Professional Documents
Culture Documents
In order to better understand how companies are managing the information security and data
privacy risks of outsourcing, Booz Allen Hamilton surveyed senior executives involved in
defining and managing their companies’ outsourcing strategies
The survey, which reflects the responses of 158 executives from companies across a range of
industries, June-December 2005, was designed to provide insight into:
– Senior Executive perspectives on the magnitude of information security risk involved in
outsourcing relationships
– How companies approach the evaluation and monitoring of outsourcing vendors’ information
security capabilities
– The information security and data privacy challenges that the outsourcing industry must
address in order to maintain the trust and confidence of customers and clients
2
Key Takeaway: Companies using outsourcing are increasingly
concerned about information security
Executive Summary
While security is a complex issue, respondents almost unanimously agreed on the need for
standards and auditing mechanisms
These mechanisms are particularly needed in some key countries where respondents do not
trust the current legal and regulatory infrastructure (e.g. India, China)
Support is growing for government involvement in setting and enforcing security standards
Like financial markets, outsourcing security can benefit from public - private partnerships to
provide regulations, standards and audit capabilities
Outsourcing buyers seem willing to pay a premium for improved security capabilities
3
Services, pricing and security capabilities are the top three
evaluation factors when selecting an outsourcing partner
When selecting an outsourcing partner, what are the
most important evaluation factors?
Geographic factors 17
0 50 100 150
4
Companies are more concerned about cyber threats than physical
breaches and natural disasters
0 50 100 150
Note: Includes only # of respondents who answered “Very Important” in each category
Note: Respondents were asked to select all that apply
5
Increased awareness of security risks has led many companies to
review their outsourcing strategies in the last year
No Yes
37
No %
Yes
42
% 58
% 63
%
6
The security risk is perceived as significantly higher for providers
with offshore operations
Do you perceive a greater or lesser risk of security threats
for outsourcing providers located offshore?
No basis
Much Lower 1% for comparison
4%
Moderately Lower 2%
Same
28%
17
Much Higher
%
48
% 76% of respondents consider the
security risks when using offshore
Moderately Higher providers higher than the risks
associated with domestic providers
7
Providers with operations in India, Asia and South America are
particularly challenged by a legal and regulatory perception gap
Which geographies have a robust regulatory and legal infrastructure? Major Findings
8
Providers’ security capabilities matter more than providers’
security budgets ….
How important are the following security factors when evaluating and managing an outsourcing relationship?
Note: Includes only # of respondents who answered “Very Important” in each category
Note: Respondents were asked to select all that apply
9
…however defining, monitoring, and integrating security
management in outsourcing contracts is a growing challenge
Which factors present the biggest management challenges in
evaluating and managing security in outsourcing relationships?
0 20 40 60 80
% of respondents putting factor in top 3
10
Companies want more 3rd party audits and independent security
evaluations of outsourcing providers
What tools do you feel are most important to use in evaluating
the security capabilities of outsourcing vendors?
95
Pull metrics
References from other clients
11
The US government could play an increasing role in creating
security and privacy regulations for outsourcing providers
12
Outsourcers should work with associations and governments to
define and establish security regulations and standards…
13
…while leveraging external auditors for monitoring
0 20 40 60 80
14
Investments should be prioritized for security training and
awareness, new technologies and improved policies/procedures
0 20 40 60 80 100 120
# of Respondents expressing preference
15
Buyers may be willing to pay a premium for improved security
capabilities — challenging the industry to demonstrate ROI
Would you be willing to pay 10% to 15% more for outsourcing services
if you thought it would ensure superior security?
16
Other Supporting Findings
17
Respondents viewed service disruption, loss of customer trust and
brand impact, and loss of intellectual property as equally important
outsourcing security risks
What do you believe are the greatest security risks and vulnerabilities to your business from outsourcing?
Other 5
0 20 40 60 80 100
# of Respondents expressing preference
18
Companies are more concerned about theft or misuse of
outsourced data than they are about the threat of terrorism
From your perspective, how serious is the threat of How concerned are you about theft, misuse or damage
terrorism for the operations of domestic of company systems and data from outside/inside an
outsourcing vendors? outsource provider?
Serious Not
No Basis Threat Concerned
for Evaluation
9%
15% 9%
Moderate Somewhat
28%
39% Threat Concerned 63%
47% Very
Concerned
Low
Threat
19
There is credibility gap in the security capabilities of providers,
with clients in some verticals more skeptical than others
15%
Financial Services
Less than half of
25%
25%
financial services
For your industry, do you find the security capability respondents trusted
30% even the largest
claims of outsourcing providers credible?
30% providers’ security
Yes capabilities
Maybe, but no way
to verify or validate
claims 14%
30% 18% Government
Government
36%
25%
respondents were even
9% more skeptical with less
than 30% trusting all or
36% the largest providers
37%
20%
No Yes, but only
the largest 14%
24% 67% of manufacturing
Manufacturing
25%
respondents found
Half of 19% some degree of provider
Verification of
respondentsnd security claims to be
compliance 2
discredit credible
most important
outsourcers’
43%
evaluation factor
security claims
20
Over the next two years, respondents expect continued growth in
the outsourcing market, but are generally divided on whether
growth will occur in existing functions, or expand upstream
5%
Financial Services
95% of financial services
For your industry, what do you expect in the
respondents expect
outsourcing market in the next two years?
outsourcing market growth
50% 45% to continue, but are
Reduction in the
size of the market divided on expansion into
upstream functions
Slowing growth or market
stagnation
6%
7%
Government respondents
Government
27%
are less certain, with
36% almost 40% expecting
49% 9% market stagnation or
reduction
27%
38%
21
Survey Methodology and Demographics
22
Survey Methodology
Respondent Selection Method: Invitations to participate in the study were distributed via
email to a select group of contacts:
– Booz Allen current and former clients
– Other comparable senior executives gathered through selective acquisition
– Registered opt-in subscribers to email lists for knowledge@wharton and strategy+business
magazine
– Participants in Outsourcing Seminar as part of Conference Board’s 2005 BPO Conference
23
83% of respondents are currently outsourcing or actively
considering doing so
17%
NO
83%
YES
24
Over half of survey respondents were senior executives
Responses by Function
CXO*
Other
32%
53%
15%
Procurement /
Regulatory *CXO category includes Chairman, President, CEO, CFO,
Officer Controller, COO, CIO, CTO, CISO, VP Operations
25
The 158 respondents to the survey represented 12 different
industry sectors
Distribution by Industry
11%
4% Automotive
9%
Business Services (legal, accounting, architectural, engineering design)
Communications (telecommunication, Internet services)
17% Computer Services
8%
Education
Electronics
26
Survey respondents represented companies of all sizes
19% 8%
5%
39% <$100 M
<1,000
$100M - $1B 42%
18% 1,000 - 10,000
75,000+
24%
27%
27
For more information regarding this survey, please contact:
Vinay Couto, Vice President, Chicago
– (312) 578-4617
– couto_vinay@bah.com
28