ISACA Now Blog


Offshoring: Getting it Right Through a Security and Privacy Lens

Vinay Narang, Senior Associate, KPMG LLP, Chicago
Posted at 3:05 PM by ISACA News | Category: Privacy

The offshoring industry is at a turning point. There is a growing demand to further saturate offshoring hubs with a view to increasing profits. The true value of offshoring can be realized when viewed as a relationship amongst parties rather than a mere delivery model.

Success of this relationship can be seen when:

  • The offshoring units meet contractual metrics and produce deliverables of industry quality;
  • Onshore units are successful in cutting costs and drawing profits, and are able to focus on critical tasks toward business expansion;
  • People involved in the offshore and onshore units are satisfied, competent, and have synergy;
  • Industry standards are maintained with due care to information security and privacy requirements.

However, in the real world, it seems companies struggle to manage this relationship, with security and privacy considerations becoming all the more challenging to manage.

So, the question is, offshoring: how to get it right? Or do we plan to offshore this task as well?

Below are key considerations that, when consciously applied by the onshore and the offshore teams, will help companies achieve talent utilization, value creation and profit realization.

Key considerations for the ONSHORE team

1. Change in mindset
Operational lens:
The current patch in the mindset of onshore professionals, in which offshore teams are flooded with work requests, needs to be updated. Onshore professionals need to update and mature their mindset in the pursuit of achieving low costs and high quality. The offshore team must be viewed as an extension of the team, and team members should be encouraged to ask questions and build their expertise. The vision of the firm and the engagement should unite the teams with a shared purpose when geographic distance separates them.
Security/privacy lens:
Change is the only constant in technology. Based on changing laws and regulations, the onshore team must be aware of the information that is being dealt with in onshore locations. According to Chapter 5 of the General Data Protection Regulation (GDPR), which is related to transfers of personal data to third countries or international organizations, considerations must be satisfied while processing or intending to process personal data. As such, given the global impact, it is vital for onshore professionals to update their mindset from a security/privacy lens and carefully scan the information that can or cannot be offshored.

2. Collaborate and share knowledge with offshore teams
Operational lens:
Onshore professionals should be encouraged to share knowledge with offshore teams to help them understand the objectives of the deliverables. Having structured periodic calls/updates helps achieve efficiency on both sides of the table. Training the onshore team on how to efficiently collaborate with offshore professionals, understanding the culture of communication and work management at the offshore site, and periodic checkpoints on technical learnings will meet these goals.
Security/privacy lens:
A strong relationship requires both parties to complement each other. In this direction, it is important to train offshore teams on the technical aspects of security and privacy considerations. Training can be based on a framework (like NIST or ISO) or can focus on areas such as access control, information risk assessments, network security, and system development. As such, collaborating and sharing such knowledge will make the offshore teams informed, enabling them to make sound decisions.

3. Invest in the right technology
Operational lens:
Large firms that embrace offshoring usually have a file-sharing/instructions-sharing mechanism connecting the onshore and offshore teams. With time, it is noted that the tool or mechanism being used seems ineffective in terms of time, usage, and perhaps intent. While long emails and Excel trackers have become a thing of the past, firms must smartly invest in research and development of proprietary tools and automation techniques.
Security/privacy lens:
From a security/privacy lens, companies need to consider:
1. Technology being used to share the data
2. Actual content or data being shared
Automation brings its own risks, especially related to data security and access security. Wise implementation of automation, backed by constant monitoring of security measures, helps mitigate risks. When actual content or data is being shared, special care needs to be taken when dealing with personal data.

Key considerations for the OFFSHORE team

1. Build the right team
Operational lens:
With cheaper costs at offshoring locations, the easy option would be to hire as many professionals as possible and then distribute work amongst them. However, building the right team that has the required skillsets, educational background, and professional interests aligning to the services provided by the firm is critical. The hiring process at offshore locations should be based on standards that align with the quality represented by the firm.
Security/privacy lens:
The issue of data sent offshore and the risk to its privacy has shown that current laws (HIPAA, GLBA) do not adequately cover or protect US customers when information is sent abroad for processing. Offshore teams must have subject matter experts who engage in opportunities focused on regulations and are able to drive teams with their experience. Offshore teams execute best when they are led and trained by experienced leaders within the group. Industry certifications and periodic internal workshops on information security and risk management go a long way in building the right team.

2. Invest in quality and project management
Operational lens:
With contractual metrics established between onshore and offshore teams, the need to rush and hand back deliverables to the onshore teams highlights a gap in the quality and project management practices. Offshore teams must check their deliverables for quality, voice opinions if they differ from those of the onshore teams, suggest innovative ways of accomplishing tasks and streamline quality processes. Offshore leadership must work with their teams to check if there are any gaps with respect to project management techniques, which affect resources or onshore stakeholders.
Security/privacy lens:
Low cost and high quality are traditional labels that sell offshoring. It is an investment of patience and continuous good practices to achieve high quality with offshoring teams. Techniques such as Six Sigma have been instrumental in streamlining quality requirements, and some companies have aligned Six Sigma to their security framework to derive security-driven return on investments. Offshoring teams should define, evaluate, and monitor their quality metrics, and present how they add value to onshore teams and customers.

