outsourcing security survey0706[1]

Upload: mme

Post on 31-May-2018


  • 8/14/2019 outsourcing security survey0706[1]

    Slide 1: Outsourcing Security: Concerns Growing
    Outsourcing Security Survey Findings

    DISCUSSION DOCUMENT

    March 21, 2006, New York, NY

  • Slide 2: Background on the Booz Allen Hamilton Outsourcing Security Survey

    As the use of outsourcing continues to grow, so too do risks to customer and company data that companies must rely on their outsourcing vendors to protect.

    In order to better understand how companies are managing the information security and data privacy risks of outsourcing, Booz Allen Hamilton surveyed senior executives involved in defining and managing their companies' outsourcing strategies.

    The survey, which reflects the responses of 158 executives from companies across a range of industries, June-December 2005, was designed to provide insight into:

    - Senior executive perspectives on the magnitude of information security risk involved in outsourcing relationships
    - How companies approach the evaluation and monitoring of outsourcing vendors' information security capabilities
    - The information security and data privacy challenges that the outsourcing industry must address in order to maintain the trust and confidence of customers and clients

    The following presentation provides an initial summary of the survey results.

  • Slide 3: Key Takeaway: Companies using outsourcing are increasingly concerned about information security

    Executive Summary

    - Security is an increasingly important issue among outsourcing buyers
    - While security is a complex issue, respondents almost unanimously agreed on the need for standards and auditing mechanisms
    - These mechanisms are particularly needed in some key countries where respondents do not trust the current legal and regulatory infrastructure (e.g. India, China)
    - Support is growing for government involvement in setting and enforcing security standards
    - Like financial markets, outsourcing security can benefit from public-private partnerships to provide regulations, standards and audit capabilities
    - Outsourcing buyers seem willing to pay a premium for improved security capabilities

  • Slide 4: Services, pricing and security capabilities are the top three evaluation factors when selecting an outsourcing partner

    When selecting an outsourcing partner, what are the most important evaluation factors? (number of respondents)

    Capabilities and quality of services: 117
    Pricing of service and cost savings to the company: 77
    Provider's security policies, capabilities and track record: 74
    Financial strength and business stability: 63
    Reputation, brand and references: 51
    Provider's regulatory and compliance history: 33
    Geographic factors: 17

    Note: Respondents were asked to select all that apply

  • Slide 5: Companies are more concerned about cyber threats than physical breaches and natural disasters

    When evaluating or managing outsourcing relationships, how concerned are you about the following type(s) of security threats? (number of respondents answering Very Important)

    Cyber threats
    Theft, misuse or damage of company systems and data from outside the Outsource Provider (system hacking, viruses, spyware infiltration, etc.): 101
    Theft, misuse or damage of company systems or data from inside the Outsource Provider: 98

    Non-cyber threats
    Theft or damage of data or assets via compromises of physical security (break-ins, vandalism, etc.): 56
    Compromise of operating continuity due to external factors (natural disasters, political instability, etc.): 56

    Note: Includes only # of respondents who answered Very Important in each category. Respondents were asked to select all that apply

  • Slide 6: Increased awareness of security risks has led many companies to review their outsourcing strategies in the last year

    In the last two years, have you heard of specific examples of outsourcing security failures and/or breaches of privacy?
    Yes: 58%  No: 42%

    As a result of this knowledge, has your company reviewed its overall outsourcing strategy in the last year?
    Yes: 37%  No: 63%

  • Slide 7: The security risk is perceived as significantly higher for providers with offshore operations

    Do you perceive a greater or lesser risk of security threats for outsourcing providers located offshore?

    Much Higher: 48%
    Moderately Higher: 28%
    Same: 17%
    Moderately Lower: 2%
    Much Lower: 4%
    No basis for comparison: 1%

    76% of respondents consider the security risks when using offshore providers higher than the risks associated with domestic providers

  • Slide 8: Providers with operations in India, Asia and South America are particularly challenged by a legal and regulatory perception gap

    Major Findings

    - North America is seen as having the most robust legal and regulatory environment, followed by Ireland and the emerging EU countries of eastern Europe
    - India is seen as fair, with room to improve, as only 27% of respondents indicated that the area has a robust legal infrastructure
    - China, South America, and Southeast Asia were seen as having the biggest legal and regulatory gap, with 11 percent or fewer respondents indicating they had a robust infrastructure

    Which geographies have a robust regulatory and legal infrastructure? (% of respondents selecting geography)

    North America: 83%
    Ireland: 52%
    Emerging EU: 42%
    India: 27%
    Southeast Asia: 11%
    Other: 9%
    South America: 6%
    China: 5%

    Chart annotation: Challenging Regulatory and Legal Environments

    Note: Respondents were asked to check all that apply

  • Slide 9: Providers' security capabilities matter more than providers' security budgets...

    How important are the following security factors when evaluating and managing an outsourcing relationship? (number of respondents answering Very Important)

    Factors evaluated:
    - Provider's security team (depth of expertise)
    - Provider's security budget (provider's budget on security relative to industry best practices)
    - Provider's compliance with standards and laws
    - Provider's network & system security
    - Physical security at provider's facilities
    - Provider's personnel security policy and procedures

    Chart values (factor labels not legible in this transcript): 82, 78, 68, 63, 60, 33

    Verifiable security management capabilities matter more than absolute spending

    Note: Includes only # of respondents who answered Very Important in each category. Respondents were asked to select all that apply

  • Slide 10: ...however, defining, monitoring, and integrating security management in outsourcing contracts is a growing challenge

    Which factors present the biggest management challenges in evaluating and managing security in outsourcing relationships? (% of respondents putting factor in top 3)

    Establishing effective security management requirements in the contracts: 65
    Monitoring, auditing and evaluating vendor compliance with established security policy: 58
    Evaluating and implementing security technology and process integration: 54
    Acquiring and maintaining the right skill sets and capabilities to manage security: 31
    Determining how much to invest in security in an outsourcing relationship: 26
    Delivering effective training in policies and procedures of Outsourcing Providers: 22

  • Slide 11: Companies want more 3rd party audits and independent security evaluations of outsourcing providers

    What tools do you feel are most important to use in evaluating the security capabilities of outsourcing vendors? (number of respondents)

    Pull metrics
    Site visits and in-person audits of vendor security processes and capabilities: 105
    References from other clients: 95
    3rd party security certifications (e.g., NASSCOM): 89
    Security industry benchmarks & analyst reports: 80

    Push metrics
    Vendor's security track record as reported in media, industry press: 39
    Vendor's self-reported metrics (e.g., RFP responses): 37

    Note: Respondents were asked to select all that apply

    Information on vendors sought by companies (pull metrics) is more reliable than vendor-reported metrics in RFPs or media (push metrics)

  • Slide 12: The US government could play an increasing role in creating security and privacy regulations for outsourcing providers

    Should the U.S. create specific regulations for outsourcing providers to ensure they meet commonly accepted security and privacy standards?

    Yes, across all providers, functions and service categories: 33%
    Yes, but only for specific functions or service categories: 34%
    No: 32%

    Two thirds of respondents are open to some form of US regulation of security standards

  • Slide 13: Outsourcers should work with associations and governments to define and establish security regulations and standards...

    Who should be responsible for defining and establishing the standards? (number of respondents expressing preference)

    Customer trade groups or industry associations: 50
    Outsourcing service provider coalitions or industry associations: 46
    Government-led from within major industrialized nations (e.g. U.S., Europe): 49
    Government-led from countries with growing outsourcing industries (e.g. India, China): 49
    Independent experts and outside consultants: 31

    Industry associations: top preference for establishing security standards

    Industry ready for public-private partnerships for setting standards and regulations

  • Slide 14: ...while leveraging external auditors for monitoring

    Who should be responsible for certifying, monitoring and enforcing standards? (number of respondents expressing preference)

    Options:
    - Self-enforcement and reporting at the outsourcing company level
    - External enforcement via regular certifications and audits by external consultants and auditors
    - External enforcement via active regulation and management by government entities

    Chart values (option labels not legible in this transcript): 73, 38, 41

    Nearly 2:1 preference for 3rd party audits over self-enforcement

  • Slide 15: Investments should be prioritized for security training and awareness, new technologies and improved policies/procedures

    How do you believe outsourcing providers should prioritize their security investments? (number of respondents expressing preference)

    Invest in internal security training, education and awareness initiatives: 107
    Invest in new security technologies: 85
    Improve published security policies and procedures: 75
    Invest in outside, independent assessments to highlight internal security and compliance track record: 70
    Invest in new physical security and other business continuity initiatives: 51

    Note: Respondents were asked to check all that apply

  • Slide 16: Buyers may be willing to pay a premium for improved security capabilities, challenging the industry to demonstrate ROI

    Would you be willing to pay 10% to 15% more for outsourcing services if you thought it would ensure superior security?

    Definitely - proven security is worth the additional cost: 30%
    Maybe - would depend on comparison of security against other factors: 55%
    No - additional security is either not worth the premium or it is too difficult to validate: 15%

    85% of respondents may be willing to pay some premium for improved security

  • Slide 17: Other Supporting Findings

  • Slide 18: Respondents viewed service disruption, loss of customer trust and brand impact, and loss of intellectual property as equally important outsourcing security risks

    What do you believe are the greatest security risks and vulnerabilities to your business from outsourcing? (number of respondents expressing preference)

    Disruptions in product delivery or service caused by breakdowns in mission critical business processes or functions: 94
    Loss of customer trust or relationships due to improper or fraudulent use of confidential customer data: 91
    Loss of intellectual property or other sensitive information via either accidental exposure, theft or misuse of corporate data: 94
    Brand or reputation damage that results in loss of goodwill arising from actual or perceived risk of security failures: 92
    Risk that your company is liable for improper actions of your outsourcing provider: 65
    Other: 5

    Note: Respondents were asked to select all that apply

  • Slide 19: Companies are more concerned about theft or misuse of outsourced data than they are about the threat of terrorism

    From your perspective, how serious is the threat of terrorism for the operations of domestic outsourcing vendors?
    Response options: Serious Threat, Moderate Threat, Low Threat, No Basis for Evaluation
    Chart values (option labels not legible in this transcript): 9%, 39%, 47%, 15%

    How concerned are you about theft, misuse or damage of company systems and data from outside/inside an outsource provider?
    Very Concerned or Somewhat Concerned: 91% combined (chart values 63% and 28%)
    Not Concerned: 9%

    Less than 50% view terrorism as a moderate or serious threat, while 91% were somewhat or very concerned about data theft or misuse

  • Slide 20: There is a credibility gap in the security capabilities of providers, with clients in some verticals more skeptical than others

    For your industry, do you find the security capability claims of outsourcing providers credible?

    Yes: 14%
    Yes, but only the largest: 37%
    Maybe, but no way to verify or validate claims: 20%
    No: 30%

    Half of respondents discredit outsourcers' security claims

    Verification of compliance is the 2nd most important evaluation factor

    Breakdown by vertical (chart panels: Financial Services, Government, Manufacturing; per-vertical percentages not legible in this transcript):
    - Less than half of financial services respondents trusted even the largest providers' security capabilities
    - Government respondents were even more skeptical, with less than 30% trusting all or the largest providers
    - 67% of manufacturing respondents found some degree of provider security claims to be credible


  • Slide 22: Survey Methodology and Demographics

  • Slide 23: Survey Methodology

    Respondent Selection Method: Invitations to participate in the study were distributed via email to a select group of contacts:
    - Booz Allen current and former clients
    - Other comparable senior executives gathered through selective acquisition
    - Registered opt-in subscribers to email lists for knowledge@wharton and strategy+business magazine
    - Participants in the Outsourcing Seminar held as part of the Conference Board's 2005 BPO Conference

    Format: Online survey hosted by Booz Allen Hamilton

    Date of Survey: June-December 2005

    Number of Respondents: 158

  • Slide 24: 83% of respondents are currently outsourcing or actively considering doing so

    Is your company either currently outsourcing any functions or actively considering outsourcing?
    Yes: 83%  No: 17%

  • Slide 25: Over half of survey respondents were senior executives

    Responses by Function
    CXO*: 53%
    Procurement / Regulatory Officer: 32%
    Other: 15%

    *CXO category includes Chairman, President, CEO, CFO, Controller, COO, CIO, CTO, CISO, VP Operations

  • Slide 26: The 158 respondents to the survey represented 12 different industry sectors

    Distribution by Industry (sectors as listed on the chart)
    - Automotive
    - Business Services (legal, accounting, architectural, engineering design)
    - Communications (telecommunication, Internet services)
    - Computer Services
    - Education
    - Electronics
    - Financial Services
    - Government
    - Healthcare
    - Insurance
    - Life Sciences
    - Manufacturing
    - Other

    Chart percentages (sector labels not legible in this transcript): 4%, 17%, 3%, 2%, 6%, 8%, 15%, 2%, 11%, 8%, 9%, 4%, 11%

  • Slide 27: Survey respondents represented companies of all sizes

    Distribution by Revenue: chart values 39%, 24%, 18%, 19% (only the "$10B+" band label is legible in this transcript)

    Distribution by # Employees: chart values 42%, 27%, 18%, 5%, 8% (band labels not legible in this transcript)

  • Slide 28: For more information regarding this survey, please contact:

    Vinay Couto, Vice President, Chicago (312) 578-4617 [email protected]

    Jim Newfrock, Principal, Parsippany, NJ (973) 630-6789 [email protected]

    Jon Watts, Principal, New York, NY (212) 551-6644 [email protected]

    Martha-Rosalind Stainton, Senior Associate, McLean, VA (703) 902-3815 [email protected]
