csh6 ch68 outsourcing - m. e. kabay · defining tasks are ones to be fired after outsourcing!...

1 Copyright © 2015 M. E. Kabay. All rights reserved.

OUTSOURCINGCSH6 Chapter 68

“Outsourcing & Security”Kip Boyle, Michael Buglewicz,

& Steven Lovaas


Topics

IntroductionWhy Outsource?Can Outsourcing

Fail?Controlling the

RisksOutsourcing

Security Functions


IntroductionOpening

RemarksDefinitionsDistinctionsInsourcingNearshoringOffshoring


Opening Remarks (1)“Outsourcing” encompasses different conceptsNeed different risk-management strategiesOutsource for efficiencies & effectivenessConsequences: environment can change fastKey issues for early 21st century for

outsourcing:Security problemsChina’s riseIndia’s growth & turmoilBlundersH-1B visa problemsSmall business outsourcingManaged services


Opening Remarks (2)Benefits possible:Self-knowledge improves when forced to articulate

needs, mission Clarify/institutionalize roles, goals, metricsRisk identification & mitigationFocus on core competenciesEffectivenessEfficienciesFocusDiscipline

Cost savings


DefinitionsVendor / contractor:Arm’s-length entityProvides specific outsourced service(s)

Organization / business:Entity contracting for products / services

with vendorOutsourcing:Fulfillment of specific business

function(s)By contracting with vendorTo perform in vendor’s facilities

Insourcing:Use of contract / noncompany employees

for specific in-house functions


DistinctionsMany applications of

out/insourcing possibleCall centerCorporate ITCorporate financeCorporate security

Must not impose one rigid framework

Different needs imply different priorities & methods

Identify core business missionsConsider moving non-core functions outside Or hiring contractors


InsourcingCommonplace to hire contractorsRisksWorkplace for outside

employees is inside security perimeterHigh potential for abuse if contractor

dishonestMay not have same trust in contractors as in

employeesPlan for coping with errors by contractors

May need specific / separate security classifications for employees, contractors

Contractors may fail to comply with regulatory / legal requirements if policies unclear


NearshoringOutsourcing specific discrete business

function to Same geographical

regionNearby regionBordering region

E.g., US nearshoring could include contracting

out to US firmOr Canadian or Mexican firms

Many large companies nearshore servicesEDS Agile, HP SMB Services, IBM Express

Advantage


OffshoringOutsourcing specific, discrete business

functions to vendor on another continentE.g., EU company outsources a function to

Indian companyConsiderable emotion in discussions Important to evaluate possibilities carefullyUnderstand your businessArticulate outsourcing / nearshoring /

insourcing goalsClear analysis of risks & management

issues


Why Outsource?

Effectiveness vs EfficiencyBeing EffectiveBeing Efficient


Effectiveness vs EfficiencyEfficiency: using optimal resources for

specific taskEffectiveness: getting the work done as

intended


Being Effective (1)Optimizing processes outside core competency is

wastefulCore competenciesMission-critical tasks / functionsDirectly related to strategic goalsE.g., hospital / restaurant considers cleanliness

mission-criticalThat organization good at _____E.g., for specific firms,Brand managementContinuous improvementSuperior retail serviceSupply chain managementLook / feel of products 14 Copyright © 2015 M. E. Kabay. All rights reserved.

Being Effective (2)Core competency requirementsCan be used to develop entirely new

products / servicesProvides significant customer

benefitsDifficult for customers to duplicateAt least for a time

Core competency can provide competitive advantage(s)Therefore all other functions

candidates for outsourcingFocus resources on what counts


Being EfficientMeasuring efficiencyDirect cost minimizationE.g., UK companies save

~40% costs by using labor in IndiaSave ₤10M for every

1,000 jobs outsourcedBenefits of outsourcingDecreased capital investmentDecreased fixed costsIncreased variable costs vs fixed costsPay by volume of service / products

Increased speed / reduction work cycle timeManagement focus – emphasize competitiveness


Can Outsourcing Fail?Yes, Outsourcing Can FailWhy Does Outsourcing Fail?Universal Nature of RiskClarity of Purpose & IntentPriceSocial Culture International EconomicsPolitical IssuesEnvironmental FactorsTravelLaborAdditional Risks


Yes, Outsourcing Can FailJP Morgan Chase (2004) Terminated U$5B contract with IBM

EDS (Electronic Data Systems)Terminated U%1B contract to run Dow Chemical

phone / computer networks


HealthCare.gov Failure (1)http://www.inquisitr.com/1211143/kathleen-sebelius-admits-obamacare-website-was-not-ready/


HealthCare.gov Failure (2)


Deloitte Consulting 2005 Study“Calling a Change in the Outsourcing Market”Interviews with 25 large organizations in 8

sectors70% respondents looking more cautiously at

outsourcing due to bad experiences25% canceled outsourcing when promised

savings / higher efficiency failed44% saw no cost savings


Why Does Outsourcing Fail?Danger when focusing primarily on cost reduction

But in 2004-2006, rate of cost-savings as primary driver rose from70% to 80% respondents

But including effectiveness can change evaluation

ProblemsMeasuring performance difficultFailure to create win/win situationDifficult to align goals of organization & vendorMust master new / more complicated communicationsMaintaining sufficient knowledge / skill in outside

workforceInsecurity perceived by internal employees & unionsContract termination can be disruptive to clients (lower

QoS)22 Copyright © 2015 M. E. Kabay. All rights reserved.

Universal Nature of RiskGreatest cost: ignoranceGreatest price: failurePoorly defined expectations / poor

planning = doomPlanningIA team should assess entire outsourcing

projectIA not only team involvedBut must not restrict IA merely to technical

detailsLiability remains with firm, not outsourcing

provider


IA Review of Proposals

What information assets at risk?Value / sensitivity of

assetsCurrent / future “risk

shadow” due to outsourcing?


Clarity of PurposeMust articulate tasksRely on employees to define specificsConflict of interest: often those

defining tasks are ones to be fired after outsourcing!

PhasesAnalysis – define/document

workRFI (request for information)RFP (request for proposal)Vendor selectionTraining

Focus on mutually beneficial vendor relations


Risks Related to Clarity of PurposePoor identification / definition of

task(s)Employees defining tasks may be

training their replacementsWorkforce reduction traumaticUncertaintyUnrestResentment

Lowered morale may have consequencesLost productivity (water-cooler

discussions)Insider sabotage


PriceBeware paper-thin profit

marginsVendor must also

survive and profitOtherwise see constant

corner-cuttingBeware short-term profit

evaluationsTake long-term viewClient must see

significant long-term profit


Social CultureVendor must cope with client cultureBe conscious of social norms across

international boundariesClient must evaluate differences in beliefs /

attitudes / behaviorsEspecially important for outsourced client

contacts such as technical supportParkerian HexadParticularly timelinessSome hostility developing in USA towards

foreign accents (e.g., Indian) in support


International EconomicsKeep long-term economic developments in mindCollapsing economy may terminate contractsVendor may go out of businessSocial disruption may stop

all businessOnce functions

outsourced, business continuity affected if supplier fails

Changes in exchange rate may affect costs if contract fails to stipulate client’s currency for charges


Political IssuesGraft / bribery vs national laws

(e.g., US legal restrictions on such payments)Foreign Corrupt Practices Act of

1977 (FCPA) (15 U.S.C. §§ 78dd-1, et seq.)

Opposing political forces’ attitudes to outsourcing vendors

Terrorism causing increasing concerns for vendors & clientsE.g., Taliban defines anyone doing business with

US / Intl armed forces as targetsRule of law: is there any (e.g., China, Burma)?


Environmental FactorsHow likely are natural disasters in remote

location?Could natural disaster trigger political

collapse?What is host country’s capacity for recovery

from environmental disaster?Will regional infrastructure cope with

disruptions to maintain QoS / SLA?


TravelEmployees will have to visit vendor or

clientTrainingQuality controlManagement coordination

Keep in mindTravel costs ($$, productivity,

morale)Employee safety / health (food,

disease, war, insurrection, kidnapping)Delays for travel documents (e.g.,

visas)


LaborRisksTurnover (requiring more

training)Escalating wagesWork stoppagesCost growth

Examine history & forecastsSupply of workersWorker exploitation (may violate

client country’s laws & affect public image, employee morale –or lead to boycotts)


Additional RisksLoss of corporate

expertiseLoss of direct

control Internal changes

in corporate purposeMoving from doers

to managers of doersOverhead of ongoing contract management


Controlling the RisksControls on What?Controlling

Outsourcing RiskAvailability ControlsUtility ControlsIntegrity & Authenticity

ControlsConfidentiality &

Possession ControlsMaking the Best of

Outsourcing


Controls on What?PlayersPeopleCorporationsSocietiesGovernments

Focus primarily on organizational behaviorPolicies, contracts, agreements, trust relations

criticalInformation security policy criticalCoordinate with legal dept: contracts / site

selection / politics / economics / separation of duties


Controlling Outsourcing Risk

Use Parkerian Hexad as framework for analysis / remediationConfidentialityControl or Possession IntegrityAuthenticityAvailabilityUtility


Availability Controls & Outsourcing Infrastructure can be determinantE.g., trans-Pacific cable cut Feb 2007Most of Asia inaccessible to North America via

InternetDistance increases risk of interruption

Backup strategy criticalBCP essential for vendor & client sitesConsider backup vendor contracts

SLA may be unenforceable if no rule of lawEvaluate possible vendor(s) carefullySite visitsNews / government reports

Monitor situation in vendor locale continuously38 Copyright © 2015 M. E. Kabay. All rights reserved.

US Dept of State Country Reports

http://www.state.gov/countries/


Utility Controls & OutsourcingCareful version controlEncryption recovery (for forgotten keys)Beware national/international restrictions

on encryption technologiesBeware incompatible formatsLanguage issuesAccentsWord usageWriting


Integrity & Authenticity Controls & Outsourcing Prevent unauthorized or accidental modifications Analyze vendor’s history / reputation But effective collaboration may required access to sensitive

corporate data Trust infrastructure

Access control mechanismsRBAC* / least privilege important

Division of laborDelegation of responsibilitiesVendor must not be able to change

structure Monitoring incorporated into contracts

Audits – preferably unannouncedWhere are backups kept?Change-tracking on servers *Role-based access control


Confidentiality & Possession Controls & Outsourcing (1)Outsourcing inherently compromises

confidentiality & controlDecide if balance is positiveLaws may protect balance – if

there is in fact rule of law on both sides

HSBC call center – Bangalore, India – 2006Employee arrestedHacked into bank’s computersStole ₤233,000Hired because of forged high-school transcriptsOnly criterion for hiring was English skills


Confidentiality & Possession Controls & Outsourcing (2)Constant monitoring / auditClear terms of contractUnannounced auditsMonitor log files, real-time

security toolsMay replace absent laws by

contract termsFailure of security termination of contractMay not help if legal process in vendor’s countryBut could help in client’s country


Making the Best of OutsourcingCareful planningCareful implementationFocus on trust & monitoring“Trust, but verify”

Plan for threats to availabilityBCP / DRP

Training, liason Integrate security into contract terms


Outsourcing Security FunctionsOverview of Security OutsourcingWho Outsources Security?Why do Organizations Outsource

Security?Risks of Outsourcing SecurityHow to Outsource Security FunctionsControlling Risk of Security

Outsourcing


Overview of SecurityOutsourcingCan improve overall securityTake advantage of specialized security

expertise / experience / perspectiveDepends on vendor’s history / reputation

Contracted security-guard force commonplaceExample of insourcing

Increasing use of security-service vendorsNearshoringIncludes software testing for security

vulnerabilities


Outsourcing Security (1)

The following snapshots are from the document shown here.

Link (abbreviated) is:

http://tinyurl.com/opfemca






Why do Organizations Outsource Security? (1)Staffing ChallengesTraining & retentionKey to success is deep

understanding of specific businessShould always look for ways of focusing

employees on mission-critical functionsDistribute less taxing, routine jobs to othersSave on constant training costs by shifting to

outsourcing firmFinancial SavingsCan be significant, esp for 24 hr monitoringFinding savings of 6x by outsourcing


Why do Organizations Outsource Security? (2)Threat intelligence / additional perspectivesEnormous volume of threat infoDifficult to keep up without full-time focus /

teamSmaller organizations cannot keep up

Managed System Security Providers (MSSPs) can helpMuch larger staff dedicated to intelligence

gathering / analysisMay be able to negotiate training for in-house

staffBut not always – vendors may consider info

proprietary


Risks of Outsourcing SecurityConflict of interest: profit rises as detection decreasesWhere is your organization on vendor’s priority list in

emergency?Are costs determined by number

of events? If so, how to monitor & prevent abuse?

Where are vendor’s employees? Offshore?

Is theft of intellectual property &industrial espionage major issue? (e.g., China, India)

How carefully does vendor verify employee backgrounds / qualifications?

Who monitors vendor’s employees when they are accessing your data?


How to Outsource Security Functions (1)SOW (Statement of Work)Consider work volume

when partitioning responsibilitiesE.g., 1 case had

administrative passwords stay under control of in-house staffNon-administrative passwords delegated to vendor

Determine desired outcomesQoS: Quality of ServiceSLAs: Service Level AgreementsE.g., reset password within 4 hours in 99% of cases


How to Outsource Security Functions (2)Choose reliable vendorEvaluateFinancial healthReliable infrastructureCompetent staffSatisfied customersVendor independenceAppropriate SLALegal safeguards


How to Outsource Security Functions (3)SLA (Service Level Agreement)Outcomes desiredResponse timesRoles & responsibilitiesMetricsStatistical quality control

Continuous process improvementEnsure that vendor is free to report mistakesFocus on improvement, not penalties


Controlling Risk of Security OutsourcingContract-management skills essentialOngoing monitoring by clientCoordination with legal department Prepare for failure of SLAs or QoS

Coordination with in-house security staffContinuity of operations part of BCPBe sure staff know what to do if service goes bad

Immediate revocation of access to service-provider’s copy of data & services if contract annulledEspecially important for high-level administrative

accounts


DISCUSSION

csh6 ch68 outsourcing - m. e. kabay · defining tasks are ones to be fired after outsourcing!...

Documents