CAMBRIDGE, MASS. -- Outsourcing -- whether domestic or offshore -- carries significant potential risks to security, confidentiality and regulatory compliance. However, careful consideration of IT governance can mitigate those risks, and provide attractive returns on the organization's outsourcing investment.
Steve Suther, director of information security management for American Express, detailed strategies for successful global outsourcing yesterday at the 32nd meeting of the Information Systems Audit and Control Association (ISACA) in Cambridge, Mass. Suther is responsible for managing the company's IT security policies and standards, and led the security governance portion of the company's $7.5 billion outsourcing deal with IBM Global Services.
Outsourcing continues to grow rapidly in popularity, since it can lower costs and allow organizations to reallocate resources. However, outsourcing can represent several kinds of risks to an organization. "The organization may have little influence on the outsourcing vendor's security and internal controls," warned Suther. Loss of intellectual property and confidentiality issues are also concerns.
These issues get more complicated in certain situations. For example, the organization may have certain governmental regulations or auditing requirements to satisfy, but how do these obligations extend to the vendor? Offshore vendors may have issues of political stability and safety, as well as concerns about meeting federal regulations.
Suther said local enabling agreements (LEAs) can also create obstacles: importing and exporting encryption technology that may be part of an organization's operation. Outsourcers who subcontract multiplies the difficulties. Finally, there is the possibility that government may be placing restrictions on outsourcing: 35 states have introduced more than 100 bills, and there are another dozen pending on the federal level.
Suther recommended taking a big picture view of not only the process being outsourced, but how to handle all the implications and unforeseen circumstances that may arise. This means a lot of up-front planning and analysis. Other parts of the organization -- including legal and finance -- must get involved in due diligence from the beginning to avoid problems later. IT should also draw on the experience other departments, such as procurement and manufacturing, may have with outsourcing.
"The organization and the vendor should align their IT and business strategies to ensure they are working toward the same mutual ends," advised Suther. Mechanisms should be present to handle disputes and contract modifications.
Once outsourcing begins, monitoring and auditing are crucial for mitigating risk on an ongoing basis. Both groups should agree on pertinent metrics, and how to gather them. It's a tricky balance, since the organization probably wants near-constant monitoring of the vendor using its own favorite tools, while the vendor probably wants complete control and as little intrusion as possible. This needs to be spelled out and formalized in sufficient detail right from the start. The organization should also have the right to audit as necessary, and define what would represent satisfactory information.
As the contract continues, issues will arise. For example, the vendor may wish to have its own subcontractors handle parts of the process. The organization must consider its position very carefully here, because its influence over a subcontractor will be far less than that over the original vendor. "Many organizations now use clauses in their contracts giving them the right to approve or remove subcontractors," said Suther.
Another consideration: The organization should develop an IT governance group dedicated to outsourced vendor management -- one that should encourage the vendor in the use of best practices and improving its personnel and processes. The result will be satisfaction in all areas of the outsourcing experience, not just cost.