International enterprises cannot afford to ignore the potentially serious IT security implications that arise when they decide to outsource core business functions to third-party providers, industry analysts have warned.
Gartner noted that, as offshore outsourcing evolves from low-value, low-exposure projects to increasingly complex global projects involving core competencies, the cost and exposure of inadequate attention to security will increase significantly.
According to the analyst firm, enterprises and service providers must start an informed dialog to address security early and to perform due diligence throughout the outsourcing life cycle. Although security issues will lengthen the sales cycles of global delivery, they will not stop enterprises from adopting global sourcing models.
"The security exposure that both clients and service providers have to deal with, as global sourcing becomes more strategic and complex, increases by orders of magnitude," said Partha Iyengar, research vice president, Gartner India.
"Service providers are unable to provide standard security solutions because regulations, legislation and consequently risk vary vastly between industries and geographies."
Gartner went on to warn that there is also tremendous hype and a lack of understanding of the problems surrounding security and protection of data.
"One of the most frequently voiced concerns is related to call centers where consumers are alarmed when dealing with people with unfamiliar accents in unknown or foreign locations. This understandably raises questions around people's personal data, but may nevertheless not present a real risk," said Iyengar.
"Service providers and users need to look jointly at risks and work together to create an information protection framework to identify and spell out each of the concerns, determine their validity and make educated decisions about the risk they may or may not pose. Companies also need to be more transparent and inform customers of the security steps they take when going global to alleviate fears and avoid hype."
Understanding the relationship between business, security, intellectual property and privacy is essential for enterprises in effectively managing business risks associated with corporate and individual privacy, Gartner explained.
"There is a significant 'cost of security', and it is not cost-effective to provide the same level of security to every aspect of a company's offshore exposure. Companies therefore need to understand which records and data they need to protect and why, and how much they should spend on this security," added Iyengar.
"Diligence in understanding the actual risks involved will ensure that educated decisions can be made on the ROI around security expenses and investments. The most sensitive data can be found in personal, financial, medical, tax, employment and company financials records. Certain companies and vertical industries will have to classify data or determine the requirements for sharing data on a project-by-project basis."
Iyengar also highlighted that global delivery includes a growing number of lines of service or application areas. These include applications development, IT infrastructure, contact centres and back-office BPO. Each of these could have vastly different 'information protection' requirements and exposure, and each needs to be understood and dealt with differently.