
DISCUSSION DOCUMENT

Outsourcing Security: Concerns Growing


Outsourcing Security Survey Findings

March 21, 2006


New York, NY

Background on the Booz Allen Hamilton Outsourcing Security Survey

• As the use of outsourcing continues to grow, so too do risks to customer and company data that companies must rely on their outsourcing vendors to protect

• In order to better understand how companies are managing the information security and data privacy risks of outsourcing, Booz Allen Hamilton surveyed senior executives involved in defining and managing their companies’ outsourcing strategies

• The survey, which reflects the responses of 158 executives from companies across a range of industries, June-December 2005, was designed to provide insight into:
– Senior Executive perspectives on the magnitude of information security risk involved in outsourcing relationships
– How companies approach the evaluation and monitoring of outsourcing vendors’ information security capabilities
– The information security and data privacy challenges that the outsourcing industry must address in order to maintain the trust and confidence of customers and clients

• The following presentation provides an initial summary of the survey results

Key Takeaway: Companies using outsourcing are increasingly concerned about information security

Executive Summary

• Security is an increasingly important issue among outsourcing buyers

• While security is a complex issue, respondents almost unanimously agreed on the need for standards and auditing mechanisms

• These mechanisms are particularly needed in some key countries where respondents do not trust the current legal and regulatory infrastructure (e.g. India, China)

• Support is growing for government involvement in setting and enforcing security standards

• Like financial markets, outsourcing security can benefit from public-private partnerships to provide regulations, standards and audit capabilities

• Outsourcing buyers seem willing to pay a premium for improved security capabilities

Services, pricing and security capabilities are the top three evaluation factors when selecting an outsourcing partner

When selecting an outsourcing partner, what are the most important evaluation factors?

– Capabilities and quality of services: 117
– Pricing of service and cost savings to the company: 77
– Provider's security policies, capabilities and track record: 74
– Financial strength and business stability: 63
– Reputation, brand and references: 51
– Provider's regulatory and compliance history: 33
– Geographic factors: 17

Note: Respondents were asked to select all that apply

Companies are more concerned about cyber threats than physical breaches and natural disasters

When evaluating or managing outsourcing relationships, how concerned are you about the following type(s) of security threats?

Cyber Threats
– Theft, misuse or damage of company systems and data from outside the Outsource Provider (system hacking, viruses, spyware infiltration, etc.): 101
– Theft, misuse or damage of company systems or data from inside the Outsource Provider: 98

Non-cyber Threats
– Theft or damage of data or assets via compromises of physical security (break-ins, vandalism, etc.): 56
– Compromise of operating continuity due to external factors (natural disasters, political instability, etc.): 56

Note: Includes only # of respondents who answered “Very Important” in each category
Note: Respondents were asked to select all that apply

Increased awareness of security risks has led many companies to review their outsourcing strategies in the last year

In the last two years, have you heard of specific examples of outsourcing security failures and/or breaches of privacy?

As a result of this knowledge, has your company reviewed its overall outsourcing strategy in the last year?

[Two Yes/No pie charts, one per question; segment values as extracted: 37%, 42%, 58%, 63%]

The security risk is perceived as significantly higher for providers with offshore operations

Do you perceive a greater or lesser risk of security threats for outsourcing providers located offshore?

– Much Lower: 1%
– Moderately Lower: 2%
– No basis for comparison: 4%
– Same: 17%
– Much Higher and Moderately Higher: 28% and 48% between them

76% of respondents consider the security risks when using offshore providers higher than the risks associated with domestic providers

Providers with operations in India, Asia and South America are particularly challenged by a legal and regulatory perception gap

Which geographies have a robust regulatory and legal infrastructure?

% of Respondents selecting geography
– North America: 83%
– Ireland: 52%
– Emerging EU: 42%
– India: 27%
– Southeast Asia: 11%
– Other: 9%
– South America: 6%
– China: 5%

Challenging Regulatory and Legal Environments (chart callout on the lowest-ranked geographies)

Major Findings

• North America is seen as having the most robust legal and regulatory environment, followed by Ireland and the emerging EU countries of eastern Europe

• India is seen as fair, with room to improve, as only 27% of respondents indicated that the area has a robust legal infrastructure

• China, South America, and Southeast Asia were seen as having the biggest legal and regulatory gap, with 11 percent or fewer respondents indicating they had a robust infrastructure

Note: Respondents were asked to check all that apply

Providers’ security capabilities matter more than providers’ security budgets ….

How important are the following security factors when evaluating and managing an outsourcing relationship?

– Provider’s network & system security: 82
– Provider’s compliance with standards and laws: 78
– Provider’s personnel security policy and procedures: 68
– Physical security at provider’s facilities: 63
– Provider’s security team (depth of expertise): 60
– Provider’s security budget (provider’s budget on security relative to industry best practices): 33

Verifiable security management capabilities matter more than absolute spending

Note: Includes only # of respondents who answered “Very Important” in each category
Note: Respondents were asked to select all that apply

…however defining, monitoring, and integrating security management in outsourcing contracts is a growing challenge

Which factors present the biggest management challenges in evaluating and managing security in outsourcing relationships?

% of respondents putting factor in top 3
– Establish effective security management requirements in the contracts: 65
– Monitoring, auditing and evaluating vendor compliance with established security policy: 58
– Evaluating and implementing security technology and process integration: 54
– Acquiring and maintaining the right skill sets and capabilities to manage security: 31
– Determining how much to invest in security in an outsourcing relationship: 26
– Delivering effective training in policies and procedures of Outsourcing Providers: 22

Companies want more 3rd party audits and independent security evaluations of outsourcing providers

What tools do you feel are most important to use in evaluating the security capabilities of outsourcing vendors?

Pull metrics
– Site visits and in-person audits of vendor security processes and capabilities: 105
– References from other clients: 95
– 3rd party security certifications (e.g., NASSCOM): 89
– Security industry benchmarks & analyst reports: 80

Push metrics
– Vendor’s security track record as reported in media, industry press: 39
– Vendor’s self-reported metrics (e.g., RFP responses): 37

Information on vendors sought by companies (pull metrics) is more reliable than vendor-reported metrics in RFPs or media (push metrics)

Note: Respondents were asked to select all that apply

The US government could play an increasing role in creating security and privacy regulations for outsourcing providers

Should the U.S. create specific regulations for outsourcing providers to ensure they meet commonly accepted security and privacy standards?

[Pie chart; segments: Yes, across all providers, functions and service categories; Yes, but only for specific functions or service categories; No. Segment values as extracted: 33%, 32%, 34%]

Two thirds of respondents are open to some form of US regulation of security standards

Outsourcers should work with associations and governments to define and establish security regulations and standards…

Who should be responsible for defining and establishing the standards?

# of Respondents expressing preference
– Customer trade groups or industry associations: 50
– Outsourcing service provider coalitions or industry associations: 46
– Independent experts and outside consultants: 49
– Government-led from within major industrialized nations (e.g. U.S., Europe): 49
– Government-led from countries with growing outsourcing industries (e.g. India, China): 31

Industry associations top preference for establishing security standards

Industry ready for public-private partnerships for setting standards and regulations

…while leveraging external auditors for monitoring

Who should be responsible for certifying, monitoring and enforcing standards?

# of Respondents expressing preference
– External enforcement via regular certifications and audits by external consultants and auditors: 73
– Self-enforcement and reporting at the outsourcing company level: 38
– External enforcement via active regulation and management by government entities: 41

Nearly 2:1 preference for 3rd party audits over self-enforcement

Investments should be prioritized for security training and awareness, new technologies and improved policies/procedures

How do you believe outsourcing providers should prioritize their security investments?

# of Respondents expressing preference
– Invest in internal security training, education and awareness initiatives: 107
– Invest in new security technologies: 85
– Improve published security policies and procedures: 75
– Invest in outside, independent assessments to highlight internal security and compliance track record: 70
– Invest in new physical security and other business continuity initiatives: 51

Note: Respondents were asked to check all that apply

Buyers may be willing to pay a premium for improved security capabilities — challenging the industry to demonstrate ROI

Would you be willing to pay 10% to 15% more for outsourcing services if you thought it would ensure superior security?

– No - additional security is either not worth the premium or it is too difficult to validate: 15%
– Definitely - proven security is worth the additional cost, and Maybe - would depend on comparison of security against other factors: 30% and 55% between them

85% of respondents may be willing to pay some premium for improved security

Other Supporting Findings


Respondents viewed service disruption, loss of customer trust and brand impact, and loss of intellectual property as equally important outsourcing security risks

What do you believe are the greatest security risks and vulnerabilities to your business from outsourcing?

# of Respondents expressing preference
– Disruptions in product delivery or service caused by breakdowns in mission critical business processes or functions: 94
– Loss of customer trust or relationships due to improper or fraudulent use of confidential customer data: 91
– Loss of intellectual property or other sensitive information via either accidental exposure, theft or misuse of corporate data: 94
– Brand or reputation damage that results in loss of goodwill arising from actual or perceived risk of security failures: 92
– Risk that your company is liable for improper actions of your outsourcing provider: 65
– Other: 5

Note: Respondents were asked to select all that apply

Companies are more concerned about theft or misuse of outsourced data than they are about the threat of terrorism

From your perspective, how serious is the threat of terrorism for the operations of domestic outsourcing vendors?

[Pie chart; segments: Serious Threat, Moderate Threat, Low Threat, No Basis for Evaluation]

How concerned are you about theft, misuse or damage of company systems and data from outside/inside an outsource provider?

[Pie chart; segments: Very Concerned, Somewhat Concerned, Not Concerned]

Less than 50% view terrorism as a moderate – serious threat, while 91% were somewhat – very concerned about data theft or misuse

There is a credibility gap in the security capabilities of providers, with clients in some verticals more skeptical than others

For your industry, do you find the security capability claims of outsourcing providers credible?

[Pie charts, including panels for Financial Services, Government and Manufacturing; segments: Yes; Yes, but only the largest; Maybe, but no way to verify or validate claims; No]

• Less than half of financial services respondents trusted even the largest providers’ security capabilities

• Government respondents were even more skeptical with less than 30% trusting all or the largest providers

• 67% of manufacturing respondents found some degree of provider security claims to be credible

Half of respondents discredit outsourcers’ security claims

Verification of compliance 2nd most important evaluation factor

Over the next two years, respondents expect continued growth in the outsourcing market, but are generally divided on whether growth will occur in existing functions, or expand upstream

For your industry, what do you expect in the outsourcing market in the next two years?

[Pie charts, including panels for Financial Services, Government and Manufacturing; segments: Continued growth and successful expansion of outsourced functions (e.g., moving upstream into R&D); Continued growth, but with little expansion beyond current functions; Slowing growth or market stagnation; Reduction in the size of the market]

• 95% of financial services respondents expect outsourcing market growth to continue, but are divided on expansion into upstream functions

• Government respondents are less certain, with almost 40% expecting market stagnation or reduction

• 86% of manufacturing respondents expect outsourcing market growth to continue, but are divided on expansion into upstream functions

Survey Methodology and Demographics


Survey Methodology

• Respondent Selection Method: Invitations to participate in the study were distributed via email to a select group of contacts:
– Booz Allen current and former clients
– Other comparable senior executives gathered through selective acquisition
– Registered opt-in subscribers to email lists for knowledge@wharton and strategy+business magazine
– Participants in Outsourcing Seminar as part of Conference Board’s 2005 BPO Conference

• Format: Online survey hosted by Booz Allen Hamilton

• Date of Survey: June – December 2005

• Number of Respondents: 158

83% of respondents are currently outsourcing or actively considering doing so

Is your company either currently outsourcing any functions or actively considering outsourcing?

– YES: 83%
– NO: 17%

Over half of survey respondents were senior executives

Responses by Function

[Pie chart; segments: CXO*, Procurement / Regulatory Officer, Other. Segment values as extracted: 32%, 53%, 15%]

The 158 respondents to the survey represented 12 different industry sectors

Distribution by Industry

[Pie chart; legend: Automotive; Business Services (legal, accounting, architectural, engineering design); Communications (telecommunication, Internet services); Computer Services; Education; Electronics; Financial Services; Government; Healthcare; Insurance; Life Sciences; Manufacturing; Other]

Survey respondents represented companies of all sizes

Distribution by Revenue

[Pie chart; legend: <$100 M; $100M - $1B; $1B-$10B; >$10B+]

Distribution by # Employees

[Pie chart; legend: <1,000; 1,000 - 10,000; 10,000 - 50,000; 50,001 - 75,000; 75,000+]

For more information regarding this survey, please contact:

• Vinay Couto, Vice President, Chicago
– (312) 578-4617
– couto_vinay@bah.com

• Jim Newfrock, Principal, Parsippany, NJ
– (973) 630-6789
– newfrock_jim@bah.com

• Jon Watts, Principal, New York, NY
– (212) 551-6644
– watts_jon@bah.com

• Martha-Rosalind Stainton, Senior Associate, McLean, VA
– (703) 902-3815
– stainton_mr@bah.com