Left alone, outsourcing could sink your organization

Summary: Outsourcing to third-party vendors tops the list of security risks for organizations. But how do you mitigate it? At Forrester IT Forum 2011, analysts weigh in.


LAS VEGAS -- This just in: your outsourcing operations could be dangerous to your company.

Now what?

Speaking here at the 2011 Forrester IT Forum, analysts Jan Erik Aase and Chris McClean agreed that third-party vendor activity -- from access management to data security to app development -- tops the list of risks for most companies.

The question: how best should you manage that risk?

"None of these issues are new," McClean said. "They've been going on as long as business has. But the ecosystem is getting a lot more complicated. The number and complexity of the issues is getting tougher."

In an age where "Mass. hospital contractor loses data for 800K people" is no longer a surprising headline, third-party vendors are under increasing scrutiny by the companies that employ them.

But are they really?

As it turns out, many organizations are entering into relationships with outside vendors without adequately protecting themselves from catastrophe triggered by vendor instability.

What's more, with an influx of new, small startup companies, it's hard to know who to trust.

"They don't have the process in place that I'm used to. They don't even have a security officer. They don't have the wherewithal to meet our security requirements," Aase said. "So what do we do: engage, or not?"

Attempting to hammer out a set of best practices, Aase and McClean said the most important thing is to figure out what is and isn't essential to your security policy, then create a new plan to handle these unorthodox new partners.

For example: what if a startup doesn't have proof of financial stability? Would you end the discussion right there? Folks in the room agreed that obtaining a competitive edge sometimes trumped security concerns.

Still, no one in the room was willing to deviate from integrity clauses within standard Terms and Conditions.

Do you have a clear data security policy? Most folks in the room said yes, but few said they take boilerplate language and modify it to vendors' different levels of risk during procurement.

The other problem: vendor risk is often assessed only as part of initial due diligence. Just one man was bold enough to raise his hand and admit to this on behalf of his company, but Aase and McClean noted that most traditional risk models focus on pre-deal due diligence.

Even then, most risk conversations are actually about "deal risk," such as delivering on commitments and having a backup plan when a vendor fails, rather than the security risk the vendor introduces once the deal is running.

"We thought about coming in here and scaring you, but I don't think we really need to. Just read the newspaper," Aase said. "But they don't tell you who the vendor was -- just the client. You are ultimately responsible. You have chosen to outsource to a third party. You are fully accountable."

In the early days, considerations such as negative press coverage, Sarbanes-Oxley and FTC action weren't part of the picture. Now, there's a huge list of considerations that's on everyone's mind. It's no longer just a procurement and vendor management worry, Aase said.

"Risk management really affects every part of the business," McClean said. "The security risk professional really needs to be the source of guidance."

But with an increasing number of third-party vendors comes an increase in the number of sources of reputation, financial, operational and regulatory risk.

The typical large enterprise has more than 200 third-party relationships that are of potential risk, Aase said. But enforcing controls is difficult -- internal policies and procedures have little effect outside corporate walls.

Worse, an increasing number of decisions occur without consideration for risk -- delivery models often circumvent the security professionals tasked with assuring safe dealings.

"Security pros can't ensure data security without help," Aase said. "Collaborating will give us the ability to augment our contracts."

A sobering fact: only half of sourcing and vendor management teams do regular, systematic tracking of vendor viability. Most firms only track financial stability after the deal is already signed -- and should an event occur, sourcing and vendor management teams with vendor viability tracking often don't have a disaster plan.

So what to do? McClean outlined a pocket guide:

  • Establish context (time, budget, etc.)
  • Identify risks
  • Analyze them
  • Evaluate them
  • Treat them

But hurdles remain. For one, technology populism, self-provisioning and as-a-service offerings are on the rise; moreover, the correlation between spend and importance is weakening, making it harder to discern what's critical.

Not to mention the proliferation of source code vulnerabilities, Aase said.

"The word re-use makes us excited," he said. "But for security and risk, that's a dirty word. How do I know you're not reintroducing back-door opportunities to hack into our site?"

But collaboration within the organization is ultimately key.

"It's still not perfect," Aase said. "At the end of the day, a business user can overrule security concerns about a vendor anyway. That's why collaboration is important."


About Andrew Nusca

Andrew Nusca is a former writer-editor for ZDNet and contributor to CNET. During his tenure, he was the editor of SmartPlanet, ZDNet's sister site about innovation.

  • Good Article

    I've been spending some time reading into outsourcing and I have to agree with all you've said. Especially when it comes down to the reputation sharing. If a client hires an outsourcer then they should expect to take the fall when the outsourcer messes up. Any company thinking otherwise really needs to reconsider their position on outsourcing.
  • RE: Left alone, outsourcing could sink your organization

    I've been in the business of multimedia and eLearning for nearly 30 years and initially I was open to outsourcing certain services such as video production, voice-over, graphics etc. It became obvious very quickly that the best thing for our clients and ourselves was to do everything in-house. It also means that we accumulate experience in a variety of fields that is of direct use to the company. No more arguments about quality, delayed delivery, client requests etc.

    Outsourcing has robbed a lot of businesses of expertise. So much so that company personnel are unlikely to be able to evaluate outsourced tenders.
    • RE: Left alone, outsourcing could sink your organization

      @tonymcs@... "Outsourcing has robbed a lot of businesses of expertise. So much so that company personnel are unlikely to be able to evaluate outsourced tenders."

      Very true. In the less dramatic, day-to-day interaction, the net result of being unable to evaluate outsourcing tenders is spiraling budgets (vendors can get away with anything) and not putting the organisation's interests first but reporting the vendor's speak verbatim to internal management.
      • RE: Left alone, outsourcing could sink your organization


        I have a theory for why this is so, and why it keeps happening over and over. It is because the accountant-types who keep on driving the decision to go with outsourcing themselves do not understand the value of and need for in-house engineering expertise.
  • RE: Left alone, outsourcing could sink your organization

    Outsourcing is a fact of life. Don't know any company which has its own team of janitors. Similarly, most of the hardware maintenance in offices & factories is outsourced. Companies like Nike have outsourced almost everything other than design & marketing. Of course it goes without saying that you have to tightly monitor the vendors as you are liable for their actions. Ask BP how outsourcing worked out for them in the Gulf of Mexico. In this context, how is IT outsourcing different? You really can't build skills for everything in-house. Outsourcing has allowed business to further improve on what they do best rather than waste time learning what they don't understand. You need vendors to support you. However, you can't wash your hands of it & you need to monitor them. You need some skills in-house to cross-check what they are doing.
  • Forrester and Gartner are to blame

    Amazing how the tune has begun to change with Forrester. Outsourcing was never a good idea and it has led to major damage of US and EMEA corporations led down the garden path by analyst firms such as Forrester and Gartner.

    Through outsourcing major corporations have given up their expertise and competitive advantages in return for a race to the bottom for the lowest costs. Guess what? You get what you pay for and you reap what you sow.

    Maybe the analyst firms figured out (a bit late) that after cutting costs by outsourcings, companies could further reduce costs by dumping analyst firms too.
  • Contracts and protection

    For those that attempt to protect their interests via contracts with outsourcers, ask yourself if you really have the stomach, resources and evidence to hold outsourcers accountable, or will you just not renew the contract and call it a day.

    Unfortunately, outsourcers will rarely, if ever, disclose that they are partially or completely incompetent at fulfilling the contract they are signing due to the lack of competent staff to fulfill the contract.

    There is no magical land of people willing to work for almost nothing and give you world class competent people. Yes, they may bring out their smart ones for your initial meetings, but they will frequently disappear after the contract is signed.

    And, the smart people in your company that become part of theirs as part of an outsourcing agreement will be swept away to other companies, or will quit because they don't want to put up with the nonsense.
  • Wow, people are JUST realizing this?

    We've been saying for years that out-sourcing is short-sighted and is a danger to the on-going business.

    It is only useful to executives who want to fatten the bottom line for a one time bonus payment before they skip town.

    It has been repeatedly shown to be inherently bad for the business long-term ... but C-level executives don't care because it's all about the stock-price to them. Once they artificially inflate the stock prices by killing off employees and services they dump their options, pocket millions of dollars, and walk-away leaving the ship slowly sinking behind them.

    Gee, thanks Carly.

    Do what's right for the company, not for your personal greed. It's no wonder that the CEOs are often called 'criminal executive officers' by Intel/Lucent/DEC/Compaq/HP survivors.

    • RE: Do what's right for the company,

      @JonathonDoe

      But, therein lies the rub. When you are speaking of a privately held company, you as a C-level exec have a good sense of who the owners are, and what they expect of you.

      As soon as you cross over to a public company, the former 'clarity of investor intent' gets muddied. First of all, you have to deal with competing investor expectations. Some investors are "in it" for the quick buck. They trade in and out of your stock like it was underwear. Then you have to deal with "rich, loudmouth cowboys" who make a lot of noise. And finally, you have to pacify the loudmouth Wall Street ANALysts, who are out to increase the churn in your stock at your expense.

      It all goes back to the business school mentality of interchangeable executives, and that usually, you have between 3 and 5 years to f--- up a company before it is time to move on and s--- on some other company.

      You mentioned Carly, she isn't the only one who fits that mold.
      • No, Carly isn't the only one...

        @fatman65535 but she IS the one who put these daggers in all of our backs, so she's the one who gets mentioned.

  • RE: Left alone, outsourcing could sink your organization

    Dell learned a lesson about 10 years ago when they outsourced server support. Wisely listening to their customers, they brought it back before it was too late.
  • RE: Left alone, outsourcing could sink your organization

    One of the problems with outsourcing is that sometimes the company you outsourced to does the same, and pretty soon the scene looks like one of those mirror reflecting other mirrors. In other words, you don't really know what you're looking at.

    Maybe Trustworthy Data Handling is just as it says, but if the company bean counters think it doesn't need the job it just signed on to (YOURS), it will out source it retaining a management fee. Now this doesn't have to happen for more than two or three iterations and the job you think Trustworthy signed on to do is being handled by FUBAR, Yor Data Keepr Co. with (un)predictable results, depending on how you look at the situation.

    This sort of thing has been going on for a few decades with the bill processing people for major corps. and is one reason why it's almost impossible to get back the money the store, service, whatever owes you, or to get off their books when you don't owe them a red cent.
  • Hard to go back

    As someone who has gone through two outsourcings and a layoff with three different Fortune 500s I can speak with some authority. Outsourcing gets sold as a way to "improve service and lower cost" to the business.

    One company (a name you would all know) sold off all of its Data Centers to an outsourcer. Physically dug new utilities and fenced off the building from the other property. Now most of the building houses other clients of the outsourcing company.

    Literally hundreds of people left each time I was laid off. Untold knowledge left with them too that in many cases will never be replaced. All of this for short term boost in stock price and a golden parachute exit before things go wrong.
  • RE: Left alone, outsourcing could sink your organization

    "The question: how best should you manage that risk?"

    Quit outsourcing.

    There, problem solved.
  • RE: Left alone, outsourcing could sink your organization

    From an App Dev standpoint, the company I work for pairs a local developer with an offshore one. Although it doesn't get you the savings of having an all-offshore team, it does allow you to have a local developer that you can have access to. This way you can react a little quicker to problems that crop up, get ad hoc status reports, and get questions answered. Our local developers are more responsible for driving the work.