What are the key business risks associated with outsourcing in developing countries? What role can security risk management play in mitigating them?
QUESTION POSED ON: 14 OCT 2005
QUESTION ANSWERED BY: Bob Konigsberg
The first thing that comes to my mind is political instability and war (this includes extortion, kidnapping and other violence as well), followed closely by high levels of poverty, which make stealing for survival much more likely. Other risks are currency fluctuations, lack of stable infrastructure (water, electricity, communications, etc.), lack of a trained workforce and the willingness of your employees to venture there.
I'd then wonder what it is you're outsourcing. High- or low-tech manufacturing (e.g., disk drives, chips or consumer electronics vs. textiles, tools or furniture), IT management, software development, clerical work or food processing all call for different approaches, skill sets in the labor force that you have to import or train. Language barriers, time zones, import and export laws of both countries add to the potential difficulties.
On top of that, you may also have to contend with whether or not your outsourced operation represents any threat to your home country and/or its allies. Manufacturing and food processing probably represent the least threat, security-wise. Clerical workers would be next up, because they would have access to many customers' data, which could possibly be translated into profiling or demographic data for some purpose. IT management represents possibly importing a "mole" into your organization, which can gather data while appearing to simply be managing your IT functions. Software development in the wrong hands could plant Trojans or back doors into your products for spread to who knows where.
Now, as for mitigation…
If you outsource your IT functions, keep security domestic and set up extra watch points for unusual activity -- over the long run. Anyone smart enough to do this is going to know that they'll be closely watched at first.
Same with outsourcing software development -- keep a review staff domestic that is paid to monitor software quality and review the code for poor or unclear practices.
Outsourcing manufacture (and the others above) is a little simpler, but the key axiom that applies to all of these is to never put all your eggs in the proverbial one basket.
- All software (purchased or written) must have master copies in your homeland.
- All material suppliers, costs, bills of lading, delivery schedules and quantities must go through the home office.
- All phone calls should be recorded (check local and foreign laws as necessary).
- All communications channels should be audited.
- The physical premises should be secured, monitored and recorded.
- All employees should pass background checks (again, check laws).
- Utilize file integrity-checking software (Tripwire and its equivalents) for all systems.
- Utilize the same level of security you would at home -- or better. Distance makes monitoring and management harder.
Now, as a side note, the July/August 2005 issue of IT Professional (an IEEE publication) has articles on outsourcing IT functionality, how it relates to homeland security, etc. If you can get hold of a copy, I heartily recommend it. It covers things in much more depth than I can (particularly in a Q&A venue).
|
|
|
