The cost of cost savings: Security and risk when outsourcing IT

Whether you blame the IT skills shortage or the pressure CIOs face to execute new digital demands on tight budgets, information technology outsourcing (ITO) is here to stay.

Gartner’s latest forecast predicts the worldwide IT services market will exceed $980 billion (£660 billion) in 2015. With outsourcing contributing to more than half of that market growth, the industry is poised to reach $1.1 trillion (£740 billion) by 2018.

That’s combined with a booming offshoring market, with domestic leaders like HP starting to lose market share to India-based outsourcers and cloud-based service providers. Overall, Forrester Research predicts 542,000 IT jobs will move overseas by 2015, and that number is widely seen as conservative.

All of that considered, it’s rare these days for businesses not to outsource at least one aspect of their IT organisation. With the onset of new digital technology growing on a global scale, no one person can be a master of all trades, making outsourcing unavoidable. But growing cyber security concerns demand a second, more detailed inspection of the cost associated with risk.

Opening your network to just any outsourced partner opens it to a slew of risky possibilities.

When CFOs and CIOs strictly look at salaries, outsourcing IT can seem very enticing. But how many of those executives have looked at the hidden costs of subcontracting? What are the costs, in terms of additional security and risk, to sending these jobs outside the enterprise?

Gartner research conducted in 2014 found that all nine countries it studied in the popular Asia Pacific region were rated either ‘poor’ or ‘fair’ on the data/IP security and privacy criterion.

Until an organisation assesses its entire application infrastructure, these savings may be part of a false economy; something that saves money at first, but costs more over time. It’s time to evaluate remote logins, remote and virtual desktop programs, integrated security applications and the risk associated with each enterprise application.

How much are these cost-saving measures really costing you?

Finding the Real Price Tag

If outsourcing work is the status quo, it’s time to reevaluate the norm, starting with the risk and liabilities presented when contracted employees access your network from outside its perimeter.

Respondents to PwC’s 2015 Global Information Security Survey reported the total number of detected security incidents in 2014 exceeded 42.8 million, a 48 per cent increase over 2013. Moreover, the survey found security-breach-related financial losses to be 34 per cent higher than the year prior.

So ask yourself: When you open your organisation’s perimeter to let outsourced employees in, what’s been done internally to protect your information? Is your partnering organisation holding itself to the same standards of security? Furthermore, does your organisation have the capacity and capabilities to make the evaluation, or is the first step finding a partner to complete the security assessment?

In the end, it’s vital to understand the enterprise’s entire application portfolio, sprawling between internal functionality and external access, and then align that with risk and security metrics.

Once an enterprise creates a comprehensive map of its IT assets, specifically the ones outsourced employees can access, consider:

  • The asset’s cost and maintenance
  • Risk and cost to secure the IT asset
  • Cost associated with a potential security breach
  • Function and potential redundancies with existing assets

Evaluating these components together shows the true cost associated with doing business with an outsourcer or overseas organisation.

The most poignant and overlooked step in this equation is the evaluation of a potential data breach from opening the network. According to the PwC report, other than your current and former employees, there is no higher cyber security threat than service providers, consultants and contractors.

And the cost of an incident is increasing. Globally, the average financial loss associated with cyber security incidents in 2014 was $2.7 million (£1.8 million), a 34 per cent increase over 2013.

Do the math, and find the real price tag of outsourcing. And ask the tough questions of your new outsourced partners: Would you buy beef from a butcher who refuses to eat his own meat?

Would you still outsource IT work after finding just a few hundred dollars in savings, taking risk and security into consideration? Probably not.

By Karl Fruecht, Client Engagement Manager, KillerIT; and Jason Ausburn, Director of Security Services, SOS Security