Business process outsourcing may free an organisation from worrying about the minutiae of routine activities, but it doesn't allow companies to ignore security implications. Gartner research director TJ Singh says organisations planning to use BPO need a governance model. He notes that Australian businesses using BPO allocate a smaller share of budget to compliance than Gartner recommends.
Gartner says 6 to 15 per cent of the overall cost is appropriate to spend on governance, but 43 per cent of organisations outsourcing human resources in the Asia-Pacific region spend 5 per cent or less, which is "a recipe for disaster", Singh says.
The governance model is needed to manage the provider and the contract, and must cover the relationship, contract, delivery and technology.
Australian companies - as well as others in the region - tend to think outsourcing means everything becomes the provider's worry. But that is not the case, Singh says. Governance is essential, and associated costs must be built into the planning process. You may expect to save 25 to 30 per cent from BPO, but after accounting for the cost of managing the relationship with the provider, that may drop to 15 or 20 per cent.
But what should companies worry about? Security specialist RSA's country manager for Australia and New Zealand, Mark Pullen, says it is all about risk. For example, moving a process from a company's Sydney offices to a BPO provider in the Philippines changes the risk factors, as the provider may not view security in the same way as the client. This is an issue executives on the business side of the company must address; it's not a technical issue to be left to IT.
Can you trust the provider to adhere to agreed policies? Pullen believes there is a need to audit the provider's practices and to obtain evidence that they match the organisation's policies. Companies may be inclined to do this more rigorously than they would with internal processes, Pullen says.
The extent to which this is done will vary among processes. With procurement, for instance, an organisation will always check that items paid for match those delivered, so there's no real change when procurement is outsourced.
But if customers' credit card data is being stored, Payment Card Industry Data Security Standard rules apply and the level of risk may be greater.
Pullen says the best approach is to consider the risk first, then examine how to manage it.
Security solution provider earthwave's chief executive, Carlo Minassian, says there is no point in expecting providers to do more in security than the client does for itself. It is a matter of complementary actions, so clients should be happy as long as the provider meets their own internal standards.
A provider's reputation is not enough, Minassian says. "You need to check it yourself, because you cannot tell how diligently existing customers have checked the provider's activities," he says.
Pullen recommends asking for audit reports, which will give proof that the provider meets specified standards. Minassian agrees that independent audit reports the outsourcer provides may be an alternative to first-hand inspection.
Pullen says analysts report that about 80 per cent of data losses are accidental, and points out people cannot leak data if they do not have access to it. But if data loss is someone's intent, they "will find a way to get it out," he warns. "The propaganda machine is trying to turn DLP [data loss prevention systems] into a silver bullet."
Although Pullen warns that malicious intent is the hardest thing to guard against, there is always a risk of data loss. Even audited providers have been breached.
Singh encourages clients to audit their providers regularly. These checks should not be limited to compliance with conventional service level agreements (SLAs), but should also cover the physical and data security measures that have been agreed on. Although most organisations rely on the provider's word, they should carry out audits at least annually, he says.
Minassian says a provider may claim that only 10 staff members have access to your data, but the real number may be 500. "There's a big mix of service providers," he says. "[Some] are relaxed [and] don't practise what they say they do." This includes operating from insecure premises. "Serious providers will do the right thing by you," he adds.
Provider staff churn may also be an issue, Minassian says. It is important to ensure that replacements are properly trained, and it may be appropriate to insist on police checks where sensitive information is involved.
Encryption expert Randtronics' chief executive Bob Adhar says staff shortages at Indian BPO providers mean wages are rising, squeezing profits. Although physical security measures are still high at locations he recently visited in New Delhi, Chennai and Mumbai, many providers run on tight margins.
For routine transactional processes, where the provider is in-country, the organisation can probably do its own auditing. Otherwise, a third-party auditor, perhaps from a major accounting firm, should be used. Consequently, audit rights must be included in the contract, along with the required security measures, and SLAs should also be part of the deal. The idea is not to punish providers, rather "it's more to drive [correct] behaviour", Singh says. But when push comes to shove, if it is not in the contract, it cannot be enforced.
Minassian agrees. He says contracts define what the provider will do. And they should also include clear escalation processes in the event of a disagreement; you don't want to head straight to court. BPO is usually a five- to seven-year relationship, so "get a prenuptial upfront", Singh advises.
What's the provider's view? IBM's Jackie Korhonen, general manager, managed business process services, Australia and New Zealand, says: "As a BPO provider, IBM understands our clients' concerns around security. We integrate security into our overall business strategy, and automate processes to protect information and assets while improving user productivity and reducing costs.
"Select BPO partners with a track record of following the highest level of corporate governance and ethical practice to protect your data," she says.
Hewlett-Packard South Pacific director of outsourcing, Simon Gatward, says providers should protect clients' data diligently. Handling confidential information may mean putting physical barriers between staff working on different accounts. For example, the company services Ericsson and Nokia from one building in Kuala Lumpur, but from separate floors with no access between them. Similarly, systems should be separate; HP uses different off-site storage locations to isolate customers' data.
Providers should demonstrate a culture that supports the security principles they espouse, Gatward says.
The thing to remember about security is that, in Singh's words, "at the end of the day, responsibility is still with the buyer".
Although risk is a business issue, there may be technical measures that can reassure clients their provider is doing the right thing. Randtronics' Bob Adhar says: "The answer is for the data owner to own the encryption solution.
"The local BPO database administrator can still carry out his usual administrative tasks, but he can't see the unencrypted data," Adhar says. "The solution separates the encryption function [carried out by the data owner] from the other administrative functions" that the BPO staff carry out.
Such an approach can also alert the client if any user at the outsourcer is requesting the decryption of records faster than would be necessary for normal transactions. Another angle to consider is whether data should be protected by encryption when it is "in flight" (moving across a network) and/or "at rest" (sitting on a storage device). Earthwave's Minassian believes providers should make both types of encryption available.
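One way a data owner could implement the decryption-rate alert described above, as an added example that is not from the article or from any vendor it quotes. The log format, user names, 60-second window and limit of five requests are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed sliding window
MAX_PER_WINDOW = 5              # assumed ceiling for normal transaction work

def parse_line(line):
    """Parse 'ISO-timestamp user=<id> action=<verb> record=<id>' (constructed format)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), fields["user"], fields["action"], fields["record"]

def find_bursts(lines, window=WINDOW, limit=MAX_PER_WINDOW):
    """Return {user: (first_alert_time, peak_count)} for users over the limit.

    Lines are assumed to arrive in time order, as they would from the
    audit log of a key service run by the data owner.
    """
    recent = defaultdict(deque)  # user -> decrypt timestamps still inside the window
    alerts = {}
    for line in lines:
        ts, user, action, _record = parse_line(line)
        if action != "decrypt":
            continue  # only decryption requests expose plaintext
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop requests that have aged out
            q.popleft()
        if len(q) > limit:
            first, peak = alerts.get(user, (ts, 0))
            alerts[user] = (first, max(peak, len(q)))
    return alerts

# Constructed sample: a teller working at normal pace, then a provider-side
# administrator pulling eight records in fourteen seconds.
SAMPLE_LOG = (
    [f"2024-05-01T09:00:{s:02d} user=teller_17 action=decrypt record={1000 + s}"
     for s in (0, 20, 40)]
    + ["2024-05-01T09:01:00 user=teller_17 action=encrypt record=2000"]
    + [f"2024-05-01T09:05:{2 * i:02d} user=bpo_dba_03 action=decrypt record={5000 + i}"
       for i in range(8)]
)

if __name__ == "__main__":
    for user, (first, peak) in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {user}: limit exceeded at {first.isoformat()}, peak {peak} per window")
```

Because the client runs the key service, this audit trail stays in the client's hands and the provider's administrators cannot edit it.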
RSA's Mark Pullen suggests an internet protocol security virtual private network - a method of encrypting transmissions - as a cost-effective means of in-flight protection, but he says to consider carefully whether it is required or sufficient. Some data may need greater protection, but in other cases, the risk may be so slight that even this level of security is unnecessary. The security industry should trade on how it can enhance a business, not on fear, Pullen says.
- All companies using BPO need to develop a governance model to accompany outsourcing.
- A company's concerns should focus on risk, which should be treated as a business issue, not an IT problem.
- Companies considering BPO should:
  - Classify data according to sensitivity.
  - Not expect the provider to deliver more security than the companies do themselves.
  - Ask for audit reports and conduct regular audits.
  - Consider technical solutions that allow them to retain data ownership.