Concerns Growing - Security Management

DISCUSSION DOCUMENT
Outsourcing Security: Concerns Growing
Outsourcing Security Survey Findings
March 21, 2006
New York, NY
Background on the Booz Allen Hamilton Outsourcing Security Survey
• As the use of outsourcing continues to grow, so too do the risks to customer and company data that companies must rely on their outsourcing vendors to protect
• In order to better understand how companies are managing the information security and data privacy risks of outsourcing, Booz Allen Hamilton surveyed senior executives involved in defining and managing their companies’ outsourcing strategies
• The survey, which reflects the responses of 158 executives from companies across a range of industries, collected June–December 2005, was designed to provide insight into:
– Senior executive perspectives on the magnitude of information security risk involved in outsourcing relationships
– How companies approach the evaluation and monitoring of outsourcing vendors’ information security capabilities
– The information security and data privacy challenges that the outsourcing industry must address in order to maintain the trust and confidence of customers and clients
• The following presentation provides an initial summary of the survey results
Key Takeaway: Companies using outsourcing are increasingly concerned about information security
Executive Summary
• Security is an increasingly important issue among outsourcing buyers
• While security is a complex issue, respondents almost unanimously agreed on the need for standards and auditing mechanisms
• These mechanisms are particularly needed in some key countries where respondents do not trust the current legal and regulatory infrastructure (e.g. India, China)
• Support is growing for government involvement in setting and enforcing security standards
• Like financial markets, outsourcing security can benefit from public-private partnerships to provide regulations, standards and audit capabilities
• Outsourcing buyers seem willing to pay a premium for improved security capabilities
Services, pricing and security capabilities are the top three evaluation factors when selecting an outsourcing partner
When selecting an outsourcing partner, what are the most important evaluation factors? (number of respondents selecting each factor)
Capabilities and quality of services: 117
Pricing of service and cost savings to the company: 77
Provider's security policies, capabilities and track record: 74
Financial strength and business stability: 63
Reputation, brand and references: 51
Provider's regulatory and compliance history: 33
Geographic factors: 17
Note: Respondents were asked to select all that apply
Companies are more concerned about cyber threats than physical breaches and natural disasters
When evaluating or managing outsourcing relationships, how concerned are you about the following type(s) of security threats? (number of respondents answering “Very Important”)
Cyber threats:
– Theft, misuse or damage of company systems and data from outside the Outsource Provider (system hacking, viruses, spyware infiltration, etc.): 101
– Theft, misuse or damage of company systems or data from inside the Outsource Provider: 98
Non-cyber threats:
– Theft or damage of data or assets via compromises of physical security (break-ins, vandalism, etc.): 56
– Compromise of operating continuity due to external factors (natural disasters, political instability, etc.): 56
Note: Includes only # of respondents who answered “Very Important” in each category
Note: Respondents were asked to select all that apply
Increased awareness of security risks has led many companies to review their outsourcing strategies in the last year
In the last two years, have you heard of specific examples of outsourcing security failures and/or breaches of privacy?
Yes: 63%
No: 37%
As a result of this knowledge, has your company reviewed its overall outsourcing strategy in the last year?
Yes: 58%
No: 42%
The security risk is perceived as significantly higher for providers with offshore operations
Do you perceive a greater or lesser risk of security threats for outsourcing providers located offshore?
Much Higher: 48%
Moderately Higher: 28%
Same: 17%
Moderately Lower: 2%
Much Lower: 1%
No basis for comparison: 4%
76% of respondents consider the security risks when using offshore providers higher than the risks associated with domestic providers
Providers with operations in India, Asia and South America are particularly challenged by a legal and regulatory perception gap
Which geographies have a robust regulatory and legal infrastructure? (% of respondents selecting geography)
North America: 83%
Ireland: 52%
Emerging EU: 42%
India: 27%
Southeast Asia: 11%
Other: 9%
South America: 6%
China: 5%
Chart callout: “Challenging Regulatory and Legal Environments” (Southeast Asia, South America, China)
Major Findings
• North America is seen as having the most robust legal and regulatory environment, followed by Ireland and the emerging EU countries of eastern Europe
• India is seen as fair, with room to improve, as only 27% of respondents indicated that the area has a robust legal infrastructure
• China, South America, and Southeast Asia were seen as having the biggest legal and regulatory gap, with 11 percent or fewer respondents indicating they had a robust infrastructure
Note: Respondents were asked to check all that apply
Providers’ security capabilities matter more than providers’ security budgets ….
How important are the following security factors when evaluating and managing an outsourcing relationship? (number of respondents answering “Very Important”)
Provider’s network & system security: 82
Provider’s compliance with standards and laws: 78
Provider’s personnel security policy and procedures: 68
Physical security at provider’s facilities: 63
Provider’s security team (depth of expertise): 60
Provider’s security budget (provider’s budget on security relative to industry best practices): 33
Verifiable security management capabilities matter more than absolute spending
Note: Includes only # of respondents who answered “Very Important” in each category
Note: Respondents were asked to select all that apply
…however defining, monitoring, and integrating security management in outsourcing contracts is a growing challenge
Which factors present the biggest management challenges in evaluating and managing security in outsourcing relationships? (% of respondents putting factor in top 3)
Establishing effective security management requirements in the contracts: 65
Monitoring, auditing and evaluating vendor compliance with established security policy: 58
Evaluating and implementing security technology and process integration: 54
Acquiring and maintaining the right skill sets and capabilities to manage security: 31
Determining how much to invest in security in an outsourcing relationship: 26
Delivering effective training in policies and procedures of Outsourcing Providers: 22
Companies want more 3rd party audits and independent security evaluations of outsourcing providers
What tools do you feel are most important to use in evaluating the security capabilities of outsourcing vendors? (number of respondents selecting each tool)
Pull metrics:
– Site visits and in-person audits of vendor security processes and capabilities: 105
– References from other clients: 95
– 3rd party security certifications (e.g., NASSCOM): 89
– Security industry benchmarks & analyst reports: 80
Push metrics:
– Vendor’s security track record as reported in media, industry press: 39
– Vendor’s self-reported metrics (e.g., RFP responses): 37
Information on vendors sought by companies (pull metrics) is more reliable than vendor-reported metrics in RFPs or media (push metrics)
Note: Respondents were asked to select all that apply
The US government could play an increasing role in creating security and privacy regulations for outsourcing providers
Should the U.S. create specific regulations for outsourcing providers to ensure they meet commonly accepted security and privacy standards? (pie chart; the three responses are split roughly evenly at 33%, 32% and 34%)
– Yes, across all providers, functions and service categories
– Yes, but only for specific functions or service categories
– No
Two thirds of respondents are open to some form of US regulation of security standards
Outsourcers should work with associations and governments to define and establish security regulations and standards…
Who should be responsible for defining and establishing the standards? (number of respondents expressing preference)
Customer trade groups or industry associations: 50
Outsourcing service provider coalitions or industry associations: 46
Independent experts and outside consultants: 49
Government-led from within major industrialized nations (e.g. U.S., Europe): 49
Government-led from countries with growing outsourcing industries (e.g. India, China): 31
Industry associations are the top preference for establishing security standards
Industry is ready for public-private partnerships for setting standards and regulations
…while leveraging external auditors for monitoring
Who should be responsible for certifying, monitoring and enforcing standards? (number of respondents expressing preference)
External enforcement via regular certifications and audits by external consultants and auditors: 73
Self-enforcement and reporting at the outsourcing company level: 38
External enforcement via active regulation and management by government entities: 41
Nearly 2:1 preference for 3rd party audits over self-enforcement
Investments should be prioritized for security training and awareness, new technologies and improved policies/procedures
How do you believe outsourcing providers should prioritize their security investments? (number of respondents expressing preference)
Invest in internal security training, education and awareness initiatives: 107
Invest in new security technologies: 85
Improve published security policies and procedures: 75
Invest in outside, independent assessments to highlight internal security and compliance track record: 70
Invest in new physical security and other business continuity initiatives: 51
Note: Respondents were asked to check all that apply
Buyers may be willing to pay a premium for improved security capabilities — challenging the industry to demonstrate ROI
Would you be willing to pay 10% to 15% more for outsourcing services if you thought it would ensure superior security?
Definitely - proven security is worth the additional cost: 30%
Maybe - would depend on comparison of security against other factors: 55%
No - additional security is either not worth the premium or it is too difficult to validate: 15%
85% of respondents may be willing to pay some premium for improved security
Other Supporting Findings
Respondents viewed service disruption, loss of customer trust and brand impact, and loss of intellectual property as equally important outsourcing security risks
What do you believe are the greatest security risks and vulnerabilities to your business from outsourcing? (number of respondents expressing preference)
Disruptions in product delivery or service caused by breakdowns in mission critical business processes or functions: 94
Loss of customer trust or relationships due to improper or fraudulent use of confidential customer data: 91
Loss of intellectual property or other sensitive information via either accidental exposure, theft or misuse of corporate data: 94
Brand or reputation damage that results in loss of goodwill arising from actual or perceived risk of security failures: 92
Risk that your company is liable for improper actions of your outsourcing provider: 65
Other: 5
Note: Respondents were asked to select all that apply
Companies are more concerned about theft or misuse of outsourced data than they are about the threat of terrorism
From your perspective, how serious is the threat of terrorism for the operations of domestic outsourcing vendors? (pie chart with categories Serious Threat, Moderate Threat, Low Threat and No Basis for Evaluation; the percentages shown are 15%, 9%, 39% and 47%, but their assignment to categories is not recoverable from the extracted chart)
How concerned are you about theft, misuse or damage of company systems and data from outside/inside an outsource provider?
Very Concerned: 63%
Somewhat Concerned: 28%
Not Concerned: 9%
Less than 50% view terrorism as a moderate to serious threat, while 91% were somewhat to very concerned about data theft or misuse
There is a credibility gap in the security capabilities of providers, with clients in some verticals more skeptical than others
For your industry, do you find the security capability claims of outsourcing providers credible? (pie charts for Financial Services, Government and Manufacturing; response options: Yes; Yes, but only the largest; Maybe, but no way to verify or validate claims; No. Individual percentages are not recoverable from the extracted chart)
• Less than half of financial services respondents trusted even the largest providers’ security capabilities
• Government respondents were even more skeptical, with less than 30% trusting all or the largest providers
• 67% of manufacturing respondents found some degree of provider security claims to be credible
Half of respondents discredit outsourcers’ security claims; verification of compliance is the 2nd most important evaluation factor
Over the next two years, respondents expect continued growth in the outsourcing market, but are generally divided on whether growth will occur in existing functions, or expand upstream
For your industry, what do you expect in the outsourcing market in the next two years? (pie charts for Financial Services, Government and Manufacturing; response options: Reduction in the size of the market; Slowing growth or market stagnation; Continued growth, but with little expansion beyond current functions; Continued growth and successful expansion of outsourced functions (e.g., moving upstream into R&D). Individual percentages are not recoverable from the extracted chart)
• 95% of financial services respondents expect outsourcing market growth to continue, but are divided on expansion into upstream functions
• Government respondents are less certain, with almost 40% expecting market stagnation or reduction
• 86% of manufacturing respondents expect outsourcing market growth to continue, but are divided on expansion into upstream functions
Survey Methodology and Demographics
Survey Methodology
• Respondent Selection Method: Invitations to participate in the study were distributed via email to a select group of contacts:
– Booz Allen current and former clients
– Other comparable senior executives gathered through selective acquisition
– Registered opt-in subscribers to email lists for knowledge@wharton and strategy+business magazine
– Participants in the Outsourcing Seminar held as part of the Conference Board’s 2005 BPO Conference
• Format: Online survey hosted by Booz Allen Hamilton
• Date of Survey: June – December 2005
• Number of Respondents: 158
83% of respondents are currently outsourcing or actively considering doing so
Is your company either currently outsourcing any functions or actively considering outsourcing?
Yes: 83%
No: 17%
Over half of survey respondents were senior executives
Responses by Function
CXO*: 53%
Other: 32%
Procurement / Regulatory Officer: 15%
*CXO category includes Chairman, President, CEO, CFO, Controller, COO, CIO, CTO, CISO, VP Operations
The 158 respondents to the survey represented 12 different industry sectors
Distribution by Industry (pie chart; sectors: Automotive; Business Services (legal, accounting, architectural, engineering design); Communications (telecommunication, Internet services); Computer Services; Education; Electronics; Financial Services; Government; Healthcare; Insurance; Life Sciences; Manufacturing; Other. Individual percentages are not recoverable from the extracted chart)
Survey respondents represented companies of all sizes
Distribution by # Employees (pie chart; buckets: <1,000; 1,000 - 10,000; 10,000 - 50,000; 50,001 - 75,000; 75,000+)
Distribution by Revenue (pie chart; buckets: <$100M; $100M - $1B; $1B - $10B; >$10B)
Individual percentages are not recoverable from the extracted charts
For more information regarding this survey, please contact:
• Vinay Couto, Vice President, Chicago
– (312) 578-4617
– couto_vinay@bah.com
• Jim Newfrock, Principal, Parsippany, NJ
– (973) 630-6789
– newfrock_jim@bah.com
• Jon Watts, Principal, New York, NY
– (212) 551-6644
– watts_jon@bah.com
• Martha-Rosalind Stainton, Senior Associate, McLean, VA
– (703) 902-3815
– stainton_mr@bah.com