Wednesday, August 06, 2008

Security and Outsourcing: The Neglected Dimension

Having witnessed several dozen organizations strategize, plan, operationalize, and even terminate their outsourcing agreements, I continue to be amazed with the lack of care and consideration given to security elements in these efforts (Power, Desouza, and Bonifazi, 2006; Power, Bonifazi, and Desouza, 2004). As one manager remarked:“No one really has the time, patience, or resources, to spend a few days evaluating the security issues associated with an agreement…Most of our time is spent working out details such as the financials, the project management plans, the personnel and public relations dimensions…Unless there are glaring security issues, most outsourcing agreements have the standard boiler plate text on security…you know…the NDAs (Non-Disclosure Agreements), the data and information protection clauses, etc…”The above quote is not unique to a particular manager or organization; one might argue that it is a norm in most outsourcing deals, with the exception of one class of organizations – organizations who have been burnt by security breaches! Only after an organization has witnessed the dire consequences of not adhering to security elements, does it begin to pay due attention to it when considering outsourcing. In Desouza (2007), a whole chapter is dedicated to the issue of securing intellectual assets in the context of strategic alliances. This article will point attention to the need to seriously consider the security dimension in sourcing agreements. Let me begin by sharing two small vignettes that illustrate two different kinds of security breaches (Desouza, 2007):

A large manufacturing firm in the Midwest of the United States outsourced the physical security of its corporate buildings to a security management organization. It was up to this security organization to hire the necessary personnel to monitor the premises. Not known to the manufacturing firm was the fact that the security-outsourcing vendor never ran thorough background checks on its hires. Upon investigation it was found that two of the guards working in night shifts at the manufacturing firm, George and Alan, were stealing high-end office supplies such as printer toner and reams of papers. It was even discovered that George and Alan were using unprotected computers (i.e., computers that were not locked) to surf pornographic websites during their night shifts. The investigation commenced only after a routine IT audit discovered that two computers had traffic to the pornographic websites. Besides the minor expenses involved in replacing stolen office supplies, these actions may have had a more severe cost, such as viruses or spyware that may have been inadvertently downloaded onto office computers.

A boutique strategy consulting company based in downtown New York had about 30 employees and just under a dozen clients. The firm received an offer to participate on a project involving a firm based in Shanghai. No one in the firm had any serious experience in the Chinese market, and hence, they decided to hire a new employee: a recent graduate of a prestigious law school who was interested in international law with a special focus on Asia. The new hire passed the initial background check with flying colors and began her assignment. During the course of the assignment, suspicious behavior started to emerge, including loss of documents and extended phone calls with Chinese counterparts. The organization decided to commission a new check on the employee. During the investigations, which included information on the exchanges with the colleagues in China, it was discovered that the employee was in serious financial trouble and had ailing parents who needed her immediate financial assistance. As a result, she got involved in illegal activities, which included the sale of sensitive information and spying on the organizations’ clients for the benefit of the Chinese business counterparts.

  • Desouza, K.C. Managing Knowledge Security: Strategies for Protecting Your Company’s Intellectual Assets, London, United Kingdom: Kogan Page, 2007.

  • Power, M.J., Bonifazi, C., & Desouza, K.C. “Ten Outsourcing Traps to Avoid,” Journal of Business Strategy, 25 (2), 2004, 37-42.

  • Power, M.J., Desouza, K.C, & Bonifazi, C. The Outsourcing Handbook: How to Implement a Successful Outsourcing Process, London, United Kingdom: Kogan Page, 2006.

If interested in reading more, please drop me an email. The above is an excerpt from an article accepted for publication in Strategic Outsourcing: An International Journal

No comments: