Outsourcing's Impact on Network Security Still Uncertain

Despite IT pros' concerns about outsourcing's net effect on network security, the true impact is still unclear.

Information security is always a concern in any outsourcing arrangement, particularly when that arrangement involves the shifting of applications, workloads, or services -- to say nothing of sensitive data -- overseas.

Just how much of a concern is still the subject of considerable debate.

There is little dispute that IT pros have grave concerns about outsourcing's net effects on network security. Consider a new survey sponsored by security software firm VanDyke Software Inc., which found that an overwhelming majority of IT pros -- almost 70 percent -- believe that shifting jobs overseas has a negative overall impact on network security.

The survey -- which collected responses from 350 network administrators and IT executives -- was conducted by Amplitude Research, a professional market research firm based in Boca Raton, Fla.

In stark contrast to the IT pros who feel that outsourcing can compromise network security, just 10 percent of respondents believe outsourcing can improve network security. (Another 22 percent say it has no net impact.)

VanDyke Software, which has an avowed interest in drawing attention to concerns about outsourcing and network security (the firm develops and markets security-oriented tools for network administration and end-user access), says that outsourcing and its overall impact on network security is an issue that merits additional investigation. "The survey results indicate there is sentiment, as well as initial data, that suggests outsourcing tech jobs offshore is a matter that needs greater scrutiny in the area of network security," said Jeff Van Dyke, VanDyke's president and founder, in a prepared release.

IT pros aren't grousing around, either, VanDyke and Amplitude Research officials stress. A solid majority -- regardless of their own experiences with outsourcing -- have concerns about its impact with respect to network security.

On the other hand, opposition to offshore outsourcing tends to be higher among IT pros whose employers don't currently outsource any of their IT operations overseas. For example, the survey reports that nearly one-third of respondents (29 percent) confirm that their organizations currently have offshore outsourcing arrangements; among these, only half -- as opposed to 69 percent for the entire sample -- believe that outsourcing has had a negative impact on network security.

Meanwhile, one-quarter (24 percent) say it has had a positive impact. The latter tally is almost 300 percent higher among shops that outsource. (Just over a quarter say that outsourcing hasn't had any impact on network security.)

There's an additional wrinkle here: outsourcers are more likely than non-outsourcers to have experienced an unauthorized intrusion of some kind. In fact, more than three-fifths of respondents in outsourcing shops admit that their companies were victimized by an illicit or unauthorized intrusion of some kind.

There isn't necessarily a correlation between a decision to outsource and an increased likelihood of intrusion, however. For starters, companies that outsource -- particularly companies that engage in offshore outsourcing -- tend to be bigger than non-outsourcing organizations. What's more, companies that send IT workloads or services to offshore locales tend to be much bigger.

This is true even with regard to security applications or services. According to a 2006 survey sponsored by the Federal Bureau of Investigation (FBI) and the Computer Security Institute (CSI), shops with more than $1 billion in annual revenues sent 15 percent of their security functions offshore (that was a 66 percent increase from the year before), while organizations that generated less than $10 million in annual revenues sent just 8 percent of their security functions overseas. (Shops in the $100 million to $1 billion range were also big outsourcers, sending 13 percent of security tasks overseas.)

An increase in size translates into an increase in profile. There are also correlations between size and (a) willingness to outsource and (b) volume of outsourcing. The upshot, then, is that companies which outsource -- and particularly shops that choose to outsource security-related tasks or services to offshore providers -- tend both to be bigger targets and more ambitious outsourcers.

Moreover, the VanDyke survey didn't ask respondents if they had experienced an unauthorized intrusion as a result of an offshore outsourcing arrangement.

There's no consensus about how offshore outsourcing affects information security. This is in part because -- notwithstanding the existence of several market research reports that clearly establish the size or demographics of outsourcing practitioners -- there's a lamentable lack of hard data dealing with the economic benefits of outsourcing, particularly with respect to intangibles (or to what economists call "externalities").

"Most products have an elastic demand function. Thus, if security behaves as most goods, if outsourcing can reduce the price of one unit of security, firms should decide to consume more or increase their security," writes Brent Rowe, a researcher with think tank RTI International, in a 2007 publication entitled Will Outsourcing IT Security Lead to a Higher Social Level of Security?

Rowe suggests a thought-exercise. "If a firm decides that it can outsource part of its security and pay less per unit of security, we should assume that the firm would consume more security," he says, adding that -- if this assumption is correct -- the net result, on balance, should be an overall improvement in IT security.

"However, security has many characteristics that are very different from normal goods," Rowe continues. "When a firm spends more money on security, it may or may not be guaranteed to see improvements [such as enhanced network performance, reduced downtime, or fewer breaches]. As an example, a firm may require that its network generally be open as part of its business operations."

The upshot, Rowe laments, is that we just don't know.

"[O]ther firm characteristics may exist that determine the level of spending a firm sets after it decides to outsource certain activities," he concludes. "This issue merits further study, although at this point, no study has looked at the change in IT security spending as a result of outsourcing."
