China’s service outsourcing continues to grow

China’s service outsourcing industry continues to grow, with a faster increase in the value of contracts signed in the first 10 months of the year, official data showed on Wednesday.

Chinese companies inked service outsourcing contracts worth $96.75 billion during the Jan-Oct period, up 18.2 percent year on year, accelerating from a 16.4-percent increase in the first nine months, the Ministry of Commerce (MOC) said.

Among the deals were offshore service outsourcing contracts valued at $63.48 billion, rising 18.8 percent from a year earlier.

Contracts fulfilled with businesses in the United States and the EU posted rapid growth, up 18.1 percent and 12.8 percent respectively in their value.

Outsourcing of information technology-related services accounted for more than half of the contracts, according to the MOC.

China is the world’s second-largest service outsourcing provider after India. The State Council has said outsourcing will be a new engine for tertiary industry and a boon to employment.

In the first 10 months, nearly 5,000 new firms in service outsourcing were established, creating 926,000 jobs, up 92 percent and 59.8 percent year on year, the MOC data showed.

Source: ChinaDaily-China’s service outsourcing continues to grow

5 reasons most outsourcing projects fail

There are 5 key areas seasoned CIOs believe you have to get right when outsourcing web and mobile applications.

Outsourcing is an integral part of today’s work culture. Companies across a wide range of sizes and industries are choosing to outsource some or all of their software development. As David Berry, CIO of Daymon says, outsourcing is no longer about saving money, but primarily about flexibility and getting to scale.
While outsourcing has many benefits, it also brings some operational challenges. To get a better sense of the roadblocks that could derail an outsourced project, I interviewed people who take responsibility for outsourcing software projects – CIOs.

Most outsourcing projects fail because tech leaders do not follow these 5 steps:

1. Role clarity

Like any great leader, most CIOs should start by emphasizing the need for complete clarity about their own role in the outsourcing process. They are the bridge between the CEO and the IT division.

A CIO must understand the business implications of the project. There has to be a specific business case for each IT project. It might be overhauling the online presence of the company by redesigning the website, or adding a new mobile app to help a business unit better communicate with customers. Either way, the implications of the outsourced project must be clearly understood by the CIO and properly communicated to the internal and outsourced IT teams.

On the other end, a CIO should be equally adept at understanding the technical components of the project. Until she understands the nuances of the project, it will be very difficult to guide the team. Great CIOs understand their role, the incentives of each stakeholder and must know how to communicate with each party to keep everyone motivated.

2. Big picture
Once the CIO understands her role in the outsourcing engagement, she must then understand how the outsourced project integrates with all the other tools and products in the company. CIO of Weitz and Luxenburg, Arun K. Sharma, states that it is important to know how a project initiative for one product can affect other products or services in the portfolio. For example, if you are developing a new mobile application for your account management team, you should plan ahead and look into all the other products it should integrate with. In this case you might want the application to integrate with your customer service, social media and other customer facing tools so that account managers can get a more comprehensive picture of each customer across each touchpoint.

If you don’t take into account these big picture flows and processes, you might successfully build an isolated product but then face severe challenges integrating it, which could cause the project to fail.

3. Planning

After you know your role and understand the high level view, you transition into the planning phase. Tom Amrhein, CIO at Integrated-DM, mentions that to properly plan your next project, you have to work closely with your customers to understand their needs and priorities. Every aspect of the milestone needs to be planned in advance to ensure smooth operation. Of course there is a balance because you want to be agile so you cannot plan out every detail in a long term project but it’s important to make sure your standards and preferences are clear and at least the tasks for the next milestone, usually 4 weeks, are clear. Sean Azhadi, CIO of Arizona State Credit Union, states that proper planning helps ensure that a project does not deviate from its intended direction.

Key standards that should be predefined include – documentation, styling, architecture, and method of communication.

4. Trusted partner

If you have a trustworthy partner, you can include them in the planning phase. Rob Lloyd, CIO at City of Avondale, says that you must focus on the outcomes that you are targeting from a specific project and make sure that is very clear, but you can involve the outsourced developer in the planning phase. By having a trustworthy outsourced partner you can leverage their experience while developing a detailed roadmap.

Brian Luckey, VP of Technology at Knowledgenet, also believes finding a trusted outsourced vendor prior to starting your project is critical. This allows you to focus on product development instead of constantly questioning the development teams incentives.

5. Implied communication

Most people make the mistake of omitting some information while sharing a project brief as they assume it is obvious. Seasoned CIOs warn against this behavior. They repeatedly stressed on explaining things in detail. What is obvious to you, say an industry veteran who has spent the last 30 years in the insurance industry, might not be as clear to an outsourced team that might have only done 1 or 2 insurance projects.

This is even more important when you are working with a team for the first time or partnering with a company that doesn’t have extensive experience in your industry. Also there are always some unique aspects of your business processes or structure that will impact the way the product is built; it’s your job to make sure this is clear.

While it’s hard to iron out all the details, regular reporting, communication and cross checking will help ensure that the scope is properly understood. It’s always better to over communicate than miss out on some seemingly obvious but important details.

According to Nigel Fortlage, CIO at GHY, implied communication is a larger problem in a remote working engagement so it’s important that you regularly video conference to mitigate the communication gap.

These are the 5 areas that CIOs usually struggle with when outsourcing a project. Christopher Augustin, CIO of First Data, sums up the key to a successful outsourcing engagement, “The outsourced tech team has to be aligned with the goals of the product, and the business.” If you have great planning, alignment and a structured communication process you avoid some of the most common reasons outsourced IT projects fail.

Source: CIO.com-5 reasons most outsourcing projects fail By Randy Rayess

Outsourcing in 2020

During he last few days of 2015 the National Outsourcing Association (UK member of European Outsourcing Association) performed the NOA’s “Outsourcing in 2020” survey.

The results are in and they reveal a wide range of intriguing insights on how new trends and technologies are going to transform the face of modern outsourcing. What’s more, the findings paint an interesting picture of what the new outsourcing ecosystem is going to look like in the build up to the year 2020 and beyond.

I wanted to give you exclusive access to these findings, ahead of them being published in the Outsourcing Yearbook in early 2016.

Let’s get started…

Methodology

134 organisations participated in our research (roughly one-third buyers, one-third service providers, one-third support organisations). 25% of these organisations had 50,000+ employees – on the buy-side, 50% had a headcount of 10,000 or more, while company size on the supply-side was more varied.

The vast majority of those surveyed were C-suite, Directors, Heads, Presidents, Senior Vice Presidents, Managers and Specialists. Overall, 35% saw ITO as their main area of focus, while 33% said BPO. Customer service, FAO, HRO, KPO, LPO and local government were also given as focuses.

Key Findings

How will your company’s use of outsourcing change over the next five years?

• 70% of buyers plan to increase their use of outsourcing, with 35% planning to significantly. 10% plan to decrease their outsourcing slightly; none plan to decrease the amount they outsource significantly.
• 83% of suppliers expect the outsourcing industry to grow, with 37% expecting it to grow significantly. Just 4% expect the outsourcing industry to get smaller.

What business issues are increasing your company’s use of outsourcing?

• Overall, organisations said they outsourced primarily for the following reasons:
  Cost savings (35% cited this as the prime driver for outsourcing); improving the customer experience (23%); transitioning from legacy IT to as-a-service models (17%).
• This differs from the traditional prime reasons why companies outsource: Cost savings; increasing operational flexibility; accessing new skills.

How progressed are you with the following business activities? How significant will they be in 2020?

• Overall, respondents said they are most progressed with offshoring, cloud and process transformation
• 83% of all respondents believed robotic process automation (RPA) will be of greater significance in the next decade. 80% said the same of artificial intelligence (AI).
• 44% of suppliers said AI will be more of a game-changer than RPA. Just 7% on the buy-side agreed.
• 61% of buyers thought backsourcing will be less significant in 2020, with 57% of suppliers saying the same. 59% of buyers thought reshoring will be less significant in 2020, while 61% of suppliers said the same of offshoring.

Key changes to contracting in 2020

Our research showed strong expectation on both sides that the following changes to contracting will occur:

1. Contract values will be based on outcomes
2. Service providers will be contracted as service integrators sharing risk
3. Procurement will become a more important part of the contracting process
4. Notice periods will become significantly shorter

Conclusions

There’s a new outsourcing ecosystem on the horizon – one that will be defined by the ability of organisations to provide customer-centricity and handle data. We’ll also see increased investment over the next five years in many areas: data analytics, digital innovations, robotic process automation, artificial intelligence, to name just a few.

Outsourcing as a practice is set to become more dynamic, more collaborative and more competitive – the speed and willingness with which outsourcers and their service providers adapt will determine the winners and losers in 2020.

For the full picture, read NOA CEO Kerry Hallard’s article Make way for the new outsourcing ecosystem which was featured in The Times’ “Future of Outsourcing” supplement this month.

These are just the basic findings. The full report will be published in the Outsourcing Yearbook, schedule for release in Q1 2016. To ensure you receive your free copy, head over to the NOA website.

10 outsourcing trends to watch in 2016

Experts expect a number of shifts in the IT outsourcing industry in 2016. Some of these shifts include a focus on hyper-speed deal making, new multi-sourcing headaches, more man-machine collaboration and more.

his year, we saw companies embrace increased standardization and cloud computing options of all flavors, use their leverage to renegotiate or rebid their deals, and settle into a best-of-breed approach to offshore outsourcing.

So what will 2016 bring? Our experts expect a number of shifts in the industry—including a focus on hyper-speed deal making, the emergence of new multi-sourcing headaches and potential cures, increased man-machine collaboration, and significant expansion of the service provider universe.

1. Security takes center stage

Security is top of mind from the boardroom to the break room, and it will influence outsourcing strategy in 2016. Indeed, security risk is poised to increase as telematics and the Internet of Things (IoT) becomes more prevalent in consumer and commercial products, says Paul Roy, partner in the business and technology sourcing practice of Mayer Brown. “Increasing numbers of threat actors will use increasingly creative ways to exploit weaknesses, often with devastating effect. Regulators will exact increasingly large fines for poor security. Service providers have often been the weakest link in a company’s security and will need to find better ways to address that concern.”

“The threat profile changes every day and with every added protection comes a new vulnerability, not to mention it is becoming harder and harder to tie products together to deliver a robust security solution,” says Rahul Singh, managing director at outsourcing consultancy Pace Harmon. “In 2016, we expect to see the rise of the Chief Security Officer and more enterprises opting for specialized security vendors with Security-as-a-Service capabilities that can protect data no matter where it resides.”
2. Offshore captives come back

Companies will leverage the experience they have gained in process maturity as a result of working with outsourced offshore teams and set up their own shops, predicts Randy Vetter, senior director with outsourcing consultancy Alsbridge. “The objective of this approach will be to reduce costs by taking away the provider’s margin, as well as increase flexibility by removing contractual constraints.” Companies are likely to get smarter about insourcing in general, says Alsbridge director Mary Patry. “Rather than insourcing as a knee-jerk reaction to a bad outsourcing relationship and repeating past mistakes, clients will benefit from lessons learned and be smarter about what and how they repatriate.”

3. Production workloads—and more—hit the cloud

There’s no denying Amazon’s first mover advantage with the public cloud. And IT shops who reached for the cloud first did so with non-critical systems. But in 2016, we’ll see more production workloads move to the cloud—and not just AWS, says Lynn LeBlanc, CEO of HotLink. “No CIO wants to cast all bets on just one cloud provider,” LeBlanc says. “IT pros recognize that the future of their data centers will embody many platforms, so we’ll start to see more CIOs experiment with other major public cloud options, such as Microsoft Azure and Google Cloud Platform.”

“In 2016 the potential to move outsourcing from the ‘lift and shift’ of non-core processes to something more substantial is entirely do-able in the cloud,” says Michael Corcoran, a senior managing director overseeing growth and strategy for Accenture Operations. “The as-a-service outsourcing model makes it possible to combine infrastructure, software, and business process to create a platform that is much more modular, scalable and intelligent. This platform can tackle higher-level processes, creating results that increase revenues, improve margins, enhance customer service, and move the business forward instead of running in place.”

4. VMOs go mainstream

Multi-sourcing has multiplied the vendor management workload. “As clients look for ways to address the challenges of overseeing increasingly complex multi-vendor service delivery models, the [vendor management office] will establish itself as a way to provide a high-level, enterprise-wide view while at the same time managing day-to-day operational details and multiple touch points between different providers in the service delivery chain,” says Mike Slavin, Alsbridge managing director.

5. Integration challenges surge

“Customers adopting an ever larger number of emerging digital technologies will face an ever-larger integration challenge,” says Rebecca Eisner, partner in the Chicago office of law firm Mayer Brown. “Many of the most powerful cloud technologies will require integration efforts comparable to those required to install ERP systems.” Because most companies do not have employees capable of managing multiple emerging technology platforms, they’ll have to outsource service integration, incident management, and change management. Expect increasing partnerships among providers, predicts Mayer Brown partner Brad Peterson.

6. The service providers universe expands

“Customers will buy from an expanding list of technology providers,” says Dan Masur, partner in Mayer Brown’s Washington, D.C. office. “Customers will continue to turn to ITO, BPO and cloud service providers who have blazed a digital trail for help in becoming digital businesses. They will source services from an ever-expanding list of emerging and digital technology providers. Pace Harmon’s Singh says we’ll see more product-driven managed services “as more product-oriented vendors, such as Cisco and others, move beyond just selling their products to also delivering services around their products. We are already seeing this on a small scale, but expect it to ramp up in 2016 as very large clients are growing their managed services capabilities.”

7. Multi-speed IT hits outsourcing

Gartner dubbed it “bimodal IT.” McKinsey named it “two-speed.” Whatever you want to call it, outsourcing clients will recognize the need to take different approaches to managing the “run the business” part of IT and the “change the business” part this year. “Clients will use the bi-modal approach to implement commercial and contractual mechanisms with vendors to clearly delineate the roles of the respective groups and to optimize the contributions of each to the business,” says Eleanor Winn, managing director at Alsbridge.

8. Vendors get soft(er)

“After 20 years, vendors who have been accustomed to bending customers to their one-sided terms by offering low prices will come to realize that further market penetration—particularly penetration into core functions or large companies–will require a more accommodative approach to meeting the needs of those companies,” says Peterson.

9. Automation will redefine relationships

“Having exhausted the opportunities to move work to lower-cost people, ITO and BPO companies are now focused on moving it to machines,” says Roy. “Buyers with contracts designed to purchase people will need to reconcile their contracts to this new world.” Both customers and providers will have to rethink their deals as they integrate more robotic process automation (RPA) into IT service delivery.

“Clients will rethink their sourcing strategies and how to build their RPA capabilities and providers will continue to build automation into their solutions,” says Craig Nelson, managing director with Alsbridge. “Both parties will have to redefine roles and skills requirements for human jobs, as well as manage the touch points between automation functions and jobs performed by humans. This will present a significant challenge for outsourcing relationships as agreements will need to be flexible to accommodate these highly dynamic environments.”

10. Agile sourcing emerges

With technology itself seeming to advance on a dime, outsourcing decision making will have to speed up. “Companies who decide on a digital strategy will execute quickly in 2016 to avoid seeing a technology shift or a competitor jumping ahead,” predicts Peterson of Mayer Brown. “We see increasing numbers of clients deploying substantial negotiating teams working on an agile basis to close smart deals fast.”

 

Source: CIO.com-10 outsourcing trends to watch in 2016 By Stephanie Overby  

IT outsourcing year in review: Grading our 2015 predictions

We predicted that this was the year that IT outsourcing companies would welcome standardization, outcome-based contracts would finally take hold and RFPs would become a thing of the past. Now it’s time to grade those and the rest of our predictions.

Earlier this year, CIO.com and its outsourcing experts made several bold (and a few slightly less daring) predictions for IT services in 2015. We suggested that this year, companies would get serious about managing their IT supplier risk. (Not exactly.) We said that renegotiation and multi-sourcing would dominate contracting activity. (They did.) And we envisaged the arrival of outcome-based sourcing and the departure of the RFP. (Neither, alas, came to pass.)
We revisited all of our prognostications from last year and found that, once again, we got half of them right. Three of them were off base, and two were just beginning to take shape at year-end. As we pull together our forecast for 2016, here’s how all those 2015 predictions panned out.

Right on target

Customers embrace standardization

Companies did, in fact, become less interested in customer solutions and the intensive infrastructure required to support them. “They largely see standardization as a way to drive productivity, efficiency and maintainability of solutions,” says Marc Tanowitz, managing director of outsourcing consultancy Pace Harmon.

“Service providers have clearly moved away from asset based deals, which is forcing buyers to increasingly invest in optimizing their IT infrastructure to meet the needs of their stakeholders. What’s more, cloud providers began to offer more protections and options in their standard agreements, explains Rebecca Eisner, partner in the Chicago office of law firm Mayer Brown. “Companies embraced standard offerings in 2015 in large measure because providers began to embrace the needs of big company customers. This is particularly apparent for core functions for which cloud terms have historically been ill-suited.”

Renegotiation reigns

Companies didn’t just renegotiate at the end of their outsourcing deals, they started re-examining them mid-term, says Dan Masur, partner in Mayer Brown’s Washington, D.C. office. “The renegotiations have been driven in part by re-solutioning to bring in new technologies, retrofitting to add digital technologies, restructuring to adopt outcome or output based pricing, reconciling the contract to changing realities, and re-sourcing components of the services to specialized providers.” This behavior, however, was more stop-gap than strategy, says Bill Huber, managing director with outsourcing consultancy Alsbridge. “The market has shifted dramatically, and re-competes have demonstrated the potential to unlock significantly greater value at this juncture than can usually be achieved by a straight renegotiation, whether or not the renegotiation includes re-scoping.”

Multi-sourcing multiplies

Manufacturing is driven by data. From inventory management to cost of goods sold, there is no shortage of information to track. The Internet of Things (IoT) adds to the plethora of data by enabling expanded data…
The deal-per-customer ratio continued to climb. “Clients are becoming increasing comfortable with best of breed suppliers and multi-provider environments,” says Tanowitz of Pace Harmon. “Driven by popularity of the cloud, standardization allows clients to ‘plug in’ or ‘unplug’ providers easily, and many companies have moved away from deals with a heavy asset investment by the provider.” However, points out Information Services Group (ISG) partner Steven Hall, “many enterprises are still challenged with governing in a services-based environment and have yet to modernize their governance organizations. We continued to see rapid adoption of SaaS solutions; workloads/applications moving to public cloud environments; and the implementation of bi-modal IT models, which all require advanced governance capabilities seen in product lifecycle management.”

The cloud comes down to earth

Finally. “In 2015, cloud computing reached the end of the beginning,” said Paul Roy, partner in the business and technology sourcing practice of Mayer Brown. “Cloud computing has become and is now a routine part of outsourcing conversations and solutions.” Public, private and hybrid solutions were all on the table. “At this point, enterprises’ forward looking investments almost always include cloud infrastructure for the apps they are supporting,” says Pace Harmon’s Tanowitz.

The sourcing decision becomes data-driven

“2015 saw the continued rise of Technology Business Management and TBM software providers,” says ISG’s Hall. “IT organizations are starving for actionable intelligence, based on their data, to help them make sound investment decisions.” Tanowitz argues that sourcing has always been data driven: “data and analytics are essential to ensure sourcing decisions are grounded in a solid business case and also to ensure that the procurement process remains objective and audit-proof. We expect this to continue to be the case, even for emerging technologies and new and innovative services.”

Off the mark

Outcomes become the name of the game
If only. “Outcome-based sourcing continues to face headwinds,” explains Huber of Alsbridge. “Progress is being made, but the fact is that outcomes are difficult to define in a way that fits traditional contract structures, and they take time to get right. This is going to take more work by smart, creative deal-shapers before outcome-based sourcing can truly replace traditional input-based models as the predominant sourcing model.” So far, the best we can offer is that some deals have shifted from input-based to output-based, says Brad Peterson, partner in Mayer Brown’s Chicago office. “Pricing on outcomes like cash collections looks like a true answer but—like most true answers—takes great diligence and skill to achieve and remains relatively rare,” he explains. “However, the move to output-based pricing is an important move away from the typical pricing based on inputs and a step closer to a true business outcomes measure.”

The business takes over

Business leaders did play a bigger role in procuring IT services—particularly cloud services—than in the past. However, “IT remains vital for the integration of service provider solutions and for effective security,” says Eisner. “The business has certainly taken over the digital agenda in many organizations and SaaS solutions, such as HR technology, are being made outside of IT,” says ISG’s Hall. “But, many CIOs have stepped up this year to own the digital agenda for their enterprise.”

And odds are IT may become even more integral to future sourcing decisions. “Cybersecurity and interoperability trump unfettered business-centrism as the Internet of Things adds another layer of complexity and vulnerability,” says Huber Alsbridge.

The RFP fades

“The RFP continues to be an essential piece of the competitive procurement process, particularly for complex products and services,” says Tanowitz of Pace Harmon. “However, we are seeing more collaborative approaches to RFPs, such as co-developing statements of work and creating more solution-oriented approaches to RFPs that lend more flexibility to the process and allow suppliers to offer innovative solutions.”

While the RFP remained entrenched, it did not go unquestioned. “The RFP has not gone away, but the old templates have grown stale, and sourcing processes, including RFPs, need to become more adaptive,” says Alsbridge’s Huber. The tried-and-true approach never worked well for emerging technologies, says Peterson of Mayer Brown. “There, RFIs, RFSs and Proof of Concept projects work better. However, the RFP has remained a trusty tool for traditional outsourcing deals where it remains important to communicate requirements and obtain comparable information from potential service providers.”

Wait and see

Dawn of the cloud robots

“We’ve certainly seen an uptick in conversations about robotics process automation (RPA), but the reality is that cloud robots are still little more than Excel macros at this point,” says Tanowitz. “Providers discuss cloud robots frequently and the benefits can be meaningful in terms of productivity gains, but we haven’t seen clients take advantage of the technology in a meaningful way.” Automation is advancing, says Brian Bodor, partner in the global sourcing practice of Pillsbury, “but we have yet to see the ‘rise of the machines.’ We expect to continue to watch this trend in 2016 and beyond.”

Where robotics and automation have taken hold is not cloud computing, but business process outsourcing, says Roy of Mayer Brown.

Supplier risk takes center stage

Outsourcing customers did not get serious about supplier risk overall, but they did get hyper-focused on cybersecurity. As a result, clients paid more attention to service location in signing deals, says Eisner of Mayer Brown. “We generally see supplier risk conversations ebb and flow with current events,” explains Pace Harmon’s Tanowitz. “Rather than preparing for supplier risk based on geographic instability or events, we’re seeing enterprises preparing more holistically for disaster response and recovery, including assessing cybersecurity risks and the protection of customer data that may be in the hands of their supplier.

Source: CIO.com-IT outsourcing year in review: Grading our 2015 predictions By Stephanie Overby  

Survey: IT outsourcing on the rise among health insurers

But data security concerns remain in wake of cyberattacks.

The healthcare payer IT outsourcing market is expected to grow more than 40 percent in the next two years, according to a new Black Book survey. That’s because better software solutions have accelerated expenses faster than originally anticipated, and there has not been any corresponding increase in revenue for many health plans.

Still, less than 10 percent of health executives surveyed have considered solutions that lie outside of the U.S., because of “concerns over hostile offshore locations and escalating health data security and privacy issues.” As recently as January, 75 percent of reporting health plans were cautious of major outsourcing initiatives, since data breaches such as the massive cyberattack that hit Anthemincreased their fears of unsafe operations, according to the survey announcement. Continue reading →

5 tasks first-time business owners should outsource immediately

Question: What is one task first-time business owners should outsource immediately?

All things legal

“Unless you went to law school, outsourcing your legal work can save you time and money on complex tasks. Although using DIY legal sites are tempting, the ramifications of incorrectly completing legal-related tasks can be disastrous. Legal outsourcing early saves money and time later. If you’re being sued, it’s too late. I recommend Legal Hero for a cost-effective solution.” — Antonio Calabrese|Boonle

Payroll

“Doing payroll and associated taxes by hand can be time consuming and prone to error. Use a payroll service like Gusto or ADP. Even if you are a solopreneur, if you bring in revenue and pay yourself a salary, consider setting up payroll.” — John Arroyo| Arroyo Labs, Inc.

Your biggest weakness

“I would suggest spending your time focusing on your strengths and outsourcing your weaknesses. I could very well be the world’s most unorganized person (definitely in the top 10); my business really began to take off once I acknowledged my weakness, gave up on organizing things myself and handed off the crucial tasks to people who were inherently good at organization.” — Max Coursey| Tiger Prop

Accounting and finances

“Even if you’ve got a head for numbers, it’s better to leave things, such as taxes, to a professional. Tax law, after all, is constantly changing, and managing the taxes for your business has the potential to eat up a ton of time that could be better spent growing your business.” — Steven Buchwald| Buchwald & Associates

Outreach

“One of the most important aspects of getting your business out there is outreach, but it’s also one of the most time consuming. Work with someone from your team and show them how to contact websites, potential clients and media outlets with a soft intro email. Once a relationship has been established, you can than respond to that email directly or pass them off in the right direction.”

Source: Upstart-5 tasks first-time business owners should outsource immediately

Cybersecurity Incident Response: Planning Is Just The Beginning

Executive summary

By now, most senior-level executives have heard that either you have had a data breach or you just don’t know that you’ve had a data breach. Cyberattacks are now as much a part of doing business as taxes and financial statements, and they are getting expensive. According to the 2015 U.S. Cost of a Data Breach Study¹ by the Ponemon Institute, last year there was an 11% increase in the total cost of a data breach, to a $217 average per lost or stolen record. To be sure, those numbers are based on estimated costs of actual data loss incidents, not hypotheticals. In an effort to support senior financial executives in their cybersecurity incident planning and response, Grant Thornton LLP and Financial Executives Research Foundation (FERF) have identified several essential areas for their consideration.

This report’s findings are based on in-depth interviews, conducted between August and September 2015, with 10 subject matter experts of various specializations, including legal, PR and communications, insurance, and IT security. The interviewees provided their perspectives on cyberrisk management strategies and best practices in cyberbreach response.

Key findings include:

• Simply having a cybersecurity incident response (IR) plan is not enough. It must be reviewed and updated regularly as part of a comprehensive cybersecurity incident response program.
• Regular training and exercises are important in keeping the IR plan effective. Employees can be a critical line of defense.
• Board involvement is crucial. Senior management and the board need to have open dialogue about expectations regarding risk tolerances, budget considerations, IR planning and breach response.
• General liability insurance and director’s insurance most likely will not cover a cybersecurity incident. A full review of insurance should be an integral part of cyberrisk management.

Introduction

Today’s organizations face a sobering reality. The question is no longer whether we will be breached but whenwe will be breached. Cybersecurity is a C-suite and board-level issue requiring a comprehensive risk management strategy, intelligent investment and integration across the organization.

While the costs associated with a data breach continue to rise, there are established best practices that can mitigate some of those costs. The 2015 U.S. Cost of a Data Breach Study² found that having an IR plan and team in place, extensive use of encryption, business continuity management (BCM) involvement, chief information security officer (CISO) leadership, employee training, board-level involvement, and insurance protection are viewed as reducing the cost of a data breach. An IR team can decrease the average cost of a data breach from $217 to $193.2 (decrease = $23.8) per lost or stolen record. However, third-party error, a rush to notify, lost or stolen devices, and the engagement of external consultants to support the IR team respond to a breach increased data breach cost.

Clearly, having an IR plan and team in place, extensive use of encryption, BCM involvement, CISO leadership, employee training, board-level involvement, and insurance protection would all be considered best practices. These elements should be considered the foundation of a robust cybersecurity incident program. FERF, in cooperation with Grant Thornton LLP, spoke with several subject matter experts from a variety of fields to glean insights and recommendations for instituting an effective cybersecurity incident response program.

Cybersecurity incident response

When determined adversaries such as hacktivists, state-sponsored actors and organized criminal syndicates set their minds on finding a way inside, every organization with valuable digitized information is at risk of having its information assets breached and its critical assets compromised. Indeed, most organizations today would do well to expand their efforts to mitigate the consequences of inevitable breaches, which likely affect infrastructure systems and compromise key data such as personally identifiable information and confidential business information. A properly drafted IR plan guides the proactive planning and management necessary to effectively react to such breaches.

It all starts with a plan

The primary objective of an IR plan is to prepare for and manage a cybersecurity incident in a way that limits damage, increases the confidence of external stakeholders, and reduces recovery time and costs.³Unfortunately, IR plans are one of the most neglected aspects of information security.⁴ Without a plan, organizations do not respond to a cybersecurity incident — they react to it, and reactions are usually based on misinformation and misunderstanding or, worse yet, fear.

To this point, Melissa Krasnow, partner and U.S. Certified Information Privacy Professional (CIPP/US) with Dorsey & Whitney LLP, noted: “While a number of companies have them [IR plans], you might be surprised by the companies that do not have them even though there is guidance about them, regulators are encouraging companies to have them, and they are a best practice. Once a company or a competitor or a business partner experiences a breach, incident or cyberattack, they develop an awareness that often galvanizes preparation, including an IR plan.”

Fellow attorney Liisa Thomas, chair of the principal and data security practice at Winston & Strawn LLP, said: “Most companies have a disaster recovery plan. If a 9/11 type of event happens, they know what to do. Typically, they will dust off that plan and make sure it works for them at least once a year, if not more.”

As it relates specifically to cyberincidents, Thomas continued: “A potential data breach should be treated in much the same way. An IR plan should give high-level information about how the company will handle the incident. Not all breaches are the same. Some might be cyberevents; some might be internal thefts. I’ve seen plans that are 30, 40 or maybe 100 pages long. Often they’re very focused on specific steps that the IT department would take to contain the incident. These plans may have their place, depending on the organization. But they might not instruct those outside of the IT department — senior leadership — on what to do at a high level. I advise clients to have a shorter, high-level document. The high-level document helps not only during an incident, but also before it, raising awareness with the senior leadership about the types of decisions they’re going to be asked to make. A plan like that can be used by the decision-makers to practice against, just like they would a disaster recovery plan.”

Johnny Lee, Grant Thornton managing director of Forensic, Investigative and Dispute Services, adds, “While the IR plan can resemble a high-level policy, it is important to note that each constituent department (IT, legal, communications, risk management, etc.) might have far more detailed protocols invoked during an incident response.”

Jerry Wynne, CISO and senior director of enterprise security with Noridian Mutual Insurance, said his company does have a cybersecurity IR plan: “We are in the process of updating it again based on several breaches that have occurred within the industry in the last year. It will include some additional areas that are outside of the traditional cybersecurity IR time.”

Those updates were the result of lessons learned within their industry peer group. This follows best practices, as IR plans should be revisited regularly to ensure that they don’t get stale. Wynne continued, “We have a stronger legal presence on the team, and we’ve made sure that our privacy area and compliance areas are more heavily involved than they have been in the past.”

Information security expert and former CISO Bill Barouski believes there are two aspects organizations should consider in reviewing their cybersecurity incident response plans: “I think every program, every plan should be reviewed at least annually. Then, probably every 18 to 24 months, have a third party review the plans. Any high-performing organization would want an outside view into their effectiveness.”

IR team

When asked who should head the response team or what departments should be included in the team, John Kennedy, corporate partner in the IT and outsourcing, privacy, and information security group at Wiggin and Dana LLP, said: “It varies by organization, but I believe a best practice is to create an IR governance committee, which should include representatives from executive management, so that decisions can be made quickly. In terms of the preparedness side and the planning and the communications chain, it will include legal, IT, risk management, human resources, public relations and, in some cases, facilities management. There may be, in addition, a compliance officer as well as a risk officer. In the end, the incident response team should represent a cross-section of key stakeholder interests that will be affected by different kinds of incidents.”

Ashley McCown, president at Solomon McCown, had a few suggestions regarding which business operations should be a part of the IR team: “The CFO certainly is included; there are obviously significant financial implications in a breach, so he or she needs to be at the table. The general counsel, and as companies are getting very organized around potential cyberattacks and identifying a law firm or lawyer with expertise in cybercrimes and breaches, that person can be brought into the effort. IT clearly should be involved; HR, sometimes, if employee data and personally identifiable information are leaked. Definitely the communications department, which could include internal and external communications.”

She continued: “Additionally, you want to have backups and redundancies because people go on vacation. Even with cellphones and Wi-Fi everywhere, people can be out of touch, and being able to mobilize your team quickly is essential. Incidents don’t often happen at the most opportune times.”

Exercises and training

Putting a plan like this together, keeping it up-to-date and exercising it periodically is a lot of work — a major reason that it doesn’t always get done. But when something bad happens (and it will), having the plan available and the experience that only comes from practice will save a lot of time and potentially avoid embarrassment at best, and litigation at worst.⁵

Having a cybersecurity incident response plan is an important step, but it’s only the beginning. The plan is not of much use if it only exists on paper or on a server somewhere — it must be reviewed regularly and periodically exercised. All of the interviewees stressed the importance of tabletop exercises and employee training. Additionally, as they relate to tabletop exercises, these updates should include industry-, regulatory- and technology-specific scenarios. An executive director of information security with a large insurance company noted: “We’ve had numerous exercises in 2015. Traditionally, we’ve conducted exercises focused on business continuity and disaster recovery. However, we’ve stepped it up this year to do more crisis management tabletop exercises to address cybersecurity threats. We engage the threat response team, which is our cross-functional IT team, to participate in cybersecurity tabletop exercises based on real-life scenarios. We exercised our plans to determine how prepared we are to respond and to determine if our response plans are well-documented.”

She continued: “We’ve also done a tabletop with our midlevel executives, our vice presidents and other key stakeholders across the organization, to make sure plans are in place, including communication plans. Social media is going to be a big part of our response plan to make sure we handle social media issues timely and appropriately. Soon we’re going to conduct an exercise with our senior-level executives so they are prepared to handle crisis management events. We are really putting a lot of effort and emphasis on tabletop exercises and preparedness as key to managing a major event.”

John Kennedy, corporate partner at Wiggin and Dana, noted: “Organizations that are seriously focused on this issue are doing training directed at all employees who may be in a position to expose the company to risk by virtue of the activity that they’re permitted within the company’s network. We have done training sessions with hedge funds specifically for the issue of social engineering and phishing. The training was not just limited to the senior officers either; it was a room full of traders and analysts. Phishing attacks are becoming increasingly sophisticated; you hear stories where someone very high up in the organization was impersonated and a middle-management employee was duped to transfer funds or execute an order that was bogus.”

Todd Fitzgerald, Grant Thornton International global director of Information Security, adds: “Training methods have to change from 45-minute slide decks to online cyberassessments, phishing simulations and interactive training to grab the end users’ attention and deliver relevant 15-minute training. Only after users have been fake-phished will they really pay attention to the training where information flow and demands on our time are at all-time highs.”

While there are those that will view employees as the weakest link in their organization’s cyberincident preparedness, Bill Barouski, information security expert and former CISO, thinks the opposite. “Someone that is very well-trained and cyberaware is going to be far more effective than technology,” he said. “People can become your strongest link.”

For attorney Jason Bernstein, partner and co-chair of the data security and privacy group at Barnes & Thornburg LLP, training also means reinforcement: “If you do it once a month, people start getting kind of blind eyes, like a parent talking to a 16-year-old. With the IT directors and CIOs that I talk to, it’s constant education. It does not matter how high- or low-level you are at this; these phishing attacks have gotten so good, and there are so many nuances in them that it’s real easy to just click on them.”

Board involvement

With recent high-profile legal cases involving board members making headlines, boards need to be more than just aware of cybersecurity incident response, they need to be involved in the IR planning. As Melissa Krasnow, partner and CIPP/US with Dorsey & Whitney LLP, pointed out, “The intersection of cybersecurity and corporate governance is an area that’s developing and where awareness continues to increase.”

She continued: “IT is in the middle of all this, and increasingly is being called upon by the board of directors and executives. Some companies are being transparent about their cybersecurity, for example stating, ‘Here’s where we’re lacking in our security, and here’s what we need to do to address it,’ and providing steps that should be considered. Company ethics and culture may transcend legal requirements about how a company handles things. It’s interesting to see this dynamic play out.”

Unfortunately, the reality is that boards are often focused on other competing priorities. The former CISO of a large educational system noted that there was limited support at the board level: “If they did get involved, it did not trickle down to me. To my knowledge, senior management did not have much expectation from the board relating to cybersecurity. The board was focused on other topics.”

However, other boards are very involved in cybersecurity. The executive director of information security with a large insurance company said the board in her organization takes this issue very seriously: “It’s considered in every board meeting now. My boss is the chief information security officer, and he reports to the CIO. Every quarter, they have to give an update regarding not only IT in general, but also cybersecurity threats. The board is very interested and they do care, and I think it’s helping to drive our investments in security, which is a good thing.”

From the senior management perspective, she continued, “…the expectation of the board is to drive awareness. The board sets the tone so senior management and the end users know that it’s important that security and the controls work properly.”

Cyberinsurance

Given that cybersecurity is all about risk assessment and management, no cybersecurity IR program would be complete without a review of an organization’s existing insurance coverage. Do not just assume the company’s general liability or directors insurance coverage will suffice. That said, there are certainly some companies that are ahead of the curve. Jerry Wynne, CISO and senior director of enterprise security at Noridian Mutual Insurance, said his company has been carrying cyberliability insurance for several years: “We went down the road of cyberinsurance after recognizing the potential liability. The discussion focused on the financial impact a breach would be to the company and to everyone involved. In the end we decided that we really had to have cyberinsurance, so we’ve been maintaining that for about five years.”

Nolan Wilson, Southeast region leader of professional risk solutions at AON, notes: “Probably more do not purchase [cyberinsurance] than do, even though it’s such a big topic today. I think from a general liability perspective, it’s more and more common to see a specific exclusion for access or disclosure of confidential and personal information. It’s critical to not just assume that you have insurance that will cover a specific incident, and to make sure that you’re looking at the policy and any exclusions that it might have.”

John Kennedy, corporate partner at Wiggin and Dana LLP, noted more policy review: “Companies are paying much more attention to it. At least some of them are waking up to the fact that commercial general liability (CGL) policies and other kinds of standard policies do not address cyberrisk. We do a fair amount of work in the insurance sector, so we’ve actually worked with insurance companies on how to draft cyberinsurance policies, but also how to draft cyberrisk exclusions from their CGL policies.”

Kennedy continued: “Companies just don’t seem to pay the same degree of attention to the risk of loss to their information assets as they do to their tangible assets, and therefore may not understand that data loss is not covered. Or if you outsourced something and that third-party provider lost your data, your policies may not cover that. Insurance provisions have gotten very detailed and demanding. Customers are telling their vendors or their suppliers that they’ve got to carry all these types of cyberliability coverage, criminal cyberliability coverage, etc., in addition to the other types of insurance.”

Todd Fitzgerald, Grant Thornton International global director of Information Security, also notes: “Cyberinsurance is an important tool to mitigate risk; however, this cannot be a substitute for having reasonable controls and an adequate IR program. Many policies have exclusions for not having minimum controls, such as an exclusion for losses due to unencrypted laptops, or not having a plan in place. Some policies will also require the use of their service providers in the event of an incident. These policies should be reviewed carefully to determine acceptable coverage for the organization.”

Third-party risk

Just because an organization’s systems do not suffer a breach does not mean its information cannot be compromised. Third-party or vendor risk is another key area of consideration for a company’s cybersecurity IR program. Are they protecting data with the same fervor you are? To find out, it’s critical to conduct an assessment of your partners’ cybersecurity measures and assess your vendors’ management processes. You’ll need to determine how these organizations will protect your data, either through contractual agreements, assessments or audits. Depending on the size of your organization, your vendor management group may be able to handle this, or it might require a combined effort, with your accounting group and IT security staff working together to look at vendors.⁶ The former CISO of a large educational system said he instituted vendor security and a vendor assessment questionnaire: “Anytime a new vendor would come on board, we would have them complete the questionnaire and we would make a risk recommendation whether or not to proceed. Now the organization could always accept the risk, but IT would at least make some recommendation based on our vendor security review.”

Bill Barouski, information security expert and former CISO, noted: “I think this has started to get more attention in the last 18 months. Any large, extended enterprise will have a very wide array of third-party vendors and partners. They’re saying, ‘We need to take a holistic view of cyberrisk across the entire enterprise, including contractors, vendors, partners, etc.’ so I see a lot of energy around this topic, especially in the financial services industry.”

Ashley McCown, president of Solomon McCown, commented: “In business in general, we are hearing more about companies requiring verification from third-party vendors to show what systems and processes they have in place to protect data. I think that’s becoming much more commonplace.”

An executive director of information security with a large insurance company said her company has spent a lot of time looking at third parties because incidents can occur outside your systems but have implications for your company: “Many times it had to do with a third party either having some kind of entry point into your system, or just the fact that we’re sharing our data with third parties. So we have a strong, robust third-party vendor management program. We look at it from a privacy, security and legal perspective. But we know it’s really working with our procurement department, as well as our business partners, to have a strategy of what type of information lends itself to be hosted externally with third parties and the criticality of the business. So we’re putting a lot of criteria and strategy around our third-party vendor management to make sure we’re providing the right oversight.”

She continued: “If vendors have access to critical and/or confidential information, we require what’s called a minimum security requirements document that’s a part of the contract, like an addendum, and one of our requirements is data security at rest, in addition to many other things. It seems like the industry has shifted, and a lot of companies and third-party vendors — at least the ones that deal in health care information — are taking it seriously and adhering to that requirement.”

Communications

PR and communications must be an integral part of any cybersecurity incident response plan. This is the area of expertise of Ashley McCown, president of Solomon McCown, and she summed this up perfectly: “Social media is a game changer in our world in terms of how quickly information and/or rumors can spread. Now hackers will often be the ones that go onto a blog or other social channels to put it out there that they’ve hacked an organization or company. So then the clock starts ticking. Someone’s going to tell the story, and you want that someone to be you and your company and not other people.”

Bill Barouski, information security expert and former CISO, noted: “What I’ve observed, increasingly so, is the sooner you’re able to provide clear and unambiguous information, the sooner you reduce the attention, uncertainty and the number of news stories. By nature, if the public doesn’t believe you’re being straightforward or cooperating, the scrutiny and intensity increase. But I think you’ve seen in the last two years how firms are much quicker to announce what they do know even without full understanding of what’s happened.”

While putting out a public communication statement following a breach is important, Jason Bernstein, partner and co-chair of the data security and privacy group at Barnes & Thornburg LLP, did provide some words of caution: “A lot of times when we’re talking about a small company, they don’t have a PR firm, certainly not a PR firm that knows how to deal with data breach communications. Part of what we do in our role is to help manage this whole process, and one of the things that a PR firm and certainly the client tends to do in terms of communication is say, ‘We are guilty, we’re sorry, mea culpa.’ We try and advise them on what they should be saying or not to say just yet.”

He continued: “One key to managing communications is to communicate early and clearly what you do know, and that you will provide more details as they become available. In a major breach incident, it’s not a good idea to release information that is not confirmed. Delaying an initial announcement makes the public suspicious of your motivations. But restating the facts later is likely to be more damaging. So managing that communications process is a balancing act. And, in the big picture, the way the company handles communications will be remembered long after the breach is fixed and individuals have been taken care of, and this is the key to minimizing damage to the company’s brand reputation and regaining trust.”

Conclusion

Hardly a day goes by without cyberattacks and data breaches grabbing media headlines. No company, organization or even government is immune. That’s the bad news. The good news is that companies can use these events to bolster their own cybersecurity incident response. Once again we consider those factors that can reduce the cost of a data breach. Some of the most valuable investments companies can make seem to be an IR plan, extensive use of encryption, the involvement of business continuity management, the appointment of a CISO with enterprise-wide responsibility, employee training, board-level involvement and insurance protection.⁷

Prevention through implementing reasonable controls is still very important; however, these controls are point-in-time and, even if implemented correctly 100% of the time, there are new threats and exploits that are emerging. There will always be a gap between the implemented controls and the resources available to a determined attacker. Thus, planning for this situation by implementing an IR program is critical to reducing the risk and cost to the enterprise.

The risks of cyberattacks span functions and business units, companies and customers. Given the stakes and the challenging circumstances related to becoming cyberresilient, making the decisions necessary can only be achieved with active engagement from the CEO and other members of the senior management team.⁸Cybersecurity is not a check-the-box-and-you’re-done issue. It requires a commitment of time and resources. It’s too late to start planning for a breach once a breach has taken place. Start planning now; best practices begin with a cybersecurity incident response plan as part of a comprehensive IR program.

Interviewees

Ten in-depth research interviews provided insights into how companies are reacting to cybersecurity. The following subject matter experts participated in these interviews:

• Bill Barouski, information security expert and former CISO
• Jason Bernstein, partner, data security and privacy group, Barnes & Thornburg LLP
• John Kennedy, corporate partner, IT and outsourcing, privacy, and information security group, Wiggin and Dana LLP
• Melissa J. Krasnow, corporate partner and CIPP/US, Dorsey & Whitney LLP; Governance Fellow, National Association of Corporate Directors
• Ashley McCown, president, Solomon McCown
• Liisa Thomas, chair, privacy and data security practice, Winston & Strawn LLP
• Nolan Wilson, Southeast region leader, professional risk solutions, AON
• Jerry Wynne, CISO and senior director of enterprise security, Noridian Mutual Insurance
• Anonymous, executive director of information security with a large insurance company
• Anonymous, former CISO of a large educational system

Footnotes

1 Ponemon Institute. U.S. Cost of a Data Breach Study, May 2015.

2 Ponemon Institute. U.S. Cost of a Data Breach Study, May 2015.

3 Bailey, Tucker; Brandley, John, and Kaplan, James. How Good Is Your Cyberincident-Response Plan? McKinsey & Company, December 2013.

4 Parkinson, John. “How to respond to a data breach,” CFO.com, July 14, 2015.

5 Parkinson, John. “How to respond to a data breach,” CFO.com, July 14, 2015.

6 See “ Unprepared organizations pay more for cyberattacks” for more information.

7 Ponemon Institute. U.S. Cost of a Data Breach Study, May 2015.

8 Bailey, Tucker; Kaplan, James; and Rezek, Chris. Why Senior Leaders Are the Front Line Against Cyberattacks, McKinsey & Company, June 2014.

Source: Mondaq-Cybersecurity Incident Response: Planning Is Just The Beginning by Johnny Lee, Alan Westfall and Todd Fitzgerald