The Risks of Outsourcing

Back to Contents of Issue: October 2004

UNLESS YOU WERE in hibernation or have been exploring the planets, you have probably heard the hype, promise, constraints and failures associated with the outsourcing of information systems development.

by Kevin C.Desouza, Yukika Awazu and John Mehling

IN ORDER TO REMAIN competitive in today's global marketplace, organizations are turning their focus towards their core competencies and looking to outsource functions in which they lack expertise to maintain effective cost structures and to improve their bottom lines. In particular, the practice of information system (IS) outsourcing has become fashionable.

The most commonly cited reasons for the increase in IS outsourcing include cost savings associated with cheaper labor and infrastructure, reduced burden on the organization to manage and develop a viable information systems function, the move from a fixed cost to a variable cost model and the ability to develop better customized information systems through the use of specialized vendors.

Maintaining an internal IS staff is no easy feat. The dynamic nature of information technology (IT) work, the high labor cost and the constant need to re-train employees to keep their skills at par puts understandable pressures on an organization's resources. By various estimates, IS development and maintenance costs represent a third of overall organizational expenditures. Any effort to reduce these helps free up resources for other projects.

Organizations such as Bank of America, Dell, British Airways, Standard Charted, HSBC and others have claimed significant benefits from engaging in offshore IS development projects. Countries like India and China are leading the outsourcing world. Organizations in these countries have developed significant capabilities that make them the most efficient and effective producers of information systems.

As dictated by basic economics, entities will seek to maximize their returns by sacrificing the minimum required. Business organizations are under pressure to show profitability, hence if work can be done more cheaply offshore without sacrificing quality, sourcing -- especially offshore outsourcing -- will remain fashionable.

Of course, if it were that simple, we could end here. But while the increase in offshore outsourcing endeavors will continue in the foreseeable future, we caution organizations to be aware of the security issues involved in these dealings.

Most organizations are na•ve in their efforts to secure the outsourcing deal. In our research and discussions with outsourcing clients, consulting firms and academicians, we continue to hear horror stories due to lack of care for security protocols in an outsourcing engagement. Owing to the galore of attractive benefits, much of the innate security risks often tend to get overlooked or simply ignored.

When viewed at an individual level, security risks are summarily dismissed due to their low probability. But in today's world, an information technology breach could bring down an organization in seconds. Moreover, depending on the organization sending the work offshore, such breaches could be considered an act of cyber-terrorism and undermine national security.

We would like to draw attention to some of the risks associated with offshore IT outsourcing. It is our contention that while offshore outsourcing is a viable opportunity, managers need to address the security aspects involved in these engagements.

Security risks..............................................................................

While security risks are inherent regardless of where information systems are created or maintained, the risks are greater when systems are beyond one's control, both physically and psychologically. In an outsourcing engagement (especially those that are conducted offshore) the commissioning organization has little if any control over the IS vendor. Geographical distance, costs, time and resources prevent the client organization from exerting appropriate control over the vendor.

The first security issue one must contend with is the lack of adherence to security and quality standards. As more software code gets written by offshore development companies, the lack of supervision of how exactly the code is written could be a concern. Since the competitive positions of the offshore developers depend on providing information systems at the lowest possible cost for the highest achievable quality in the quickest delivery time, much of the software development integrity may be violated.

Corners will be cut and sacrifices will be made to ensure a "product" is delivered, even though it may not be the most "reliable product" or "complete product." Many of these offshore development companies have multiple clients; there is no guarantee that a contracting organization's data, programs and applications will not be duplicated for other clients. Duplication and re-use of code is one of the easiest ways to ensure the increased productivity of code writing, which helps to keep costs low.

Second, if cost savings are what motivate the offshore contracts, organizations are less likely to spend the time and effort to conduct a thorough validation and testing of the code when a finished product is developed. This increases the possibility of malicious code being placed and going undetected, which may be a source of information or data leaks.

This is especially a concern when we are dealing with sensitive organizations such as national defense departments or national research labs and critical innovation factories. For example, if one was to put malicious code into an IS sponsored by Japan's Ministry of Defense, the damage could be serious and profound for the entire nation. We are living in a time of national turmoil, and there is no telling how the next war will be fought. But we do know that the use of technology will be a viable component of the battle. If humans can be taken hostage, there is no reason why technology systems should be any different.

Third, physical control over security regarding systems and facilities is limited when work is done at offshore sites. It is nearly impossible to guarantee that security measures will ensure the data and systems are not compromised. Since outsourcing companies are primarily concerned about perimeter and host security (i.e. the technical solutions), the human aspects of security are often ignored. Moreover the necessity to keep costs low and remain competitive gives rise to the prominence of unlawful practices such as password sharing for access to copyrighted material, multiple users per system, et cetera. These could lead to data leaks and system damage, which in many cases could bring an organization to a halt.

Fourth, intellectual property theft is on the rise today. Recently we have seen events of espionage from the most prestigious national research laboratories, such as Los Alamos in the United States. While the occurrence of these within the country can be mitigated through the local legal system, the laws outside our confines are less palatable to such thefts.

When an employee leaves a company or project, experience and knowledge are lost. For example, in the United States, legal agreements between employees and employers are typically put in place in order to prevent intellectual property (IP) from being placed into the hands of a competitor. Protecting intellectual property rights in foreign countries can be difficult. Even in countries where the government feels that it is in their own long-term interest to protect the IP of a foreign investor, this is often not easily done due to legal, cultural, or political issues and/or business practices.

From Los Alamos, computer hard drives containing information about US and Russian nuclear weapons were unaccounted for. While evidence of espionage was not found by the FBI, it was determined that nuclear emergency officers were allowed to remove and replace secret classified hard drives from a secure vault without signing for them. This weakness in security control demonstrates that intellectual property representing national security can be mishandled at a domestic level.

If this type of incident can happen at an institution where security controls and their maintenance should be handled at an extreme level, it can undoubtedly happen in an offshore institution where security controls are not maintained under a watchful eye. In addition to physical theft of IP, one must contend with issues of copyright infringement.

For instance, while China does have copyright laws in place, they tend to favor Chinese companies. IP laws in offshore countries are notoriously difficult to deal with, in turn creating a risk for US firms that outsource to these countries. We have witnessed cases where an employee of an offshore vendor attempted to sell proprietary software to a competitor. The deal would have gone through if not for some extraordinary local law enforcement professionals who detested the norm of keeping quiet by taking bribes.

Another salient issue is the notion of tacit IP. In order for an offshore vendor to produce a piece of software for a domestic firm, it must possess some level of knowledge about the domestic firm's business and systems. What guarantees exist to ensure that these will not be shared with other clients, or left exposed? In short, none.

In acts of industrial espionage, the greatest losses belonged to companies with information regarding manufacturing processes and Research and Development (R&D). The manner in which these foreign companies acquire this process and R&D information is partially through foreign research facilities and software development companies working on commercial programs.

Lastly, while considering where to outsource, one must consider the geopolitical stability of the environment. In many of the offshore contracts, political instability is common. This, coupled with the fact that employees working on the projects are underpaid, is culturally challenging. And in some cases, employees have hostilities towards the home countries of their clients, leading to a disastrous mix.

Let us hypothesize a situation: A disgruntled employee working in Pakistan is approached by a terrorist group. This group offers him 100 times what he earns in exchange for dropping a worm into a server that secretly leaks information and eventually controls a government organization's server.

This situation is not too far from reality and could lead to grave and serious consequences. In December of 2002, US Customs officials raided the offices of the Ptech Corporation, a Boston based company, which handled sensitive military and national security information, including software development on products used by an FBI counter-terrorism unit.

It was then reported that Yassin Al Qadi, a Saudi millionaire with possible ties to Bin Laden, underwrites that company. Political unrest and war could have a devastating effect on an organization, considering that a large portion of client data and operations will be residing in that region. Countries currently leading in offshore developing efforts ironically have the highest ranking on the geopolitical risk meter. Consider the case of India: The heated tensions between India and Pakistan continue to mount, with new talks being directed towards nuclear armament.

Steps towards securing outsourcing...........................................

Rather than continuing on with the security issues in outsourcing, let us stop and postulate some guidelines as to how to secure the outsourcing beast. Harping on the negatives will not get us anywhere; we must be cognizant of how to exploit outsourcing as a strategic weapon by countering or minimizing the negatives.

Security risks associated with sending work offshore are grave and need to be accounted for. The success of offshore endeavors will depend on how an organization addresses and maneuvers around these security risks. Organizations need to intimately know two things: who they select as an offshore developer, and their own needs for security.

For example, a company that manufactures wire coat hangers and a company that builds rocket delivery systems for the US military will probably have different security needs. Once the security needs are recognized and the offshore developer has been researched, a service level agreement (SLA) can be prepared.

The SLA is the first step in ensuring success, as it offers a contractual agreement that will measure performance, while also covering legal concerns regarding intellectual property and national/international security laws. Aside from having a strong SLA put together, we propose the following simple steps. Taken in isolation, many may seem trivial -- but if executed as a set, they can becme a successful offshore campaign:

1. Engage with offshore vendors with a local (onshore) development facility that can take over operations in case of catastrophe, thereby reducing risk. Make sure monthly backups are done of all programs and data. Upon completion, these backups should be shipped and stored in a locally housed repository for safekeeping.

2. In devising the SLA, one must make provisions for termination clauses due to acts of terrorism, national security and domestic unrest. Moreover, preemptive measures must be devised on how data, systems and people will be migrated to a more secure location in these situations. If in-house resources are not available to evaluate the security levels of the offshore vendor, hire an outside firm to perform an initial security assessment in addition to follow-up security audits. This will ensure that security measures are maintained at the levels outlined in the SLA.

3. Backup and documentation have always been critical aspects of system design. These become even more critical as one moves work offshore. The quality of backups and documentation will determine whether an organization will withstand and survive damage caused by exogenous forces such as war. For instance, the more recent the backup of the system that is taken, the quicker one can reload data with minimum data loss or delay. On the other hand, if the backup was taken a month back, depending on the data, the organization will be out of business. It is important that an organization take the necessary steps to ensure that knowledge processes and practices are documented. An organization should not leave these issues to chance. If a contract goes sour, an organization must have the necessary knowledge to be able to manage the work independent of the outsourcer. This will be impossible if the knowledge is not captured in an explicit format.

4. Management must devise a liaison or a project manager who works closely with the offshore vendor. Their task would involve ensuring compliance to SLA and monitoring performance. In addition, this person must have engrained knowledge of the offshore culture and climate so as to proactively advise management on how to deal with issues such as political unrest, worker strikes, et cetera. An organization should not blindly rely on certifications and assurances provided by a vendor. Just as we would not simply hire a person because they possess a bachelor's degree from a prestigious institution, we cannot rely blindly on certifications. If an organization possesses a certification, such as a Capability Maturity Level for software development, it is a good start and may be used to pre-screen vendors for contract negotiations. However, before signing, the organization must physically inspect the security protocols in place to ensure that what is documented in paper is actually practiced.

5. Do not rely exclusively on one vendor. The more an outsourcing vendor knows about your organization, the more they can gain. Moreover, relying exclusively on one vendor could result in the organization being taken hostage by the vendor. It is better to work with multiple vendors and manage the coordination between these entities. In this way no one vendor will have all the knowledge of your organization. In addition, if one vendor should not perform up to par, work can be shifted to other parties with relative ease. If an organization exclusively relies on one vendor, it will be difficult for a new vendor to take over operations, as the newcomer has to begin by learning from scratch.

6. Offshore outsourcing should not be used for developing systems that are highly specific and strategic to the organization. Management must realize and appreciate the fact that these systems are critical assets for the organization, and as such they must be respected and given due attention both in terms of cost and governance.

7. Lastly, an organization would always be better off maintaining a small local IS staff and keeping their skills up-to-date. Even if an organization outsources all facets of systems development, the local IS staff can help in governance of the outsourcing projects and also serve as a backup to pull work back into the organization, should there be problems with the vendor. The local staff can also ensure that appropriate security protocols are being met and can communicate changes in protocol between the vendor and the management staff.

8. Offshore outsourcing should not be used to scapegoat problems. If there are problems within a segment of business, try to smooth out the issues before shipping it offshore. While getting rid of the problems may save headaches and money, it will probably make it more difficult to fix the problems in the future.

We hope to have put offshore security risks in perspective. The challenge is for you to frame your perspective on the risks, based on the needs of your organization, and put the perspective into practice. Remember, offshore outsourcing is here to stay, and as management we must recognize this and do our best to conduct such engagements in a secure manner. @

About the Authors
Kevin C. Desouza is the President and founder of The Engaged Enterprise, and is the director of its research institute -- Institute for Engaged Business Research [IEBR]. Desouza has authored over 80 articles for prestigious business and academic journals. In addition, he has written Managing Knowledge with Artificial Intelligence (Quorum Books, 2002), and has co-authored Managing Information in a Complex World (M.E. Sharpe Inc., 2004).

Yukika Awazu is the Vice President and co-founder of The Engaged Enterprise and is a senior research fellow at IEBR. Awazu has authored a dozen articles for prestigious business and academic journals.

John Mehling is a technology enthusiast who has held various positions in prestigious information systems and technology organizations.

Note: The function "email this page" is currently not supported for this page.