It’s a miracle we’re yet to see any BPO/ITO security disasters

Name the one person who’s never present in an outsourcing business case evaluation, provider down-selection or contract terms meeting, but has a real vested interest in the discussion? And no, it’s not your shrink.

Having the Chief Security Officer (CSO) show up during your outsourcing meetings is akin to inviting a cardiac specialist to a no-holds-barred steak dinner with all the trimmings. The CSO is the ultimate party-pooper, the much-derided control freak who cares little for business outcomes, only for the potential disasters that may arise along the way. Why bring them along to put a spanner in the works (unless that’s your agenda...)?

HfS Research Director Jim Slaby, never shy to call out the inanities of today’s quirky corporate cultures, has been working undercover to find out how the CSO party-poopers are being engaged in the whole outsourcing experience...

Managing Security and Risk in BPO Engagements

The most overlooked, swept-aside and brushed-under-the-carpet issue in outsourcing is the lame effort most buyers make to manage their exposure to security risk in outsourcing engagements. As a self-styled security nerd, I’m frequently horrified by the lip service that many outsourcing buyers and providers give to security. Bring up the “S” word with buyers and their eyes glaze over; ask providers for a briefing on the security capabilities of their outsourcing offerings and they run a mile. Why is this topic so eagerly avoided in today’s global business environment? In an increasingly regulated world full of increasingly sophisticated security threats, aren’t buyers and providers alike courting disaster here?

If you work in the enterprise security space long enough, you come to understand Scott Adams’s Dilbert parody of an evil, sadistic Chief Security Officer (CSO), a pointy-eared fellow called Mordac, the Preventer of Information Services. Mordac embodies the stereotype of intrusive, overly arcane IT security regimes, the kind that seem designed to hinder useful business processes and add layers of complexity to simple tasks, to say nothing of inflating costs and frankly boring you to death.

For instance, why exactly does your password need to be at least eight characters and include a mix of uppercase, lowercase, numbers and special characters? (Actually, that’s no longer considered great password practice: an eight-character password, however complex, is within reach of an offline brute-force attack once a copy of the password hashes leaks, especially if they were stored with a fast, unsalted hash, and users have a tendency to scribble hard-to-remember passwords on Post-It notes.) Or, why won’t IT let you connect your iPad to the corporate network when it is less vulnerable to endpoint malware than your Windows laptop? What’s the point of this restrictive new company policy on employee use of social media?

Of course, you probably have an inkling that it’s a scary world out there, full of criminals who look at your databases of customer / patient / payment-card information the way a pack of hungry wolves gazes at a flock of baby lambs. You may recognize that, despite the intricate defenses your CSO has erected around your company’s precious data assets, many breaches occur at the hands of malicious insiders, and at least as many through the garden-variety laziness and inattention of otherwise well-meaning employees. You may know rather less about emerging threats, like the state-sponsored teams of elite programmers (the Chinese military’s among them) given ample time and funds to discover new ways to penetrate and crash your systems, part of a new strategic front in the geopolitical struggle for world dominance.

And have you considered how many people are touching your critical data assets, with multiple providers comprising hundreds of thousands of employees around the globe managing many of your back office business and IT operations? Have you given any thought to what their subcontractors are doing, whether they present any data privacy or compliance risks that aren’t covered by your contract with your primary provider? Feeling any agita yet?

We have already demonstrated that some of the appeal of those endlessly-hyped cloud-based services is the ease with which line-of-business managers can go out and help themselves to cheap, on-demand virtual-server cycles: so easy, so fast, so flexible! Not to mention the appeal of not suffering the onerous requirements that IT security is likely to impose if they get involved.

Yes, addressing security concerns up front takes time and adds costs, making the business case for your outsourcing project more challenging. But unlike Mordac, CSOs and smart outsourcing executives are focusing on security for sound business reasons: weighing business risk against business advantage, performing a sober cost-benefit analysis on business processes and the technologies that underpin them. That’s what we’re about, or should be about — and if your industry is one that comes under regulatory scrutiny of any kind, the stakes get much higher for everybody in a hurry.

Fortunately for us, many of you veteran BPO buyers understand that security and risk management are not just annoying layers of overhead that must grudgingly be accommodated. You recognize that the security threat environment is getting more complicated and sophisticated with every passing quarter. Further, you realize that your management is increasingly aware of what’s going on: in particular, compliance scrutiny has a way of tuning the antennae of your C-suite to the adverse effects of security breaches on company profitability, brand equity, and the trust of your partners and customers.

Finally, you grasp that effective security and risk management cannot be properly achieved as a bolt-on, a layer of spackle and paint slapped on after the deal is mostly done. Rather, it has to be imbued in the DNA of every member of the sourcing team, inculcated into the skulls of your legal staff via first-hand experience of the relevant security technologies, settled into the bones of the provider evaluation and contract negotiation processes, kept well-toned after the signing with diligent monitoring and auditing.

We spoke to a Fortune 200 company about its security experiences with BPO

HfS Research was fortunate to have the lead sourcing and security executives from one such security-savvy buyer talk with us at length (under NDA as to the company’s identity) about exactly how they achieve these goals. It’s a frank and fascinating look inside the end-to-end BPO sourcing process as managed by a Fortune 200 company in a highly regulated industry that has, knock wood, managed to avoid a headline-grabbing security breach so far. We believe that their exacting processes and relentless focus on working security into every aspect of their provider vetting, contracting and auditing processes, much as the long, slow application of low-temperature applewood smoke turns tough, stringy pork shoulder into tender, delicious barbecue, are directly responsible for that enviable security track record in BPO.

James R Slaby is Research Director, Sourcing Security and Risk Strategies.

The resulting report, entitled “Managing Security and Risk in BPO Engagements”, is a rare, detailed look at how one of the big boys works security and risk management into its BPO sourcing process programmatically, from top to bottom and start to finish, and thereby does it right. For providers, it offers insight into how to put on the kind of good security showing that wins the favor of such a buyer, gaining entrance to its “charmed circle” of preferred providers and winning a coveted invitation to compete for all that buyer’s future deals. Regardless of which side of the table you sit on, it’s six pages that are well worth your time.

Click here to access your complimentary copy of Managing Security and Risk in BPO Engagements


One Comment

  1. bluent
    Posted July 13, 2012 at 3:26 am | Permalink

    nice post
