Outsourcing information security could be a risky business

22 May 2009
Krag Brotby

Over the past two decades, outsourcing and offshoring have become central to the business strategy of many organizations. The ongoing race to cut costs has resulted in mass migrations of whole industry sectors from low-cost regions to lower-cost ones, benefiting one and often distressing another - and the information security industry is no exception. Krag Brotby reports.

For many organizations, outsourcing has been essential to prospering and, often, surviving. While the social and economic aspects of these business strategies continue to be argued, from a security point of view, the trend has not been without risk.

Today, given the current unprecedented global economic turmoil and uncertainty, the risk/benefit equation has shifted dramatically. Organizations faced with unprecedented challenges from deteriorating economies, cut-throat global competition and disgruntled shareholders have increasingly succumbed to forsaking prudence for economic gain.

The IT Governance Institute’s Governance of Outsourcing survey in 2005 found that the primary reason for outsourcing had changed from cost considerations to addressing the shortage of specialized technical expertise. Today, organizations faced with shrinking revenues and slashed budgets will again fuel the growth of outsourcing and offshoring based largely on costs.

The decision to outsource is often justified as a strategic one based on the notion that focusing on activities core to the organization’s business is essential to survival. This perspective has resulted in any activity deemed non-core becoming a candidate for being transferred to the lowest-cost third party.

Should security be outsourced?

Given that even in recent better times, information security has not been adequate to stem the rising tide of cybercrime, it should be of considerable concern in the context of current global risk. Many organizations continue to consider information security a low-level technical activity relegated to IT or operational middle management. Consequently, many aspects of information security are considered non-core and have been outsourced along with much or all of IT.

Many organizations have failed to recognize the strategic implications of security in the broadest sense of both protecting information assets and ensuring the preservation of the organization. This has led to an absence of effective security governance both internally and in outsourced functions.

The aforementioned study conducted by the IT Governance Institute found outsourcing practices to be inconsistent and typically not well governed. The study also showed that to achieve satisfactory results from outsourcing, it was essential to ensure that organizational governance “provides the mechanism to balance risk, service demand, service provisions and cost.” For organizations without an executive-level security or risk management function, the balance can be expected to suffer for perceived short-term cost savings.

For the last several decades, a reasonable level of security has been an essential component of an organization’s long-term success. The absolute dependence of virtually all organizations on the systems that process, transport and store information is incontrovertible, and the lack of strategic oversight for many of these systems and functions is of concern.

External breaches on the rise

In most sectors, evidence shows that managing risk to information resources is not perceived as critical. This is evidenced by the incessant headlines of spectacular security and control failures resulting in ever-increasing internet-related losses. A panel of experts meeting in Switzerland at the World Economic Forum ’09 estimated that these losses have reached 1 trillion annually. It is not coincidental that Ponemon’s annual Cost of a Data Breach study for 2008 pegs inadequate information security among third-party service providers, including outsourcers, consultants and business partners, as a significant cause of breaches. External breaches accounted for 44% of all losses – up 4% from 2007, and a whopping 29% from 2006.

Given that most outsourcing has historically been driven by cost, it is not surprising that a significant percentage of losses are the result of information security failures by service providers. Effective security comes at a price, and is often the least visible component of any service function until it fails. Service providers under cost pressures will typically axe information security before cutting the more visible performance elements.

Part of the problem lies with the criteria, specifications and general governance that organizations use for outsourcing. Some of the responsibility for a large number of information security compromises falls to service providers employing a strategy of bidding too low in the intensely competitive scramble for contracts.

While few executives would select a surgeon for open-heart surgery based on the low-cost bidder, the same executives will often select outsourcing solutions based largely or solely on cost. If security at an executive level does not exist to provide a balanced perspective, there is likely to be a lack of appreciation for risks inherent in the various options and the strategic importance of security in managing them.

Admittedly, good IT and security outsourcing contracts that anticipate every potential circumstance are notoriously difficult to create and typically don’t do a great job. In part, that is due to a lack of senior security contract oversight. It is also due to the fact that the current rapidly shifting risk landscape renders it impossible to anticipate circumstances even in the near future. The spate of terrorist attacks during the past few years in India, culminating in the Mumbai massacre, is an example of unanticipated events likely to affect outsourcing relationships. While these events may not directly affect service levels, both actual and perceived risks will influence the effectiveness of outsourcing operations there.

Show me the money

And finally, regardless of how good the intentions, the provider and the recipient organization have fundamentally conflicting interests. The information security provider must deliver the minimum services at the highest cost, while the recipient must get the maximum levels of service at the lowest cost. While in practice, adequate accommodation is generally the rule, under financial stress the conflict is likely to become more pronounced.

The most successful outsourcing arrangements are, not surprisingly, the ones subject to the best governance. Governance as defined by the IT Governance Institute is:

“… the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”

To manage information security risks successfully, governance of outsourced relationships requires the same ongoing oversight, risk management and metrics.

Increased risk in troubled times

While geopolitical and economic risks to offshoring have always existed, the current level of volatility and concomitant political strife, particularly in lower-cost regions, has not been the norm for decades. There will be areas of dramatically increased information security risk that organizations will need to consider for both existing and anticipated outsourcing arrangements.

For example, the current highly volatile exchange rate could negate the savings anticipated by an offshore arrangement. The Australian dollar fell around 40% against the greenback in 2008, which could dramatically alter the viability of contractual relationships depending on how payments are denominated.

The gains experienced by one side of an agreement might be so unfavorable to another that the contract is breached or the service provider ceases operations. The British pound has had a similar decline against the dollar and the Euro, undoubtedly affecting many contractual relationships with east European providers. Pressures to revalue the Chinese Yuan may also constitute a risk for organizations with operations there.

Another consideration is the unprecedented number of business failures that can leave an organization suddenly without a vital service and without the in-house expertise to deal with the consequences. This adds financial viability as another major risk consideration.

It is notable that while India is a primary outsourcing destination for IT services, the 2006 Global State of Information Security Governance study of more than 7000 organizations by the IT Governance Institute found that information security there was generally among the least mature. This situation may have improved in the intervening years as clients using their services have demanded better information security in some measure due to a number of embarrassing breaches that recently came to light. In any event, due diligence is warranted when considering offshoring PII or other sensitive information.

As if all this were not enough, organizations must face a broad range of other information security considerations. These range from being increasingly targeted by ever more resourceful global cyber crooks, to the inevitable growth of regulatory requirements as governments attempt to stem mounting fraud, financial losses and sagging consumer confidence.

Although regulatory constraints may not seem to be in the direct purview of information security, many of the existing and anticipated legal restrictions are contradictory, and they must be considered collectively wherever an organization operates. They must then be treated as any other risk would. The impact must be assessed to provide the basis for prudent business decisions, and a cogent risk-based strategy must be developed to deal with them.

The upshot is that prudent organizations will have information security governance processes in place that assess the security implications of various scenarios from a strategic perspective. They will balance the probable risk costs against the anticipated outsourcing savings, provide aggressive governance processes and oversight, and, finally, have a viable plan B for any outsourced activity important to the organization.

Comments

SASB7 says:

26 May 2009
I am still of the belief that outsourcing the security function is just short-sighted and lacking common sense. No outsourcer can understand the security requirements of the company and understand the full nature of the data they need to protect, let alone the sensitivity and full impact a breach could cause the company that has charged them with its IT operations.

As the Security Manager working for the outsourcing company, I try to stand between both of the companies I am charged with protecting. Serving as the information security manager, it can be a daunting challenge to protect both parties’ interests while drawing a salary from the outsourcer and being contractually paid to provide service. Both parties challenge me and my security team, with one side asking for more security service and compliance without paying for the increase in delivered service and the other trying to reduce the cost of delivering service to the client regardless of the impact.

The single most fatal flaw in outsourcing security is when the security service is outsourced overseas to a third-world nation that has no loyalty in protecting the interests of US companies, and the significant differences in ethics, culture and legal system. This makes it far more difficult to investigate security incidents and offenders. The companies that provide offshore services are more willing to cover up and sweep incidents under the rug because they are afraid it will cost them revenue and loss of reputation and clients. Besides, what are the ramifications if an offshore employee steals data or sells competitive data? No one can really say, because the laws are different and US companies in the courts are viewed very differently, and in most instances are very difficult to investigate with the authorities where company or governmental .

Investigating security incidents is far different here in the US with US-based employees and our ability to understand the laws and enlist the help of company legal counsel. The culture here, that there will be criminal charges with the possibility of incarceration or a civil suit if US laws are broken, can be a very effective deterrent. The offshore cultures are far different; some of the offshore cultures view that the employees have the right to copy data they have worked on and that they are entitled to make money with the things, the access and the data they have acquired while working on the account. It is broadly accepted and allowed in other countries. So now a company that outsources its IT operations and its data, along with outsourcing the security services to protect the company data, has really lost all visibility, accountability and authoritative power to ensure they are properly being protected and their data is secure. This also brings up another issue: what about governmentally sponsored activity? Who can really investigate those incidents?

As an outsourcer, it is to my advantage to persuade companies to outsource not only IT but security services as well, and to sell them the advantages of outsourcing from an ROI perspective. Outsourcing has its merits, as long as the security function remains onshore with a comparable company security team and function that reports directly back to the board of directors and not the IT group, and the outsourcing company is not allowed to package and ship its security operation and function offshore.
