Looking for Secure Outsource Partners
Senior executives are ready and willing to pay a premium for an outsourcing partner that emphasizes tight security, according to a survey conducted by Booz Allen Hamilton (BAH).
The survey asked 158 senior executives from a variety of companies to rate the most important factors they looked for when evaluating an outsource partner. The top three concerns for these executives were capabilities, pricing, and security policies. The latter two concerns were almost equally ranked, and 85 percent of the respondents said they were willing to pay 10 to 15 percent more to ensure higher security.
“What was surprising…was the set of things that fell away, the things that didn’t matter as much,” according to Jon Watts, a principal at BAH who carried out the survey. “Primarily things like financial strength and business stability, reputation and brand, regulatory and compliance history, and geographic factors.”
Watts says he was particularly surprised that security was rated so high by survey respondents. “We expected it would be in the top five, but we didn’t imagine it would be in the top three,” he says. He notes that traditionally, “security has always been one of those issues that you say you must have,” but then falls by the wayside as outsourcing projects move forward.
Three-quarters of the respondents said they consider security risks to be moderately or much higher when using an offshore provider. Cyberthreats such as theft of data from outside or inside an outsource provider were ranked almost twice as high as physical threats, such as break-ins or vandalism, or those caused by natural disasters.
Watts credits the increasing importance given to cybersecurity to the “constant stream of high-profile security events that have occurred over the past several years,” including cases of data loss and identity theft, as well as concerns about viruses and worms. Indeed, the majority of respondents revealed that their companies had reviewed overall outsourcing strategies as a result of hearing about specific examples of outsourcing security failures and breaches of privacy.
What makes the rising concern over the security of outsource partners a challenge is that while there are industry-led standards such as ISO (the International Organization for Standardization), there is no “single, dominant standard that’s emerged” to help manage and govern an outsource relationship from a security perspective, Watts says.
As a result, companies have no choice but to rely on their own judgment and analysis. Management is making an effort to do this the right way, says Watts. “They actually get on a plane and see what’s going on.”
But this makes for an inadequate framework. “It’s hard to think that you can always keep on top of every third-party relationship, so it seems that industry is starting to point to the need to have some sort of third-party verification,” notes Watts.
He says the survey is intended to stimulate a conversation between the companies that are buying outsourcing services and the companies that are providing these services, “to get further in defining what exactly is the best way to make sure that the proper security controls are in place, and that everybody has the objective confidence that those things are in place so that the industry can continue to grow in the right way.”