Protecting Data and IP when Outsourcing Offshore, cont.

What can you do to minimize / mitigate risks of IP loss with your outsourcing partner? Here are some tips to consider:

General

  • Learn, understand and keep yourself up to date on information security topics
  • Do not outsource your crown jewels. If it’s at all possible do not send any high value IP work offshore.
  • Hold the offshore vendor, its employees and subcontractors to the same or higher standards of Data and IP security as your own team.

Vendor search / RFP process

  • Include IP handling inquiries in your RFP process and in on-site visits
  • Consider legal maturity and IP laws from geopolitical view
  • Check for signs of casual treatment. For example while at the site visit ask developers what they are working on / etc. Your IP would be at best treated in the way it’s treated for current clients.

Contract / negotiation process

  • Make sure to include IP elements in the contract and have it reviewed by a legal team specializing in IP. My preferred approach is to have the vendor “work for hire” and keep the ownership of all IP, including IP produced during the engagement.
  • Make sure that required clauses are enforceable and can be seen through downstream (employees, subcontractors, etc.). You can ask for specific language in chain of trust agreements and NDA documents.
  • Put excessive penalty clauses associated with IP loss in the contract. I also recommend including “right to inspect” and other control elements directly into the contract.
  • Decide on a level of additional security elements you need at a physical / infrastructure level, for example network separation, biometric locks, etc. Keep in mind that it usually comes with a notable price tag.
  • Align payments with deliverables and milestones. Allow some time for verifying deliverables before you pay for them.

Kick Off

  • Define and communicate to vendor policies and SOPs on data and IP handling, e.g. level of encryption, separation of duties, firewall policies, etc.
  • Consider investing in education and helping your vendor keep IP and data secure.
  • Consider an infrastructure approach under which none of the sensitive elements reside on a vendor side. For example developers could perform all work on your network using terminal services over VPN.

Ongoing

  • Make sure that all information and artifacts produced by your vendor are physically copied to your location.
  • Test integrity of the information delivered by the vendor. For source code my preferred method is using continuous integration (CI) integrated with unit / smoke testing running off local repositories.
  • Control / inspect / audit the guards you agreed to put in place.
  • Consider independent audits by a 3rd party.
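
One way to act on the first two points of this list (keep a copy at your location, then test what was delivered), as an added example that is not from the original post. The function names, the 7-day staleness limit and the `smoke.sh` entry point are assumptions, and the "vendor" repository is constructed locally so the script runs offline:

```shell
#!/bin/sh
# Added example: keep a mirror of the vendor's repository on your own side and
# gate each delivery on freshness plus a smoke test run from that local copy.
# Function names, the 7-day limit and smoke.sh are assumptions, not from the post.

# sync_mirror VENDOR_URL MIRROR_DIR: create or refresh a bare mirror you control.
sync_mirror() {
    if [ -d "$2" ]; then
        git -C "$2" remote update --prune >/dev/null 2>&1
    else
        git clone --quiet --mirror "$1" "$2"
    fi
}

# mirror_age_days MIRROR_DIR: print whole days since the newest commit on any ref.
mirror_age_days() {
    last=$(git -C "$1" log --all -1 --format=%ct 2>/dev/null)
    [ -n "$last" ] || return 1
    now=$(date +%s)
    echo $(( ($now - $last) / 86400 ))
}

# verify_delivery MIRROR_DIR MAX_AGE_DAYS
# Returns 0 = ok, 1 = mirror empty or stale, 2 = smoke test missing or failing.
verify_delivery() {
    age=$(mirror_age_days "$1") || return 1
    [ "$age" -le "$2" ] || return 1
    work=$(mktemp -d) || return 2
    rc=0
    # Build only from the local mirror, never from the vendor's server.
    git clone --quiet "$1" "$work/src" 2>/dev/null || rc=2
    if [ "$rc" -eq 0 ]; then
        ( cd "$work/src" && [ -f smoke.sh ] && sh ./smoke.sh ) >/dev/null 2>&1 || rc=2
    fi
    rm -rf "$work"
    return "$rc"
}

# make_sample_vendor DIR SMOKE_EXIT [COMMIT_DATE]
# Constructed stand-in for the vendor's repository so the example runs offline.
make_sample_vendor() (
    if [ -n "${3:-}" ]; then
        export GIT_AUTHOR_DATE="$3" GIT_COMMITTER_DATE="$3"
    fi
    git init --quiet "$1"
    printf 'exit %s\n' "$2" > "$1/smoke.sh"
    git -C "$1" add smoke.sh
    git -C "$1" -c user.name=vendor -c user.email=vendor@example.invalid \
        commit --quiet -m "constructed delivery"
)

# Demo on constructed data: a fresh delivery whose smoke test passes.
demo=$(mktemp -d)
make_sample_vendor "$demo/vendor" 0
sync_mirror "$demo/vendor" "$demo/mirror.git"
verify_delivery "$demo/mirror.git" 7 && echo "delivery accepted"
rm -rf "$demo"
```

A return code of 1 (no recent commits reaching your mirror) is the signal to raise before the next milestone payment rather than at final handover.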

Termination

  • Plan / define termination procedures when establishing the contract
  • Use appropriate InfoSec processes and procedures to close accounts, revoke privileges, destroy media, etc.
  • And make sure that you part on good terms

Protecting Data and IP when Outsourcing Offshore

Securing data when working with offshore is a well-known yet very challenging task. It’s especially serious if your company deals with financial or private data, such as ePHI (electronic protected health information). In some ways, though, dealing with data protection in an offshore scenario, while complex, is a straightforward task, especially for companies that are used to that kind of challenge in-house. Protecting Intellectual Property (IP) takes the challenge to a completely new level.

Risk of losing IP through offshore outsourcing is serious and real. I would venture to say that the overall price tag related to IP loss in offshore outsourcing is measured in billions. For example, a friend of mine found himself out of a job after an IP ordeal with an outsourcing company in Eastern Europe. He was responsible for a product line in the developer’s tools space in the late nineties. He found and hired a group of very talented engineers from Byelorussia. The requirements were coming from the USA and development work was done 100% offshore. Source control and the document repository were maintained offshore, which seemed to be the right approach considering the aggressive nature of the project and weak communication infrastructure. Cutting to the chase – when it came to transferring the finished product into the hands of the owner, the team in Byelorussia simply refused to do so. Initially they asked for some ridiculous amount of money but later on dropped out of negotiations, re-branded the product and took it to the market themselves…

To mitigate the risk you first need to understand channels of IP loss, here are the main few to consider:

  • There is clear possibility of malicious / criminal acts relevant to your IP. Your product idea could be stolen, repackaged and sold by the very partner you have entrusted. Not just idea, the source code, processes, documentation.
  • An even more probable scenario arises when a disgruntled or “entrepreneurial” employee of your vendor takes advantage of gaining access to your IP, source code, etc. Of course that could happen with your own staff; offshore just exacerbates the issue / increases the probability.
  • Immaturity of vendor infrastructure (physical security, network security, etc.) could become a reason for massive IP loss / data exposure. Insufficient physical, network security and data security opens up data and IP for hackers of all sorts.
  • Poor understanding of data and IP security, insufficient or non-existing security policy framework has the similar effect, often with even more severe consequences.
  • Casual treatment of IP security by your vendor. I remember visiting one offshore outsourcer in Eastern Europe. During a tour of facilities my guide brought me to office which had a number of expensive physical guards in place. We still went inside and my guide started – “here where we have super secret project with the company I can not name, they are a major search engine that rhymes with “frugal”, wink, wink. Those guys use our Ph.D’s to…”

What can you do to minimize / mitigate risks of IP loss with your outsourcing partner? That would be a next post

Offshore Risk: Cost-reduction expectations

Establishing high cost-reduction expectations is one of the most serious traps a technology leader can get him/herself into. If the only reason you are going offshore is cost savings – my best advice would be – stop right there! If you are very good at utilizing offshore you may realize 30% savings on somewhat sizable initiatives, and you still will need a lot of luck. That aside, even if you do understand the paradigm of cost savings, you still have to establish appropriate expectations with your execs / peers / team. Failure to establish correct expectations results in insufficient budgets, and often in a collapse of the entire outsourcing initiative with a serious ripple effect.

I receive emails from one of Beyondsoft (China) sales execs on a pretty much monthly basis. While his tenacity is commendable his message is totally ludicrous, here is one of his emails:

Dear Nick,

I know your schedule is very tight, but I really hope we have an opportunity to share our ideas on how to help you decrease cost by 300% in next 12 months.

I thought that’s a good opportunity coz you are in Beijing now, and our meeting would make you more impressive.

Looking forward to your early reply.

Best regards,

George Tong

300% wow! Where do I sign!? Think about your execs who are continuously spammed with such messages. Direct mail, articles, whitepapers, case studies and so on, conveniently delivered to your boss’s ear, scream about potential savings from offshore. Setting appropriate expectations on your part will be a balancing act of delivering bad news without sounding like a sandbagger. Here is a presentation approach I found somewhat successful in setting my audience’s expectations at a reasonable level.

Start with debunking the Myth of Cost Savings

  • What vendors are telling us
  • Couple genuine offshore horror stories
  • Rates vs. True Cost of Outsourcing

Change audience focus to specific challenges / reasons for outsourcing, e.g.

  • Time to market
  • Access to specific resource type
  • Refocusing internal resources

Setup SMART (specific measurable actionable result-oriented and time-bound) goals for outsourcing, e.g.

  • Move 100% maintenance of product X to Worksoft team by 5/15/210
  • Deliver 50 functional points by ZenSar’s team by 9/20/2009

Another pointer – my recommendation is to setup an expectation that there are NO cost savings and work in terms of alternative delivery benefits rather than cost. For example:

  • The project Odessa requires 5 FTE for 10 months.
  • While we do have a budget for it we do not have the resources.
  • Finding skilled developers and QA engineers is likely to take us over 3 months and we will need to train them for about 2 months.
  • To save the ramp up time we are going to use the MindTree team.
  • The budget allows us enough resources to deliver the project under 12 months.

There is another trap here – what if the team you recommended can not deliver on time? Well, that’s not at all inconceivable, yet easier to control and deal with.


Top outsourcing risks

Putting development of your product or any other aspect of technology in the hands of a third party is certainly a risky proposition. To properly mitigate the risks of outsourcing one needs to understand the outsourcing landscape quite well. The top offshore outsourcing risks fall in several main categories. There is much to be said about each of the categories; I am planning to add more substance / clarifications /examples to each of the bullets below, as well as some ideas on risk mitigation. For now, here is the high level list:

Geopolitical

  • Government regulations, on the both sides of the equation
  • Political stability
  • Legal maturity

Security

Internal – Organization

Internal – Team and Personal

  • Loss of team support / respect / relationships with the team
  • Loss of team spirit / internal unease
  • Loss of key personnel / technology and business knowledge loss
  • Decrease in team’s productivity / commitment
  • Career impact
  • Lifestyle impact

Vendor capabilities

  • Financial Stability
  • Organizational maturity
  • Organizational commitment
  • Infrastructure (macro / micro view)
  • Technical capabilities
  • Ability to deliver
  • Personnel turnover

Joint responsibilities

  • Process confluence
  • Scope management
  • Geographical dispersion
  • Cultural differences
  • Knowledge transfer
  • Communications

My reasons to outsource

I mentioned already the top reasons for offshore outsourcing typical for many organizations; let me list some of my own:

  • Diversity. Diversity in terms of bringing individual contributors with different backgrounds into the team often means a tremendous increase in productivity. A healthy portion of resources with different education, practical background, and way of operating could bring a breath of fresh air into a stagnating organization. Also “diversifying” your portfolio of resources might help a great deal in dealing with micro factors affecting the employment / recruitment landscape of a specific geography.
  • Education. In countries such as India, Russia, China you find many people who value education to a much higher degree than we do in the States. On one of my teams from St. Petersburg a majority of developers had at least an MS and over 40% had a Ph.D. That includes QA engineers! Needless to say the brain power of the team was absolutely amazing.
  • Work Ethics. That doesn’t go across all geographies and companies, but fortunately you still can find outsourcing organizations with resources whose work ethics are far superior to what you find for example in corporate America.
  • Talent Pool. Some outsourcing organizations, instead of the typical “selling mediocrity in bulk”, build their team with top notch experts and people with exceptionally high IQ. Building such a team, no matter in which area of the world, takes a very long time.
  • Processes. Getting process right is time consuming and costly. When ISO or CMM processes are a requirement it’s often much easier to build relationship with a subcontractor who already has those in place.
  • Project Management. Project and program management is often something that a small software organization can not afford (or more often VPE can’t sell his execs / team on the need for it). Many, especially Indian vendors have that in perfect shape.
  • Cost. While I do not believe that offshore guarantees cost savings I do believe that there is a huge potential there especially with careful execution of multi-sourcing or/and micro-sourcing strategies.


Not yet ready for China

I love travel and visit new places, even if that’s on a business trip. Needless to say that living “5 to 7” lifestyle (by 5 am Monday you are on a plane to the client and ~7 pm on Friday are back on your way home) grows old quickly, but my engineering leadership role delivers travel in just the right amount. So I was quite excited when I got a chance to go to China to meet with a few promising offshore outsourcing companies. Impressed by meetings with vendors’ execs I was looking forward to starting with one of their teams in China.

Jumping ahead, I have to tell you that out of my top three impressions of China one was far above the expectations, one was at par, and one was way below. The first one was food – sorry Chef Chu, Dragon Well, and Yank Sing – there is no better place for Chinese food than China. The impression that was exactly at par with my expectations was my prospect resources’ command of English – it was dreadful. That was not a big deal for me though – English is a second language and work in progress for me as well, plus quoting Clarence Darrow, “Even if you do learn to speak correct English, whom are you going to speak it to?”. The thing that fell way below my expectations and to a large degree ruined the trip was the technical skills of the engineers I saw.

Having spent the last 10 years of my life in Silicon Valley I’ve been conditioned to be surrounded by people much smarter than I. A great majority of them came from Asia. So I was expecting to see people like Bhaskar H, John B, Mark Dao, Shao Fang, Harshal Deo, Michelle Sue, Ashish Mangla… I was expecting maybe not the same level of intelligence, grasp on technology, and knowledge of foundations but at least somewhat close. Instead, my vendors paraded in front of me dozens of engineers who could not explain what a polymorphism is, project managers who did not know how to use MS Project, business analysts with nothing but a desire to be one. A few days into my interview process, going through at a rate of ~20 30-min interviews per day, I met only one decent PM who did not speak English at all, one good yet quite junior business analyst (she was an IIT grad and just moved to China with her husband), and a handful of barely acceptable engineers. My interviewing stats were:

Project Managers – 1 out of 9
Business Analysts – 1 out of 11
Senior Developers – 0 out of 6
Mid Level Developers – 2 out of 14
Junior Developers – 4 out of 9
QA Leads – 1 out of 4
Blackbox Testers – 4 out of 6
Automation Testers – 0 out of 7

After visiting four companies my mind was set and I switched to enjoying tours to Forbidden City, Bird’s Nest and Summer Palace; I climbed the Great Wall, took many pictures, and bought a bunch of souvenirs. I knew that it would be a while before I see China again.

Having spent some time thinking through the reasons behind my failure to find the vendor I could probably attest to those commonly known:

  • China is relatively new to the IT outsourcing, in particular for US projects. There is a great deal of skills, experience and understanding that has not yet been built up.
  • Language is a natural and serious obstacle in which Chinese outsourcing companies need to invest a great deal.
  • Chinese outsourcers need to learn how to deal with a large variety of cultural differences to successfully compete (and not only on cost). I believe that they need to find their own style. While a lot could be taken from success of Indian vendors, just “cut and paste” would not work.

On my trip to China I also discovered a few things that I had not heard of before:

  • In the Chinese education system getting an English major ranks bottom low vs. engineering or CS degrees. Inevitably it attracts the least talented students. However, in a race to address the language handicap, outsourcing companies recruit English major students for key development positions – project managers, business analysts, etc. No wonder none of the BAs I interviewed had heard of UML…
  • While checking out offices of many outsourcing companies I noticed one thing in common: developers’ desks were perfectly clean – not a single book anywhere. I guess one of the reasons is the lack of relevant literature in the native tongue. Reading O’Reilly in English is an uphill battle for many of the engineers.
  • Most of the engineers I talked with gained all their knowledge on the projects they worked on, which is a great way to learn when it is one of the methods, not the only. Result is extremely narrow scope of knowledge / expertise.

So I guess I am not ready to send my work to China yet, while I really do want to. Why? That would be a great topic for another post.

Can’t teach an old dog new tricks

“Yes to death” is a well known phenomenon. In many places people are conditioned never to say “No” and that’s particularly true for India and even more so for Indian outsourcing companies. Saying No as well as other forms of delivering “bad news” or a “negative message” are considered rude and offensive. The fact that it causes enormous issues on the business delivery side is dwarfed by the cultural conditioning. Not long ago I was on an interviewing marathon in Noida, India. Just before the start I spent some time talking with a VP of services for the company. I asked him what his company did to deal with cultural differences. He went on explaining how they invested in cross cultural training and that all employees were specifically trained on “cut to the chase” American culture, and so on. My first interviewee was a project manager with about 10 years of experience. I asked him “Rajiv, imagine the situation that when your team is falling behind because of some serious screw up on my part. What would you tell me to deal with the situation?”. The next five minutes went into back and forth of defining the fine details of the situation and I started running out of patience, so I asked again “Will you tell me that you are falling behind and that is my fault?” Rajiv went silent for a few seconds, looked at the VP and then said – “Of course I would never tell you that!”