Just because you aren't directly offshoring any of your core systems or processes doesn't mean your third-party service provider isn't.
It's a given that most organization's outsource critical functions - particularly technology - as a means to reduce IT expense. Yet, even if organizations outsource these functions to U.S.-based service providers, many of these vendors in turn outsource work to offshore partners. As these offshore service providers take on additional responsibilities, it becomes paramount that their information security programs be held to the same standards - or higher -- as those of the clients.
So, as vendor management peaks in importance, it makes good business sense for organizations to take a good, hard look at the true costs and benefits of offshore outsourcing.
Register for this Webinar and learn:
The impact of political & cultural realities of overseas outsourcing;
The logistical difficulties involved;
The differences between direct & indirect outsourcing;
In country limitations surrounding background checks;
A general lack of data privacy laws in many nations providing outsourcing services;
Responsible outsourcing (maximizing your returns while minimizing risk);
Patriotism as a competitive advantage;
The law of diminishing returns.
Offshore Outsourcing: Do You Know Where Your Data is and How it's Managed? -- this webinar takes a comprehensive look at the costs of offshoring. This is not strictly a CFO decision limited to the fact that foreign labor is cheaper than their domestic counterparts.
Overseas outsourcing introduces a slew of complexities related to logistics which can negatively impact the availability of your company's critical systems. BCP and general system up time issues will be impacted by the fact that foreign countries just don't have the infrastructure that is on par with that of the United States.
Security is a major issue, due to the fact that in many cases, it is the foreign-based company that is charged with the administration of their own security. A colloquial analogy would be, 'putting the fox in charge of the hen house'. Another saying is while you may be outsourcing the work you are still 'in sourcing' the liability. The 39 states that currently have data breach disclosure laws all hold the data owner liability if the outsourced vendor suffers a data breach.
Be aware of situations where your vendor might have vendors, sending your data to 4th parties without your knowledge. Do you know if your domestic vendor is sending your data to yet another vendor located in a foreign country? Companies with whom you do not have contractual relationship with and that may not meet your security standards.
Foreign counties are not 'mini-Americas'. The cultural and political differences of the specific country your company is considering establishing an outsourcing relationship need to be taken into account. Consider the impact of the assassination of Benazir Bhutto in late December 2007. Foreign relations are also impacted by who is in the White House at any given time. This is even more uncertain, as we're in the midst of the Presidential election cycle.
There are also in-country limitations that you need to be aware of, ranging from background checks to a general lack of data security laws.
The wages in India - the primary offshore venue -- are rising at a rate that is far outpacing those here in the United States for similar engineering skills. Where in 2003 the ratio was deemed to be 8 to 1, in 2007 that figure was down to 4 to 1. At this rate, within the next 3 - 5 years the spread may drop to a point where the added data risks may far outweigh the dollar savings.
Alexander began his career back in the late 1980s while serving in the U.S. military. Since then he has worked in both the public and private sectors in positions including engineer, project manager, security architect, and IT director. He currently works as an information security officer for the UMC Health System.