How many different ways can you spin the wonders of accounts payable outsourcing… or the delights of application testing services? Yes, folks, the outsourcing talk-track can get a little wearing these days. With 97% of enterprises today outsourcing varying degrees of IT and business support operations, the discussion about effective global sourcing needs to move to areas that have a broader business impact, such as how sourcing environments can help or hinder greater finance effectiveness, or more innovative technology, or better talent development… and especially a more secure, risk-effective global environment.
It’s this last area we’ve been intensively focused on bringing to the global sourcing discussion table – with the onset of Cloud, the additions of new sourcing locations, the political and economic instability in today’s world, the quagmire of new regulations and compliance standards.
I’m personally delighted to unveil a very special talent to the sourcing industry – a respected veteran of the infrastructure security world and now seeking to ply his knowledge and experience to supporting global sourcing environments: Jim Slaby. Jim can frequently be found chitchatting with the finest cocktail bar staff in Boston, both before and after (and these days during) a miserable experience enduring the Boston Red Sox. Anyhow, without any further introduction, let’s hand over to Jim himself to explain why he’s joined HfS and what we can expect to see in the coming months…
“The game done changed.”
“Game’s the same, just got more fierce.”
The Wire, Season 3, “Amsterdam”
As a newly-minted member of the fast-growing HfS Research team, I’ve been asked to share a few thoughts about my coverage area, Sourcing Security & Risk Strategies. I’m thrilled to have a chance to delve into the area of security and risk as it relates to sourcing, which HfS CEO Phil Fersht has been urging me to investigate since we worked together some years ago. In a sentence, I aim to help buyers and providers to better understand, quantify, and mitigate the security threats in sourcing engagements, and find ways to size and share appropriately the concomitant risks among buyers and providers.
In my Giga and Forrester days, I was stubbornly focused on security in the traditional enterprise data center and network environment. But in my most recent stint prior to HfS, running the security and networking practices at tech research firm TheInfoPro, I spent a lot of time interviewing senior IT budget-holders at Fortune 500 companies. One of the most resonant themes that emerged from those conversations was how their enthusiasm for cloud services was muted by their uncertainty about measuring and managing the associated risk. Time and again, security came up as the number one obstacle by a wide margin among large enterprises to moving to the cloud.
So when Phil called me this summer about joining HfS, the timing seemed right. The research community has not paid enough attention to the intersection of sourcing and risk, which suggests an ugly, multi-car pileup is in the offing there. It’s a hotspot that HfS feels uniquely positioned to explicate. Not to pander like a stadium rocker here (“Thank you, Kansas City, you really know how to party!”), but I’m also excited about gaining access to HfS’s subscriber base, the 60,000 highly-engaged business and IT professionals working at the front lines of this issue. Throw in the talent on the HfS Research team (like IT outsourcing maven Robert McNeill, whom I worked with in our salad days at Giga Information Group and Forrester Research), and I feel like I’m not spelunking this particular cave without some very solid backup.
So what are the foundational sourcing security issues that buyers should focus on when evaluating their overall sourcing options and considering service providers? The evaluation framework I intend to build will start with table stakes: assessing a provider’s physical security regime, its mechanisms to quash insider abuse, and its infrastructure for mitigating attacks against the network, the virtualization layer, applications, access controls and mobile platforms. I’ll also be delving into compliance issues across regulatory domains, ensuring we understand where data resides and how it is protected in transit and at rest. In the wake of April’s Amazon EC2 outage, there also appears to be new urgency around understanding provider architectures in reliability and disaster recovery terms. In addition, I will be assessing the global risks of operational interruptions that can be caused by many non-IT factors, such as industrial action, natural disasters and – perhaps most pertinent today – political risk.
I believe (or at least fervently hope) that most buyers grasp the fundamental security and risk trade-offs in sourcing projects, that exploiting their advantages in cost, flexibility, and service time-to-market requires placing a lot of trust in providers. As important, I hope we’re crystal-clear that no matter how much operational control you hand off to a provider, you still own the risk. In the event of a breach, regulators and customers will come looking for your head, not your provider’s. Monetary damages can be cold comfort if your provider’s security failings corrode your company’s brand and customer relationships, to say nothing of your career prospects.
This suggests that buyers need to demand better visibility into how their providers are delivering on their contractual obligations around security and risk, ideally in the form of credible audits, monitoring and reporting tools, and other mechanisms to build trust in their ability to protect your data from a welter of threats. Many buyers are finding new issues to worry about, too: attacks from state-sponsored actors, the rise of activist cracking groups like WikiLeaks and Anonymous, and data leakage via social-media channels like Twitter and Facebook.
So I look forward to working with you, the HfS subscriber, to understand your hopes and fears around security and risk in the sourcing arena, to hear your war stories on how providers have succeeded or failed at meeting your expectations around those issues, and to learn what tools, processes, and contractual tactics might improve your trust in them. Uncertainty and opacity around security and risk remain among the thorniest thickets on the path to sourcing; I look to your insight and experience to help me take a chainsaw to them.
Jim Slaby is Research Director, Sourcing Security & Risk Strategies. You can view his bio here.