
7
The security risk is perceived as significantly higher for providers with offshore operations
Do you perceive a greater or lesser risk of security threats for outsourcing providers located offshore?
28%
48%
17%
1%
Moderately Higher
Much Higher
Same
No basisfor comparison
Moderately Lower
76% of respondents consider the security risks when using offshore
providers higher than the risks associated with domestic providers
76% of respondents consider the security risks when using offshore
providers higher than the risks associated with domestic providers
2%
Much Lower4%
8
Providers with operations in India, Asia and South America are particularly challenged by a legal and regulatory perception gap
North America is seen as having the most robust legal and regulatory environment, followed by Ireland and the emerging EU countries of eastern Europe
India is seen as fair, with room to improve, as only 27% of respondents indicated that the area has a robust legal infrastructure
China, South America, and Southeast Asia were seen has having the biggest legal and regulatory gap, with 11 percent or fewer respondents indicating they had a robust infrastructure
Major FindingsWhich geographies have a robust regulatory and legal infrastructure?
% of Respondents selecting geography
Note: Respondents were asked to check all that apply
83%
52%
42%
27%
11%
9%
6%
5%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
North America
Ireland
Emerging EU
India
Southeast Asia
Other
South America
China
Challenging Regulatory and Legal
Environments
Challenging Regulatory and Legal
Environments
9
Providers’ security capabilities matter more than providers’ security budgets ….
82
78
68
63
60
33
0 20 40 60 80 100
How important are the following security factors when evaluating and managing an outsourcing relationship?
Provider’s security team (depth of expertise)
Provider’s security budget (provider’s budget on security relative to industry best
practices)
Provider’s compliance with standards and laws
Provider’s network & system security
Physical security at provider’s facilities
Provider’s personnel security policy and procedures
Note: Includes only # of respondents who answered “Very Important” in each category
Note: Respondents were asked to select all that apply
Verifiable security management capabilities
matter more than absolute spending
10
…however defining, monitoring, and integrating security management in outsourcing contracts is a growing challenge
65
58
54
31
26
22
0 20 40 60 80
Establish effective security management requirements in the contracts
Monitoring, auditing and evaluating vendor compliance with established security policy
Evaluating and implement security technology and process integration
Acquiring and maintaining the right skill sets and capabilities to manage security
Determining how much to invest in security in an outsourcing relationship
Delivering effective training in policies and procedures of Outsourcing Providers
% of respondents putting factor in top 3
Which factors present the biggest management challenges in evaluating and managing security in outsourcing relationships?
11
Companies want more 3rd party audits and independent security evaluations of outsourcing providers
105
95
89
80
39
37
0 50 100 150
Site visits and in-person audits of vendor security processes and capabilities
References from other clients
3rd party security certifications (e.g., NASSCOM)
Security industry benchmarks & analyst reports
Vendor’s security track record as reported in media, industry press
Vendor’s self-reported metrics (e.g., RFP responses)
What tools do you feel are most important to use in evaluating the security capabilities of outsourcing vendors?
Note: Respondents were asked to select all that apply
Information on vendors sought by companies (pull metrics) is
more reliable than vendor-reported metrics in RFPs or
media (push metrics)
Information on vendors sought by companies (pull metrics) is
more reliable than vendor-reported metrics in RFPs or
media (push metrics)
Pull metrics
Push metrics
12
The US government could play an increasing role in creating security and privacy regulations for outsourcing providers
Should the U.S. create specific regulations for outsourcing providers to ensure they meet commonly accepted security and privacy standards?
33%
34%
32%
Yes, across all providers, functions and service categories
Yes, but only for specific functions or service categories
No
Two thirds of respondents are open to some form of US regulation of
security standards
Two thirds of respondents are open to some form of US regulation of
security standards
13
Outsourcers should work with associations and governments to define and establish security regulations and standards…
Who should be responsible for defining and establishing the standards?
50
46
49
49
31
0 20 40 60
# of Respondents expressing preference
Customer trade groups or industry associations
Outsourcing service provider coalitions or industry associations
Government-led from within major industrialized nations (e.g. U.S., Europe)
Government-led from countries with growing outsourcing industries (e.g. India, China)
Independent experts and outside consultants
Industry associations top preference for establishing
security standards
Industry associations top preference for establishing
security standards
Industry ready for public-private partnerships for setting
standards and regulations
Industry ready for public-private partnerships for setting
standards and regulations
14
…while leveraging external auditors for monitoring
73
38
41
0 20 40 60 80
Self-enforcement and reporting at the outsourcing company level
External enforcement via regular certifications and audits by external consultants and auditors
Who should be responsible for certifying, monitoring and enforcing standards?
Nearly 2:1 preference for 3rd party audits over
self-enforcement
Nearly 2:1 preference for 3rd party audits over
self-enforcement
# of Respondents expressing preference
External enforcement via active regulation and management by government entities
15
Investments should be prioritized for security training and awareness, new technologies and improved policies/procedures
107
85
75
70
51
0 20 40 60 80 100 120
Invest in internal security training, education and awareness initiatives
Invest in new security technologies
Improve published security policies and procedures
Invest in outside, independent assessments to highlight internal security and compliance track record
Invest in new physical security and other business continuity initiatives
How do you believe outsourcing providers should prioritize their security investments?
Note: Respondents were asked to check all that apply
# of Respondents expressing preference
16
Buyers may be willing to pay a premium for improved security capabilities — challenging the industry to demonstrate ROI
Would you be willing to pay 10% to 15% more for outsourcing services if you thought it would ensure superior security?
30%
55%
15%Definitely - proven security is worth the additional cost
Maybe - would depend on comparison of security against other factors
No - additional security is either not worth the premium or it is too difficult to validate
85% of respondents may be willing to pay some premium for
improved security
85% of respondents may be willing to pay some premium for
improved security
18
Respondents viewed service disruption, loss of customer trust and brand impact, and loss of intellectual property as equally important outsourcing security risks
What do you believe are the greatest security risks and vulnerabilities to your business from outsourcing?
Disruptions in product delivery or service caused by breakdowns in mission critical business processes or functions
Loss of customer trust or relationships due to improper or fraudulent use of confidential customer data
94
91
94
92
65
5
0 20 40 60 80 100
Loss of intellectual property or other sensitive information via either accidental exposure, theft or misuse of corporate data
Brand or reputation damage that results in loss of goodwill arising from actual or perceived risk of security failures
Risk that your company is liable for improper actions of youroutsourcing provider
Other
Note: Respondents were asked to select all that apply
# of Respondents expressing preference
19
Companies are more concerned about theft or misuse of outsourced data than they are about the threat of terrorism
From your perspective, how serious is the threat of terrorism for the operations of domestic
outsourcing vendors?
LowThreat
Very Concerned
No Basis for Evaluation
Serious Threat
9%
39%
47%
15%
Moderate Threat
Somewhat Concerned
Not Concerned
63%28%
9%
Less than 50% view terrorism as a moderate – serious threat, while
91% were somewhat – very concerned about data theft or
misuse
Less than 50% view terrorism as a moderate – serious threat, while
91% were somewhat – very concerned about data theft or
misuse
How concerned are you about theft, misuse or damage of company systems and data from outside/inside an
outsource provider?
20
There is credibility gap in the security capabilities of providers, with clients in some verticals more skeptical than others
Verification of compliance 2nd most important
evaluation factor
Verification of compliance 2nd most important
evaluation factor
14%
37%
20%
30%
Yes
Half of respondents
discredit outsourcers’
security claims
Half of respondents
discredit outsourcers’
security claims
For your industry, do you find the security capability claims of outsourcing providers credible?
Yes, but onlythe largest
Maybe, but no way to verify or validate
claims
No
25%
Fin
anci
al S
ervi
ces
Go
vern
men
t
Less than half of financial services respondents trusted even the largest providers’ security capabilities
Man
ufa
ctu
rin
g 67% of manufacturing respondents found some degree of provider security claims to be credible
Government respondents were even more skeptical with less than 30% trusting all or the largest providers
15%25%
30%30%
25%
18%
36%
36%
9%
25%
24%14%
19%
43%
21
Over the next two years, respondents expect continued growth in the outsourcing market, but are generally divided on whether growth will occur in existing functions, or expand upstream
50% 45%
Fin
anci
al S
ervi
ces
36%
27%
27%
Go
vern
men
t
95% of financial services respondents expect outsourcing market growth to continue, but are divided on expansion into upstream functions
Man
ufa
ctu
rin
g
86% of manufacturing respondents expect outsourcing market growth to continue, but are divided on expansion into upstream functions
Government respondents are less certain, with almost 40% expecting market stagnation or reduction
43%43%
10%
49%
7%
38%
6%
Continued growth, but with little expansion
beyond current functions
For your industry, what do you expect in the outsourcing market in the next two years?
Continued growth and successful expansion of
outsourced functions (e.g., moving upstream into R&D)
Slowing growth or market stagnation
Reduction in the size of the market
5%
9%
5%
23
Survey Methodology
Respondent Selection Method: Invitations to participate in the study were distributed via email to a select group of contacts:
– Booz Allen current and former clients
– Other comparable senior executives gathered through selective acquisition
– Registered opt-in subscribers to email lists for knowledge@wharton and strategy+business magazine
– Participants in Outsourcing Seminar as part of Conference Board’s 2005 BPO Conference
Format: Online survey hosted by Booz Allen Hamilton
Date of Survey: June – December 2005
Number of Respondents: 158
24
83% of respondents are currently outsourcing or actively considering doing so
83%
YES
17%
NO
Is your company either currently outsourcing any functions or actively considering outsourcing?
25
Over half of survey respondents were senior executives
Responses by Function
CXO*
Procurement / Regulatory
Officer
Other
*CXO category includes Chairman, President, CEO, CFO, Controller, COO, CIO, CTO, CISO, VP Operations
53%
32%
15%
26
The 158 respondents to the survey represented 12 different industry sectors
Distribution by Industry
4%
17%
3%
2%
6% 8% 15%2%
11%
8%
9%4%
11%
Automotive
Business Services (legal, accounting, architectural, engineering design)
Communications (telecommunication, Internet services)
Computer Services
Education
Electronics
Financial Services
Government
Healthcare
Insurance
Life Sciences
Manufacturing
Other
27
Survey respondents represented companies of all sizes
Distribution by Revenue
39%
24%
18%
19%
<$100 M
$100M - $1B
$1B-$10B
>$10B+
Distribution by # Employees
42%
27%
18%
5%
8%
<1,000
1,000 - 10,000
10,000 - 50,000
50,001 - 75,000
75,000+
28
For more information regarding this survey, please contact:
Vinay Couto, Vice President, Chicago
– (312) 578-4617
Jim Newfrock, Principal, Parsippany, NJ
– (973) 630-6789
Jon Watts, Principal, New York, NY
– (212) 551-6644
Martha-Rosalind Stainton, Senior Associate, McLean, VA
– (703) 902-3815