News

Outsourcing's Impact on Network Security Debated

• By Stephen Swoyer
• October 13, 2009

Information security is always a concern in any outsourcing arrangement, particularly when that arrangement involves the shifting of applications, workloads or services -- to say nothing of sensitive data -- overseas.

Just how much of a concern is still the subject of considerable debate.

There is little dispute that IT pros have grave concerns about outsourcing's net effects on network security. Consider a new survey sponsored by security software firm VanDyke Software Inc., which found that an overwhelming majority of IT pros (nearly 70 percent) believe that shifting jobs overseas has a negative overall impact on network security.

The survey, which collected responses from 350 network administrators and IT executives, was conducted by Amplitude Research, a professional market research firm based in Boca Raton, Fla.

VanDyke Software, which has an avowed interest in drawing attention to concerns about outsourcing and network security (the firm develops and markets security-oriented tools for network administration and end user access), says that outsourcing and its overall impact on network security is an issue that merits additional investigation.

IT pros aren't just grousing, either, VanDyke and Amplified Research officials stress. Regardless of their own experiences with outsourcing, a solid majority of IT pros have concerns about outsourcing's impact on network security.

On the other hand, opposition to offshore outsourcing tends to be higher among IT pros whose employers don't currently outsource any of their IT operations overseas. For example, the survey reports that nearly one-third of respondents (29 percent) confirm that their organizations currently have offshore outsourcing arrangements. Among these, only half (as opposed to 69 percent for the entire sample) believe that outsourcing has had a negative impact on network security.

Meanwhile, one-quarter (24 percent) say it has had a positive impact. This number is almost 300 percent higher among shops that outsource. (Just over a quarter say outsourcing has had no impact on network security.)

There's an additional wrinkle here: Outsourcers are more likely than non-outsourcers to have experienced an unauthorized intrusion of some kind. In fact, more than three-fifths of respondents in outsourcing shops admit that their companies were victimized by an illicit or unauthorized intrusion.

There isn't necessarily a correlation between a decision to outsource and an increased likelihood of intrusion, however. For starters, companies that outsource -- particularly companies that engage in offshore outsourcing -- tend to be bigger than non-outsourcing organizations. What's more, companies that send IT workloads or services to offshore locales tend to be much bigger.

This is true even with regard to security applications or services. According to a 2006 survey sponsored by the FBI and the Computer Security Institute (CSI), shops with more than $1 billion in annual revenues sent 15 percent of their security functions offshore (a 66 percent increase from the year before). Shops in the $100 million to $1 billion range were also big outsourcers, sending 13 percent of security tasks overseas. Meanwhile, organizations that generated less than $10 million in annual revenues sent just 8 percent of their security functions overseas.

An increase in size translates into an increase in profile. There are also correlations between size and a willingness to outsource, as well as the volume of outsourcing. The upshot, then, is that companies that outsource -- and particularly shops that choose to outsource security-related tasks or services to offshore providers -- tend to be both bigger targets and more ambitious outsourcers.

Moreover, the VanDyke survey didn't ask respondents if they had experienced an unauthorized intrusion as a result of an offshore outsourcing arrangement.

There's no consensus about how offshore outsourcing affects information security. This is in part because, notwithstanding the existence of several market research reports that clearly establish the size or demographics of outsourcing practitioners, there's a lamentable lack of hard data dealing with the economic benefits of outsourcing, particularly with respect to intangibles (or to what economists call "externalities").

"Most products have an elastic demand function. Thus, if security behaves as most goods, if outsourcing can reduce the price of one unit of security, firms should decide to consume more or increase their security," writes Brent Rowe, a researcher with think tank RTI International, in a 2007 publication entitled "Will Outsourcing IT Security Lead to a Higher Social Level of Security?"

Rowe suggests a thought exercise. "If a firm decides that it can outsource part of its security and pay less per unit of security, we should assume that the firm would consume more security," he says, adding that -- if this assumption is correct -- the net result, on balance, should be an overall improvement in IT security.

"However, security has many characteristics that are very different from normal goods," Rowe continues. "When a firm spends more money on security, it may or may not be guaranteed to see improvements" such as enhanced network performance, reduced downtime or fewer breaches. "As an example, a firm may require that its network generally be open as part of its business operations."

The upshot, Rowe laments, is that we just don't know.

"[O]ther firm characteristics may exist that determine the level of spending a firm sets after it decides to outsource certain activities," he concludes. "This issue merits further study, although at this point, no study has looked at the change in IT security spending as a result of outsourcing."