BPO Blog
Get the latest business process outsourcing news, information and thought leadership at HP blogs and communities.

Security should have a Front-row Seat at the Outsourcing Table

LOCK.jpgBy Mohammed Sadiq Ali,  Director, Global Risk & Compliance

Application Business Services


I recently read an interesting Horses for Sources (HfS) article titled It’s a miracle we’re yet to see any BPO/ITO security disasters.” It is indeed ironic that not much importance is given to security as part of the outsourcing process. There are enough constraints for CSOs to implement the latest security technologies to protect their organization from various security threats. In today’s security environment, we observe that threats evolve and react to innovation much faster, emphasizing the need for continuous monitoring and improvement. When an organization makes a decision to outsource some of its work, business leaders usually either forget the necessity to involve the CSO or they pull them in much later in the game when there is a disaster just around the corner. Or they merely assume that service providers will take care of all of the security requirements.


We are dealing with many buyers of our services, and the above issue pointed out by James Slaby in the HfS post is notable with the exception of 1 or 2. Buyers (or their outsourcing advisors) instead focus on including security requirements in the contractual clauses. Though it covers the buyers, it does not absolve them of the responsibility completely. It depends a lot on the service provider’s capability, expertise, scalability, experience, intent, etc., and how much the service provider believes in the importance of security.


I agree with Slaby in that the big players definitely play a more proactive role. At HP, security is given high priority and importance because we have security as a service offering. By adopting this strategy we ensure that it is not something ‘we have to tip-toe around,’ rather it something we ‘must do’ for our clients.


Our Risk, Compliance & Security team is engaged by the sales team at the time of solutioning. This ensures that the team:


  • Understands the process outsourced
  • Carries out a detailed process map / impact analyses
  • Designs a risk and control matrix for the outsourced process

These steps help ensure a strong control environment is built to protect the process and organization from potential threats. It also helps our clients be in compliance with various data privacy and regulatory requirements. We work as two-in-the-box with clients to ensure we go beyond what is listed in the contract so that the solution is holistic & not done in pieces. Though there is more work to be done in this area, we are continuously evolving.


It is appropriate to conclude that how an organization thinks about security depends a lot on the management and their thought leadership. There will be opportunities for the CSO to build security as a part of the culture in the organization. When such opportunities arise, the CSO should take advantage of them. If such opportunities are missed, then the wait begins for the next opportunity, and until then one needs to keep believing, as the HfS article notes, in “miracles” to save companies from security disasters.


What are your thoughts on security and outsourcing? Should security be “built-in” or added on later? What have your experiences been when it comes to this topic?


Additional resources:

Nadhan | ‎08-03-2012 11:19 PM

Couldn't agree more, Sadiq.  Especially when it comes to working with Cloud service providers -- because guess who is responsible when it comes to Cloud security?


Connect with Nadhan on: Twitter, Facebook, Linkedin

Showing results for 
Search instead for 
Do you mean 
About the Author

Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.