DISCUSSION DOCUMENT

Outsourcing Security: Concerns Growing
Outsourcing Security Survey Findings
March 21, 2006, New York, NY

Background on the Booz Allen Hamilton Outsourcing Security Survey

As the use of outsourcing continues to grow, so too do the risks to customer and company data that companies must rely on their outsourcing vendors to protect. In order to better understand how companies are managing the information security and data privacy risks of outsourcing, Booz Allen Hamilton surveyed senior executives involved in defining and managing their companies’ outsourcing strategies.

The survey, which reflects the responses of 158 executives from companies across a range of industries (June–December 2005), was designed to provide insight into:
– Senior executive perspectives on the magnitude of information security risk involved in outsourcing relationships
– How companies approach the evaluation and monitoring of outsourcing vendors’ information security capabilities
– The information security and data privacy challenges that the outsourcing industry must address in order to maintain the trust and confidence of customers and clients

The following presentation provides an initial summary of the survey results.

Executive Summary
Key Takeaway: Companies using outsourcing are increasingly concerned about information security
– Security is an increasingly important issue among outsourcing buyers
– While security is a complex issue, respondents almost unanimously agreed on the need for standards and auditing mechanisms
– These mechanisms are particularly needed in some key countries where respondents do not trust the current legal and regulatory infrastructure (e.g. India, China)
– Support is growing for government involvement in setting and enforcing security standards
– Like financial markets, outsourcing security can benefit from public-private partnerships to provide regulations, standards and audit capabilities
– Outsourcing buyers seem willing to pay a premium for improved security capabilities

Services, pricing and security capabilities are the top three evaluation factors when selecting an outsourcing partner
When selecting an outsourcing partner, what are the most important evaluation factors? (# of respondents)
– Capabilities and quality of services: 117
– Pricing of service and cost savings to the company: 77
– Provider’s security policies, capabilities and track record: 74
– Financial strength and business stability: 63
– Reputation, brand and references: 51
– Provider’s regulatory and compliance history: 33
– Geographic factors: 17
Note: Respondents were asked to select all that apply.

Companies are more concerned about cyber threats than physical breaches and natural disasters
When evaluating or managing outsourcing relationships, how concerned are you about the following type(s) of security threats? (# of respondents answering “Very Important”)
Cyber threats:
– Theft, misuse or damage of company systems and data from outside the outsource provider (system hacking, viruses, spyware infiltration, etc.): 101
– Theft, misuse or damage of company systems or data from inside the outsource provider: 98
Non-cyber threats:
– Theft or damage of data or assets via compromises of physical security (break-ins, vandalism, etc.): 56
– Compromise of operating continuity due to external factors (natural disasters, political instability, etc.): 56
Note: Includes only the number of respondents who answered “Very Important” in each category. Respondents were asked to select all that apply.

Increased awareness of security risks has led many companies to review their outsourcing strategies in the last year
In the last two years, have you heard of specific examples of outsourcing security failures and/or breaches of privacy?
– Yes: 63%
– No: 37%
As a result of this knowledge, has your company reviewed its overall outsourcing strategy in the last year?
– Yes: 58%
– No: 42%

The security risk is perceived as significantly higher for providers with offshore operations
Do you perceive a greater or lesser risk of security threats for outsourcing providers located offshore?
– Much higher: 28%
– Moderately higher: 48%
– Same: 17%
– Moderately lower: 2%
– Much lower: 1%
– No basis for comparison: 4%
76% of respondents consider the security risks when using offshore providers higher than the risks associated with domestic providers.

Providers with operations in India, Asia and South America are particularly challenged by a legal and regulatory perception gap
Which geographies have a robust regulatory and legal infrastructure? (% of respondents selecting geography)
– North America: 83%
– Ireland: 52%
– Emerging EU: 42%
– India: 27%
Challenging regulatory and legal environments:
– Southeast Asia: 11%
– Other: 9%
– South America: 6%
– China: 5%
Major findings:
– North America is seen as having the most robust legal and regulatory environment, followed by Ireland and the emerging EU countries of eastern Europe
– India is seen as fair, with room to improve, as only 27% of respondents indicated that the area has a robust legal infrastructure
– China, South America and Southeast Asia were seen as having the biggest legal and regulatory gap, with 11 percent or fewer respondents indicating they had a robust infrastructure
Note: Respondents were asked to check all that apply.

Providers’ security capabilities matter more than providers’ security budgets…
How important are the following security factors when evaluating and managing an outsourcing relationship? (# of respondents answering “Very Important”)
– Provider’s network and system security: 82
– Provider’s compliance with standards and laws: 78
– Provider’s personnel security policy and procedures: 68
– Physical security at provider’s facilities: 63
– Provider’s security team (depth of expertise): 60
– Provider’s security budget (provider’s budget on security relative to industry best practices): 33
Verifiable security management capabilities matter more than absolute spending.
Note: Includes only the number of respondents who answered “Very Important” in each category. Respondents were asked to select all that apply.

…however, defining, monitoring and integrating security management in outsourcing contracts is a growing challenge
Which factors present the biggest management challenges in evaluating and managing security in outsourcing relationships? (% of respondents putting factor in top 3)
– Establishing effective security management requirements in the contracts: 65
– Monitoring, auditing and evaluating vendor compliance with established security policy: 58
– Evaluating and implementing security technology and process integration: 54
– Acquiring and maintaining the right skill sets and capabilities to manage security: 31
– Determining how much to invest in security in an outsourcing relationship: 26
– Delivering effective training in policies and procedures of outsourcing providers: 22

Companies want more 3rd-party audits and independent security evaluations of outsourcing providers
What tools do you feel are most important to use in evaluating the security capabilities of outsourcing vendors? (# of respondents)
Pull metrics:
– Site visits and in-person audits of vendor security processes and capabilities: 105
– References from other clients: 95
– 3rd-party security certifications (e.g., NASSCOM): 89
– Security industry benchmarks and analyst reports: 80
Push metrics:
– Vendor’s security track record as reported in media and industry press: 39
– Vendor’s self-reported metrics (e.g., RFP responses): 37
Information on vendors sought by companies (pull metrics) is considered more reliable than vendor-reported metrics in RFPs or media (push metrics).
Note: Respondents were asked to select all that apply.

The US government could play an increasing role in creating security and privacy regulations for outsourcing providers
Should the U.S. create specific regulations for outsourcing providers to ensure they meet commonly accepted security and privacy standards?
– Yes, across all providers, functions and service categories
– Yes, but only for specific functions or service categories
– No
Responses were split roughly evenly across the three options (33%, 32% and 34%). Two thirds of respondents are open to some form of US regulation of security standards.

Outsourcers should work with associations and governments to define and establish security regulations and standards…
Who should be responsible for defining and establishing the standards? (# of respondents expressing preference)
– Customer trade groups or industry associations: 50
– Independent experts and outside consultants: 49
– Government-led from within major industrialized nations (e.g. U.S., Europe): 49
– Outsourcing service provider coalitions or industry associations: 46
– Government-led from countries with growing outsourcing industries (e.g. India, China): 31
Industry associations are the top preference for establishing security standards. The industry is ready for public-private partnerships for setting standards and regulations.

…while leveraging external auditors for monitoring
Who should be responsible for certifying, monitoring and enforcing standards? (# of respondents expressing preference)
– External enforcement via regular certifications and audits by external consultants and auditors: 73
– External enforcement via active regulation and management by government entities: 41
– Self-enforcement and reporting at the outsourcing company level: 38
Nearly 2:1 preference for 3rd-party audits over self-enforcement.

Investments should be prioritized for security training and awareness, new technologies and improved policies/procedures
How do you believe outsourcing providers should prioritize their security investments? (# of respondents expressing preference)
– Invest in internal security training, education and awareness initiatives: 107
– Invest in new security technologies: 85
– Improve published security policies and procedures: 75
– Invest in outside, independent assessments to highlight internal security and compliance track record: 70
– Invest in new physical security and other business continuity initiatives: 51
Note: Respondents were asked to check all that apply.

Buyers may be willing to pay a premium for improved security capabilities, challenging the industry to demonstrate ROI
Would you be willing to pay 10% to 15% more for outsourcing services if you thought it would ensure superior security?
– Definitely: proven security is worth the additional cost: 30%
– Maybe: would depend on comparison of security against other factors: 55%
– No: additional security is either not worth the premium or it is too difficult to validate: 15%
85% of respondents may be willing to pay some premium for improved security.

Other Supporting Findings

Respondents viewed service disruption, loss of customer trust and brand impact, and loss of intellectual property as equally important outsourcing security risks
What do you believe are the greatest security risks and vulnerabilities to your business from outsourcing? (# of respondents expressing preference)
– Disruptions in product delivery or service caused by breakdowns in mission-critical business processes or functions: 94
– Loss of intellectual property or other sensitive information via either accidental exposure, theft or misuse of corporate data: 94
– Brand or reputation damage that results in loss of goodwill arising from actual or perceived risk of security failures: 92
– Loss of customer trust or relationships due to improper or fraudulent use of confidential customer data: 91
– Risk that your company is liable for improper actions of your outsourcing provider: 65
– Other: 5
Note: Respondents were asked to select all that apply.

Companies are more concerned about theft or misuse of outsourced data than they are about the threat of terrorism
From your perspective, how serious is the threat of terrorism for the operations of domestic outsourcing vendors? (Response options: serious threat, moderate threat, low threat, no basis for evaluation.)
How concerned are you about theft, misuse or damage of company systems and data from outside/inside an outsource provider?
– Very concerned: 63%
– Somewhat concerned: 28%
– Not concerned: 9%
Less than 50% view terrorism as a moderate to serious threat, while 91% were somewhat to very concerned about data theft or misuse.

For your industry, do you find the security capability claims of outsourcing providers credible?
Response options: Yes; Yes, but only the largest; Maybe, but no way to verify or validate claims; No. Results were broken down for financial services, government and manufacturing respondents.
– There is a credibility gap in the security capabilities of providers, with clients in some verticals more skeptical than others
– Less than half of financial services respondents trusted even the largest providers’ security capabilities
– Government respondents were even more skeptical, with less than 30% trusting all or the largest providers
– 67% of manufacturing respondents found some degree of provider security claims to be credible
– Half of respondents discredit outsourcers’ security claims; verification and compliance is the 2nd most important evaluation factor

Over the next two years, respondents expect continued growth in the outsourcing market, but are generally divided on whether growth will occur in existing functions or expand upstream
For your industry, what do you expect in the outsourcing market in the next two years?
Response options: Reduction in the size of the market; Slowing growth or market stagnation; Continued growth, but with little expansion beyond current functions; Continued growth and successful expansion of outsourced functions (e.g., moving upstream into R&D).
– 95% of financial services respondents expect outsourcing market growth to continue, but are divided (50% / 45%) on expansion into upstream functions
– Government respondents are less certain, with almost 40% expecting market stagnation or reduction
– 86% of manufacturing respondents expect outsourcing market growth to continue, but are divided (43% / 43%) on expansion into upstream functions

Survey Methodology and Demographics

Survey Methodology
Respondent selection method: Invitations to participate in the study were distributed via email to a select group of contacts:
– Booz Allen current and former clients
– Other comparable senior executives gathered through selective acquisition
– Registered opt-in subscribers to email lists for knowledge@wharton and strategy+business magazine
– Participants in the Outsourcing Seminar held as part of the Conference Board’s 2005 BPO Conference
Format: Online survey hosted by Booz Allen Hamilton
Date of survey: June – December 2005
Number of respondents: 158

83% of respondents are currently outsourcing or actively considering doing so
Is your company either currently outsourcing any functions or actively considering outsourcing?
– Yes: 83%
– No: 17%

Over half of survey respondents were senior executives
Responses by function:
– CXO*: 53%
– Other: 32%
– Procurement / Regulatory Officer: 15%
*CXO category includes Chairman, President, CEO, CFO, Controller, COO, CIO, CTO, CISO, VP Operations.

The 158 respondents to the survey represented 12 different industry sectors
Distribution by industry (each sector between 2% and 17% of respondents): Automotive; Business Services (legal, accounting, architectural, engineering design); Communications (telecommunication, Internet services); Computer Services; Education; Electronics; Financial Services; Government; Healthcare; Insurance; Life Sciences; Manufacturing; Other.

Survey respondents represented companies of all sizes
Distribution by number of employees: <1,000; 1,000 – 10,000; 10,000 – 50,000; 50,001 – 75,000; 75,000+.
Distribution by revenue: <$100M; $100M – $1B; $1B – $10B; >$10B.

For more information regarding this survey, please contact:
– Vinay Couto, Vice President, Chicago – (312) 578-4617 – couto_vinay@bah.com
– Jim Newfrock, Principal, Parsippany, NJ – (973) 630-6789 – newfrock_jim@bah.com
– Jon Watts, Principal, New York, NY – (212) 551-6644 – watts_jon@bah.com
– Martha-Rosalind Stainton, Senior Associate, McLean, VA – (703) 902-3815 – stainton_mr@bah.com