{"id":1354,"date":"2012-07-04T16:39:00","date_gmt":"2012-07-04T16:39:00","guid":{"rendered":"http:\/\/localhost\/projects\/horsesforsources\/ito-bpo-security-disasters_070412\/"},"modified":"2012-07-04T16:39:00","modified_gmt":"2012-07-04T16:39:00","slug":"ito-bpo-security-disasters_070412","status":"publish","type":"post","link":"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/","title":{"rendered":"It\u2019s a miracle we’re yet to see any BPO\/ITO security disasters"},"content":{"rendered":"

Name the one person who’s never present in an outsourcing business case evaluation, provider down-selection or contract terms meeting, but has a real vested interest in the discussion? \u00a0And no, it’s not your shrink.<\/strong><\/p>\n


Having the Chief Security Officer (CSO) show up during your outsourcing meetings is akin to inviting a cardiac specialist to a no-holds-barred steak dinner with all the trimmings. \u00a0The CSO is the ultimate party-pooper, the much-derided control-freak who cares little for business outcomes, only for the potential disasters that may arise along the way. \u00a0Why bring them along to put a spanner in the works (unless that’s your agenda….)?<\/p>\n

HfS Research Director, Jim Slaby<\/a>, never shy to call out the inanities of today’s quirky corporate cultures, has been working undercover to find out how the CSO party-poopers were being engaged in the whole outsourcing experience….<\/p>\n

Managing Security and Risk in BPO Engagements<\/strong><\/span><\/p>\n

The most overlooked, swept-aside and brushed-under-the-carpet issue in outsourcing is the lame effort most buyers make to manage their exposure to security risk in outsourcing engagements. As a self-styled security nerd, I\u2019m frequently horrified by the lip service that many outsourcing buyers and providers give to security. Bring up the \u201cS\u201d word with buyers and their eyes glaze over; ask providers for a briefing on the security capabilities of their outsourcing offerings and they run a mile. Why is this topic so eagerly avoided in today\u2019s global business environment? In an increasingly regulated world full of increasingly sophisticated security threats, aren\u2019t buyers and providers alike courting disaster here?<\/p>\n

If you work in the enterprise security space long enough, you come to understand Scott Adams\u2019s Dilbert parody of an evil, sadistic Chief Security Officer (CSO), a pointy-eared fellow called Mordac<\/a>, the Preventer of Information Services. Mordac embodies the stereotype of intrusive, overly arcane IT security regimes, the kind that seem designed to hinder useful business processes and add layers of complexity to simple tasks, to say nothing of inflating costs and frankly boring you to death.<\/p>\n

For instance, why exactly does your password need to be at least eight characters and include a mix of uppercase, lowercase, numbers and special characters? (Actually, that\u2019s not considered great password practice any more: eight characters are pretty easy to crack with brute force, and users have a tendency to scribble hard-to-remember passwords on Post-It notes.) Or, why won\u2019t IT let you connect your iPad to the corporate network when it is less vulnerable to endpoint malware than your Windows laptop? What\u2019s the point of this restrictive new company policy on employee use of social media?<\/p>\n

Of course, you probably have an inkling that it\u2019s a scary world out there, full of criminals who look at your databases of customer \/ patient \/ payment-card information like a pack of hungry wolves gazes at a flock of baby lambs. You may recognize that, despite the intricate defenses your CSO has erected around your company\u2019s precious data assets, many breaches occur at the hands of malicious insiders — but as often through the garden-variety laziness and inattention of otherwise well-meaning employees. You may know rather less about emerging new threats, like the gangs of elite programmers whom the Chinese military is giving unlimited time and funds to discover new ways to penetrate and crash your systems, part of a new strategic front in the geopolitical struggle for world dominance.<\/p>\n

And have you considered how many people are touching your critical data assets, with multiple providers comprising hundreds of thousands of employees around the globe managing many of your back office business and IT operations? Have you given any thought to what their subcontractors are doing, whether they present any data privacy or compliance risks that aren\u2019t covered by your contract with your primary provider? Feeling any agita<\/em> yet?<\/p>\n

We have already demonstrated<\/a> that some of the appeal of those endlessly-hyped cloud-based services is the ease<\/em> with which line-of-business managers can go out and help themselves to cheap, on-demand virtual-server cycles: so easy, so fast, so flexible! Not to mention the appeal of not<\/em> suffering the onerous requirements that IT security is likely to impose if they get involved.<\/p>\n

Yes, addressing security concerns up front takes time and adds costs, making the business case for your outsourcing project more challenging. But unlike Mordac, CSOs and smart outsourcing executives are focusing on security for sound business reasons: weighing business risk against business advantage, performing a sober cost-benefit analysis on business processes and the technologies that underpin them. That\u2019s what we\u2019re about, or should be about — and if your industry is one that comes under regulatory scrutiny of any kind, the stakes get much higher for everybody in a hurry.<\/p>\n

Fortunately for us, many of you veteran BPO buyers understand that security and risk management are not just annoying layers of overhead that must grudgingly be accommodated. You recognize that the security threat environment is getting more complicated and sophisticated with every passing quarter. Further, you realize that your management is increasingly aware of what\u2019s going on: in particular, compliance scrutiny has a way of tuning the antennae of your C-suite to the adverse effects of security breaches on company profitability, brand equity, and the trust of your partners and customers.<\/p>\n

Finally, you grasp that effective security and risk management cannot be properly achieved as a bolt-on, a layer of spackle and paint slapped on after the deal is mostly done. Rather, it has to be imbued in the DNA of every member of the sourcing team, inculcated into the skulls of your legal staff via first-hand experience of the relevant security technologies, settled into the bones of the provider evaluation and contract negotiation processes, kept well-toned after the signing with diligent monitoring and auditing.<\/p>\n

We spoke to a Fortune 200 company about its security experiences with BPO<\/span><\/strong><\/span><\/p>\n

HfS Research was fortunate to have the lead sourcing and security executives from one such security-savvy buyer talk with us at length (under NDA about the company\u2019s identity) about exactly how they achieve these goals. It\u2019s a frank and fascinating look inside the end-to-end BPO sourcing process as managed by a Fortune 200 company in a highly-regulated industry that has, knock wood, managed to avoid a headline-grabbing security breach so far. We believe that their exacting processes and relentless focus on working security into every aspect of their provider vetting, contracting, and auditing processes — like the long, slow application of low-temperature applewood smoke turns tough, stringy pork shoulder into tender, delicious barbecue \u2013 are directly responsible for that enviable security track record in BPO.<\/p>\n


James R Slaby is Research Director, Sourcing Security and Risk Strategies<\/p>\n<\/div>\n

Entitled \u201cManaging Security and Risk in BPO Engagements\u201d, the resulting report is a rare, detailed look at how one of the big boys works security and risk management into its BPO sourcing process programmatically, from top-to-bottom and start-to-finish, and thereby does it right. For providers, it offers insight into how to put on the kind of good security showing that wins the favor of such a buyer, gaining entrance to its \u201ccharmed circle\u201d of preferred providers and winning a coveted invitation to compete for all that buyer\u2019s future deals. Regardless of which side of the table you sit on, it\u2019s six pages that are well worth your time.<\/p>\n

Click here to access your complimentary copy of\u00a0<\/strong>\u201cManaging Security and Risk in BPO Engagements<\/span><\/span>\u201d<\/strong><\/span><\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Name the one person who’s never present in an outsourcing business case evaluation, provider down-selection or contract terms meeting, but…<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48,51,63,81,92,832,830],"tags":[463],"ppma_author":[19],"yoast_head":"\nIt\u2019s a miracle we're yet to see any BPO\/ITO security disasters - Horses for Sources | No Boundaries<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"It\u2019s a miracle we're yet to see any BPO\/ITO security disasters - Horses for Sources | No Boundaries\" \/>\n<meta property=\"og:description\" content=\"Name the one person who’s never present in an outsourcing business case evaluation, provider down-selection or contract terms meeting, but...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/\" \/>\n<meta property=\"og:site_name\" content=\"Horses for Sources | No Boundaries\" \/>\n<meta property=\"article:published_time\" content=\"2012-07-04T16:39:00+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/www.horsesforsources.com\/wp-content\/uploads\/2012\/07\/risk-security.jpg\" \/>\n<meta name=\"author\" content=\"Phil Fersht\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@pfersht\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Phil Fersht\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/\",\"url\":\"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/\",\"name\":\"It\u2019s a miracle we're yet to see any BPO\/ITO security disasters - Horses for Sources | No Boundaries\",\"isPartOf\":{\"@id\":\"https:\/\/www.horsesforsources.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/#primaryimage\"},\"thumbnailUrl\":\"http:\/\/www.horsesforsources.com\/wp-content\/uploads\/2012\/07\/risk-security.jpg\",\"datePublished\":\"2012-07-04T16:39:00+00:00\",\"dateModified\":\"2012-07-04T16:39:00+00:00\",\"author\":{\"@id\":\"https:\/\/www.horsesforsources.com\/#\/schema\/person\/c4f084ff7ad43632f537b3b30918e69f\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/#primaryimage\",\"url\":\"http:\/\/www.horsesforsources.com\/wp-content\/uploads\/2012\/07\/risk-security.jpg\",\"contentUrl\":\"http:\/\/www.horsesforsources.com\/wp-content\/uploads\/2012\/07\/risk-security.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.horsesforsources.com\/\"}
,{\"@type\":\"ListItem\",\"position\":2,\"name\":\"It\u2019s a miracle we’re yet to see any BPO\/ITO security disasters\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.horsesforsources.com\/#website\",\"url\":\"https:\/\/www.horsesforsources.com\/\",\"name\":\"Horses for Sources | No Boundaries\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.horsesforsources.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.horsesforsources.com\/#\/schema\/person\/c4f084ff7ad43632f537b3b30918e69f\",\"name\":\"Phil Fersht\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.horsesforsources.com\/#\/schema\/person\/image\/86ee0c0ac2d033eed87f327162eb27f7\",\"url\":\"https:\/\/www.horsesforsources.com\/wp-content\/uploads\/2020\/11\/phill-150x150.png\",\"contentUrl\":\"https:\/\/www.horsesforsources.com\/wp-content\/uploads\/2020\/11\/phill-150x150.png\",\"caption\":\"Phil Fersht\"},\"description\":\"Phil Fersht is\u00a0a world-renowned analyst, writer and visionary in\u00a0emerging technologies, automation, digital business models, and the alignment of\u00a0enterprise operations to\u00a0drive customer impact and competitive advantage\",\"sameAs\":[\"http:\/\/hfsresearch.com\/team\/phil-fersht\",\"https:\/\/www.linkedin.com\/in\/pfersht\/\",\"https:\/\/x.com\/pfersht\"],\"url\":\"https:\/\/www.horsesforsources.com\/author\/phil-fherst\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"It\u2019s a miracle we're yet to see any BPO\/ITO security disasters - Horses for Sources | No Boundaries","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/","og_locale":"en_US","og_type":"article","og_title":"It\u2019s a miracle we're yet to see any BPO\/ITO security disasters - Horses for Sources | No Boundaries","og_description":"Name the one person who’s never present in an outsourcing business case evaluation, provider down-selection or contract terms meeting, but...","og_url":"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/","og_site_name":"Horses for Sources | No Boundaries","article_published_time":"2012-07-04T16:39:00+00:00","og_image":[{"url":"http:\/\/www.horsesforsources.com\/wp-content\/uploads\/2012\/07\/risk-security.jpg"}],"author":"Phil Fersht","twitter_card":"summary_large_image","twitter_creator":"@pfersht","twitter_misc":{"Written by":"Phil Fersht","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/","url":"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/","name":"It\u2019s a miracle we're yet to see any BPO\/ITO security disasters - Horses for Sources | No Boundaries","isPartOf":{"@id":"https:\/\/www.horsesforsources.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/#primaryimage"},"image":{"@id":"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/#primaryimage"},"thumbnailUrl":"http:\/\/www.horsesforsources.com\/wp-content\/uploads\/2012\/07\/risk-security.jpg","datePublished":"2012-07-04T16:39:00+00:00","dateModified":"2012-07-04T16:39:00+00:00","author":{"@id":"https:\/\/www.horsesforsources.com\/#\/schema\/person\/c4f084ff7ad43632f537b3b30918e69f"},"breadcrumb":{"@id":"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/#primaryimage","url":"http:\/\/www.horsesforsources.com\/wp-content\/uploads\/2012\/07\/risk-security.jpg","contentUrl":"http:\/\/www.horsesforsources.com\/wp-content\/uploads\/2012\/07\/risk-security.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.horsesforsources.com\/ito-bpo-security-disasters_070412\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.horsesforsources.com\/"},{"@type":"ListItem","position":2,"name":"It\u2019s a miracle we’re yet to see any BPO\/ITO security 
disasters"}]},{"@type":"WebSite","@id":"https:\/\/www.horsesforsources.com\/#website","url":"https:\/\/www.horsesforsources.com\/","name":"Horses for Sources | No Boundaries","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.horsesforsources.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.horsesforsources.com\/#\/schema\/person\/c4f084ff7ad43632f537b3b30918e69f","name":"Phil Fersht","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.horsesforsources.com\/#\/schema\/person\/image\/86ee0c0ac2d033eed87f327162eb27f7","url":"https:\/\/www.horsesforsources.com\/wp-content\/uploads\/2020\/11\/phill-150x150.png","contentUrl":"https:\/\/www.horsesforsources.com\/wp-content\/uploads\/2020\/11\/phill-150x150.png","caption":"Phil Fersht"},"description":"Phil Fersht is\u00a0a world-renowned analyst, writer and visionary in\u00a0emerging technologies, automation, digital business models, and the alignment of\u00a0enterprise operations to\u00a0drive customer impact and competitive advantage","sameAs":["http:\/\/hfsresearch.com\/team\/phil-fersht","https:\/\/www.linkedin.com\/in\/pfersht\/","https:\/\/x.com\/pfersht"],"url":"https:\/\/www.horsesforsources.com\/author\/phil-fherst\/"}]}},"authors":[{"term_id":19,"user_id":3,"is_guest":0,"slug":"phil-fherst","display_name":"Phil Fersht","avatar_url":{"url":"https:\/\/www.horsesforsources.com\/wp-content\/uploads\/2024\/02\/Phil-Fersht-HFS-Updated.jpg","url2x":"https:\/\/www.horsesforsources.com\/wp-content\/uploads\/2024\/02\/Phil-Fersht-HFS-Updated.jpg"},"first_name":"Phil","last_name":"Fersht","user_url":"http:\/\/hfsresearch.com\/team\/phil-fersht","description":"Phil Fersht is\u00a0a world-renowned analyst, writer and visionary in\u00a0emerging technologies, automation, digital business models, and the alignment of\u00a0enterprise operations 
to\u00a0drive customer impact and competitive advantage"}],"_links":{"self":[{"href":"https:\/\/www.horsesforsources.com\/wp-json\/wp\/v2\/posts\/1354"}],"collection":[{"href":"https:\/\/www.horsesforsources.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.horsesforsources.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.horsesforsources.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.horsesforsources.com\/wp-json\/wp\/v2\/comments?post=1354"}],"version-history":[{"count":0,"href":"https:\/\/www.horsesforsources.com\/wp-json\/wp\/v2\/posts\/1354\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.horsesforsources.com\/wp-json\/wp\/v2\/media?parent=1354"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.horsesforsources.com\/wp-json\/wp\/v2\/categories?post=1354"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.horsesforsources.com\/wp-json\/wp\/v2\/tags?post=1354"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.horsesforsources.com\/wp-json\/wp\/v2\/ppma_author?post=1354"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}