8/14/2019 outsourcing security survey0706[1]
1/28
March 21, 2006, New York, NY
DISCUSSION DOCUMENT
Outsourcing Security: Concerns Growing
Outsourcing Security Survey Findings
Background on the Booz Allen Hamilton Outsourcing Security Survey
As the use of outsourcing continues to grow, so too do the risks to customer and company data that companies must rely on their outsourcing vendors to protect
In order to better understand how companies are managing the information security and data privacy risks of outsourcing, Booz Allen Hamilton surveyed senior executives involved in defining and managing their companies' outsourcing strategies
The survey, which reflects the responses of 158 executives from companies across a range of industries, June to December 2005, was designed to provide insight into:
- Senior executive perspectives on the magnitude of information security risk involved in outsourcing relationships
- How companies approach the evaluation and monitoring of outsourcing vendors' information security capabilities
- The information security and data privacy challenges that the outsourcing industry must address in order to maintain the trust and confidence of customers and clients
The following presentation provides an initial summary of the survey results
Key Takeaway: Companies using outsourcing are increasingly concerned about information security
- Security is an increasingly important issue among outsourcing buyers
- While security is a complex issue, respondents almost unanimously agreed on the need for standards and auditing mechanisms
- These mechanisms are particularly needed in some key countries where respondents do not trust the current legal and regulatory infrastructure (e.g. India, China)
- Support is growing for government involvement in setting and enforcing security standards
- Like financial markets, outsourcing security can benefit from public-private partnerships to provide regulations, standards and audit capabilities
- Outsourcing buyers seem willing to pay a premium for improved security capabilities
Executive Summary
Services, pricing and security capabilities are the top three evaluation factors when selecting an outsourcing partner
When selecting an outsourcing partner, what are the most important evaluation factors? (number of respondents selecting each factor)
Capabilities and quality of services: 117
Pricing of service and cost savings to the company: 77
Provider's security policies, capabilities and track record: 74
Financial strength and business stability: 63
Reputation, brand and references: 51
Provider's regulatory and compliance history: 33
Geographic factors: 17
Note: Respondents were asked to select all that apply
Companies are more concerned about cyber threats than physical breaches and natural disasters
When evaluating or managing outsourcing relationships, how concerned are you about the following type(s) of security threats? (number of respondents answering Very Important)
Cyber threats:
Theft, misuse or damage of company systems and data from outside the outsource provider (system hacking, viruses, spyware infiltration, etc.): 101
Theft, misuse or damage of company systems or data from inside the outsource provider: 98
Non-cyber threats:
Theft or damage of data or assets via compromises of physical security (break-ins, vandalism, etc.): 56
Compromise of operating continuity due to external factors (natural disasters, political instability, etc.): 56
Note: Includes only the number of respondents who answered Very Important in each category. Respondents were asked to select all that apply
Increased awareness of security risks has led many companies to review their outsourcing strategies in the last year
In the last two years, have you heard of specific examples of outsourcing security failures and/or breaches of privacy? (Yes / No): 58% / 42%
As a result of this knowledge, has your company reviewed its overall outsourcing strategy in the last year? (Yes / No): 37% / 63%
The security risk is perceived as significantly higher for providers with offshore operations
Do you perceive a greater or lesser risk of security threats for outsourcing providers located offshore?
Moderately Higher: 28%
Much Higher: 48%
Same: 17%
No basis for comparison: 1%
Moderately Lower: 2%
Much Lower: 4%
76% of respondents consider the security risks when using offshore providers higher than the risks associated with domestic providers
Providers with operations in India, Asia and South America are particularly challenged by a legal and regulatory perception gap
Major Findings
- North America is seen as having the most robust legal and regulatory environment, followed by Ireland and the emerging EU countries of eastern Europe
- India is seen as fair, with room to improve, as only 27% of respondents indicated that the area has a robust legal infrastructure
- China, South America, and Southeast Asia were seen as having the biggest legal and regulatory gap, with 11 percent or fewer respondents indicating they had a robust infrastructure
Which geographies have a robust regulatory and legal infrastructure? (% of respondents selecting geography)
North America: 83%
Ireland: 52%
Emerging EU: 42%
India: 27%
Southeast Asia: 11%
Other: 9%
South America: 6%
China: 5%
Chart annotation on the lowest-ranked geographies: Challenging Regulatory and Legal Environments
Note: Respondents were asked to check all that apply
Providers' security capabilities matter more than providers' security budgets.
How important are the following security factors when evaluating and managing an outsourcing relationship?
Number of respondents answering Very Important, per factor: 82, 78, 68, 63, 60, 33
Factors:
- Provider's security team (depth of expertise)
- Provider's security budget (provider's budget on security relative to industry best practices)
- Provider's compliance with standards and laws
- Provider's network & system security
- Physical security at provider's facilities
- Provider's personnel security policy and procedures
Note: Includes only the number of respondents who answered Very Important in each category. Respondents were asked to select all that apply
Verifiable security management capabilities matter more than absolute spending
... however, defining, monitoring, and integrating security management in outsourcing contracts is a growing challenge
Which factors present the biggest management challenges in evaluating and managing security in outsourcing relationships? (% of respondents putting factor in top 3)
Establishing effective security management requirements in the contracts: 65
Monitoring, auditing and evaluating vendor compliance with established security policy: 58
Evaluating and implementing security technology and process integration: 54
Acquiring and maintaining the right skill sets and capabilities to manage security: 31
Determining how much to invest in security in an outsourcing relationship: 26
Delivering effective training in policies and procedures of outsourcing providers: 22
Companies want more 3rd party audits and independent security evaluations of outsourcing providers
What tools do you feel are most important to use in evaluating the security capabilities of outsourcing vendors? (number of respondents)
Pull metrics:
Site visits and in-person audits of vendor security processes and capabilities: 105
References from other clients: 95
3rd party security certifications (e.g., NASSCOM): 89
Security industry benchmarks & analyst reports: 80
Push metrics:
Vendors' security track record as reported in media, industry press: 39
Vendors' self-reported metrics (e.g., RFP responses): 37
Note: Respondents were asked to select all that apply
Information on vendors sought by companies (pull metrics) is more reliable than vendor-reported metrics in RFPs or media (push metrics)
The US government could play an increasing role in creating security and privacy regulations for outsourcing providers
Should the U.S. create specific regulations for outsourcing providers to ensure they meet commonly accepted security and privacy standards?
Yes, across all providers, functions and service categories: 33%
Yes, but only for specific functions or service categories: 34%
No: 32%
Two thirds of respondents are open to some form of US regulation of security standards
Outsourcers should work with associations and governments to define and establish security regulations and standards
Who should be responsible for defining and establishing the standards? (number of respondents expressing preference)
Customer trade groups or industry associations: 50
Outsourcing service provider coalitions or industry associations: 46
Government-led from within major industrialized nations (e.g. U.S., Europe): 49
Government-led from countries with growing outsourcing industries (e.g. India, China): 49
Independent experts and outside consultants: 31
Industry associations top preference for establishing security standards
Industry ready for public-private partnerships for setting standards and regulations
... while leveraging external auditors for monitoring
Who should be responsible for certifying, monitoring and enforcing standards? (number of respondents expressing preference)
External enforcement via regular certifications and audits by external consultants and auditors: 73
Self-enforcement and reporting at the outsourcing company level: 38
External enforcement via active regulation and management by government entities: 41
Nearly 2:1 preference for 3rd party audits over self-enforcement
Investments should be prioritized for security training and awareness, new technologies and improved policies/procedures
How do you believe outsourcing providers should prioritize their security investments? (number of respondents expressing preference)
Invest in internal security training, education and awareness initiatives: 107
Invest in new security technologies: 85
Improve published security policies and procedures: 75
Invest in outside, independent assessments to highlight internal security and compliance track record: 70
Invest in new physical security and other business continuity initiatives: 51
Note: Respondents were asked to check all that apply
Buyers may be willing to pay a premium for improved security capabilities, challenging the industry to demonstrate ROI
Would you be willing to pay 10% to 15% more for outsourcing services if you thought it would ensure superior security?
Definitely - proven security is worth the additional cost: 30%
Maybe - would depend on comparison of security against other factors: 55%
No - additional security is either not worth the premium or it is too difficult to validate: 15%
85% of respondents may be willing to pay some premium for improved security
Other Supporting Findings
Respondents viewed service disruption, loss of customer trust and brand impact, and loss of intellectual property as equally important outsourcing security risks
What do you believe are the greatest security risks and vulnerabilities to your business from outsourcing? (number of respondents expressing preference)
Disruptions in product delivery or service caused by breakdowns in mission critical business processes or functions: 94
Loss of customer trust or relationships due to improper or fraudulent use of confidential customer data: 91
Loss of intellectual property or other sensitive information via either accidental exposure, theft or misuse of corporate data: 94
Brand or reputation damage that results in loss of goodwill arising from actual or perceived risk of security failures: 92
Risk that your company is liable for improper actions of your outsourcing provider: 65
Other: 5
Note: Respondents were asked to select all that apply
Companies are more concerned about theft or misuse of outsourced data than they are about the threat of terrorism
From your perspective, how serious is the threat of terrorism for the operations of domestic outsourcing vendors? (response categories: Low Threat, Moderate Threat, Serious Threat, No Basis for Evaluation)
How concerned are you about theft, misuse or damage of company systems and data from outside/inside an outsource provider? (response categories: Very Concerned, Somewhat Concerned, Not Concerned)
Pie chart values shown for the two questions: 9%, 39%, 47%, 15%, 63%, 28%, 9%
Less than 50% view terrorism as a moderate or serious threat, while 91% were somewhat or very concerned about data theft or misuse
There is a credibility gap in the security capabilities of providers, with clients in some verticals more skeptical than others
For your industry, do you find the security capability claims of outsourcing providers credible? (all respondents)
Yes: 14%
Yes, but only the largest: 37%
Maybe, but no way to verify or validate claims: 20%
No: 30%
Half of respondents discredit outsourcers' security claims
Verification of compliance 2nd most important evaluation factor
Breakdown by vertical (separate pies for Financial Services, Government and Manufacturing; values shown on the charts: 25%, 15%, 25%, 30%, 30%, 25%, 18%, 36%, 36%, 9%, 25%, 24%, 14%, 19%, 43%)
- Less than half of financial services respondents trusted even the largest providers' security capabilities
- Government respondents were even more skeptical, with less than 30% trusting all or the largest providers
- 67% of manufacturing respondents found some degree of provider security claims to be credible
Survey Methodology and Demographics
Survey Methodology
Respondent Selection Method: Invitations to participate in the study were distributed via email to a select group of contacts:
- Booz Allen current and former clients
- Other comparable senior executives gathered through selective acquisition
- Registered opt-in subscribers to email lists for knowledge@wharton and strategy+business magazine
- Participants in the Outsourcing Seminar as part of the Conference Board's 2005 BPO Conference
Format: Online survey hosted by Booz Allen Hamilton
Date of Survey: June to December 2005
Number of Respondents: 158
83% of respondents are currently outsourcing or actively considering doing so
Is your company either currently outsourcing any functions or actively considering outsourcing?
Yes: 83%
No: 17%
Over half of survey respondents were senior executives
Responses by Function
CXO*: 53%
Procurement / Regulatory Officer: 32%
Other: 15%
*CXO category includes Chairman, President, CEO, CFO, Controller, COO, CIO, CTO, CISO, VP Operations
The 158 respondents to the survey represented 12 different industry sectors
Distribution by Industry (pie chart shares: 4%, 17%, 3%, 2%, 6%, 8%, 15%, 2%, 11%, 8%, 9%, 4%, 11%)
Sectors: Automotive; Business Services (legal, accounting, architectural, engineering design); Communications (telecommunication, Internet services); Computer Services; Education; Electronics; Financial Services; Government; Healthcare; Insurance; Life Sciences; Manufacturing; Other
Survey respondents represented companies of all sizes
Distribution by Revenue (pie chart shares: 39%, 24%, 18%, 19%; band label shown: $10B+)
Distribution by # Employees (pie chart shares: 42%, 27%, 18%, 5%, 8%)
For more information regarding this survey, please contact:
Vinay Couto, Vice President, Chicago (312) 578-4617 [email protected]
Jim Newfrock, Principal, Parsippany, NJ (973) 630-6789 [email protected]
Jon Watts, Principal, New York, NY (212) 551-6644 [email protected]
Martha-Rosalind Stainton, Senior Associate, McLean, VA (703) 902-3815 [email protected]