Raising Security Awareness in Cross-Cultural Work

Author: Vanessa Britt Perez Revilla, CISA, CISM, CRISC, ISO/IEC 27001 LA
Date Published: 9 November 2023

Is your enterprise considering sourcing internal resources via offshore locations? Or is it already sourcing talent from lower-cost locations?

Global in-house centers (GICs) are becoming popular because they can deliver services in low-cost locations that are owned and operated by the same enterprise receiving the services. Over the last few years, many multinational enterprises have set up GICs in India to leverage the nation’s highly skilled, low-cost talent pool and reduce the cost of service delivery. In addition, executives are increasingly looking toward Asia-Pacific, Eastern European and Latin American nations as viable options for expanding their external workforce. However, adopting this model brings challenges. One of them is maintaining the integrity and security of the enterprise’s data, because the culture and IT security in the offshore location are considered vulnerabilities that can affect the GIC value chain to a high degree.

Chief information security officers (CISOs) should alert the board about the importance of conducting a risk assessment to identify the threats and vulnerabilities introduced, specifically when hiring workers based in a different country, and the consequences for the business if they are not managed. They should work with the cyberthreat intelligence team and security operations center to document incidents that demonstrate how people from the offshore location can be one of the largest drivers of incidents at the organization. If the enterprise has not started operations, they should gather information about the security incidents reported in the country the offshore location is based in.

Organizations should get the support of the board to involve people with appropriate knowledge in the risk assessment exercise. A multidisciplinary team composed of representatives of the offshore location should be invited to participate in the workshop sessions. It is also beneficial for the CISO to travel to the offshore offices to immerse themselves in the local culture and to hire a local security professional.

Another mechanism for gaining a deeper understanding of international employees’ security attitudes and habits, which may help identify behavioral risk, is to conduct a survey. The support of the board and of HR from the offshore location is needed for this task, as these stakeholders can help build a set of questions to gather information about how employees engage with security in their daily work (and nonwork) lives.

Once the results from the risk assessment and the survey are obtained, a security awareness program should be created for the international location and presented to the board and top management. Organizations should ensure computer-based security training is customized to tailor the content to the employees’ level of knowledge and experience. In addition, security awareness activities such as contests with prizes can help reinforce learning retention. It is important to note that you may be building a culture of information security in a country that does not enforce security laws. 

The board should also propose that HR of the offshore location develop and communicate a disciplinary action policy that includes violations of privacy and security rules. It is crucial that an environment of respect toward policies and rules is maintained to cultivate the security mindset. However, HR might not want to implement or communicate a local sanction policy if they think it could have a negative effect on the workplace environment. If this concern is raised, it should be discussed with the board.

Metrics must be designed and determined before testing employees’ behavior, both before and after deploying the security awareness program. Metrics show whether employees are being effectively educated and changing their behaviors accordingly. In cases where the values obtained do not meet the goals of the security awareness program, corrective actions may be implemented to improve the metrics. The status of the security awareness program should always be communicated to the board, placing special emphasis on presenting the metrics to show employees’ behavior in the offshore location.

Building a culture of security is not an easy task. It can be challenging for a CISO to understand the behavior toward information security that people from other countries have. When colleagues grow up in a country where legislation is not necessarily enforced, management is often worried that offshore colleagues see them as the police officers of the organization. The key to overcoming these obstacles is to get the support of the board and regularly update them with the results of the security awareness program. This means that they are accountable for overseeing risk management by ensuring that the necessary resources are allocated to manage risk.

Editor’s note: For further insights on this topic, read Vanessa Britt Perez Revilla’s recent Journal article, “Raising Security Awareness in Cross-Cultural Work and Collaboration,” ISACA Journal, volume 5, 2023.