Security by Proxy
Offshore outsourcing offers unquestioned benefits to financial institutions, considering that the pay scale for technical workers in India is less than half of what it is in the US. But banks that end the analysis there will be making a big mistake. When weighing the pros and cons of "offshoring" their back-office functions, managers also need to factor in the costs of security.
Protecting customer data is the key concern, but there are legal issues as well. The security requirements contained in 2000's Gramm-Leach-Bliley Act do not allow financial institutions to pass the liability for data and system security on to an outsourcer. And in an era when computer viruses, hackers, fraud, theft of intellectual property and privacy issues increasingly challenge U.S. banks, the prospect of integrating ongoing security programs with other organizations based in different legal and regulatory environments can be daunting.
Financial institutions that outsource an activity to a vendor thousands of miles away essentially need to manage security by proxy, which requires a closely structured relationship with the outsourcer. A common mistake is to sign contracts and service level agreements and then consider the matter closed.
While this paperwork is essential, the core issue is mastering relationships with "employees" who "are working for you, but not really working for you," says Virginia Garcia, an analyst with TowerGroup Inc. in Needham, Mass. Garcia estimates that putting the people, processes, and tools in place to establish this kind of governance could add between 15% and 20% to an organization's initial outsourcing budget.
It's not that offshore outsourcers are intrinsically deficient when it comes to security. India, for example, is home to numerous information technology companies that have proven themselves in global markets. The problem, rather, is that offshore outsourcing adds complexity to an already complex management problem.
Yet these challenges can be met with the proper planning and follow-through. To begin with, IT security organizations need to work as structured teams where both client and outsourcer are reading off the same script. Centralized groups of this type build, maintain, and enforce security policies around configuration management, physical security, code protection, business continuity planning, access control, and a long list of other functions.
The situation gets more complicated when multiple outsourcers are involved. Many institutions are looking at "best of breed" strategies, which might involve sending check processing to China, disaster recovery to India, and a human resources application to Ireland. Unless those various security infrastructures are aligned, weaknesses may pop up in the institution's defense perimeter.
According to Mary Kirwan, an independent IT security consultant and lawyer based in Toronto, a country's laws can affect an organization's ability to execute governance with respect to areas such as the right to do background checks on employees, movement and encryption of data, and enforcement against security breaches. Kirwan says this environment is constantly in flux, and that companies with offshore agreements need to have expertise in place to monitor changing conditions and protect their ability to govern security procedures.
As Kirwan's comments suggest, over-reliance on the law and service agreements is a mistake in offshore outsourcing. "With IT, you can never legislate every possibility," says independent Toronto-based security consultant James Haw, formerly with Canadian Imperial Bank of Commerce.
Instead, the emphasis should be on building the relationships with offshore vendors necessary to execute an integrated security strategy in a seamless fashion. "You have to have monitoring, and you have to have unified controls," says Martin Finch, operational risk advisor for the Federal Reserve Bank of New York. European banks and global U.S.-based institutions such as Citigroup Inc. and General Electric Corp. have been doing this for years, but most U.S. regional banks will be starting from scratch.
Charlotte-based Bank of America Corp., which outsources software application maintenance and development services to India, declined to make executives available to discuss its procedures for handling offshore security. But a company spokesman did say, "We hold our partners to the same gold standards with regard to security as we practice internally, and we audit those procedures regularly."
Developments in security technology promise to make integrated security management easier. New enterprise management tools are providing deeper intelligence that enables security managers to anticipate threats. Enterprise security portals enable an organization to deploy enterprise-wide security policies over the Web, making it easier to maintain consistent practices across inter-company and international boundaries. But like the rest of the pieces in the security puzzle, these need to be integrated into the overall security management framework.