DALLAS—Integrating information security in offshore outsourcing efforts, primarily driven by customer demands, requires providers—both captive and third-party entities—to address regulatory, communication and management issues, said panelists here at the Mortgage Bankers Association's National Technology in Mortgage Banking Conference & Expo.
“Is it secure? How secure is the data? These are questions that come up all the time when customers are considering offshore outsourcing,” said Prashant Kothari, CEO and founder of String Real Estate Information Services, Washington, D.C. “The foundation premise is that if you [customers] don’t have an effective domestic information security program, distance will make things worse. Furthermore, you can’t secure what you don’t know. Outsourcing is an eye-opener for many prospects. Weak internal security measures often surface in companies that are in the consideration process.”
Al Kirkpatrick, chief information officer at The First American Corp., Santa Ana, Calif., outlined offshore outsourcing alternatives that include piecework, workflow integration and hybrid options and inherent security concerns. “Knowing the forming factor is not as easy as it seems,” he said. “Security measures vary depending on the offshore outsourcing models companies choose.”
“U.S. customers are fearful or at least cautious,” Kothari said. “This is a potential public relations or political issue. The way to overcome that is to be upfront and give the consumer or client the facts and the choice of whether they want the work to be done onshore or offshore. After that, allow them to decide what they want. In our experience, 84 percent chose to go the offshore route.”
With U.S. unemployment rising, some are critical about offshoring. Kirkpatrick disagreed. “Regulators, and mostly federal banking regulators, reacting to public outcry of jobs going offshore, feed growing concerns about offshore outsourcing. As a result, there is more and more detailed scrutiny of work going offshore. It’s a knee-jerk trickle down from regulators.”
Current applicable standards in offshore outsourcing include ISO, SOX and SAS-70 measures. SAS 70, the Statement on Auditing Standards No. 70, assesses contracted internal controls of a service organization that provides outsourcing services that would directly affect the operations of a contracting enterprise.
“SAS-70 is the ticket to offshoring, and prospective companies look for this in vendors when they are considering offshoring,” said Thomas Morgan, chief information officer at Washington Mutual, Seattle.
Tactical differences in legal and privacy norms and systems do exist, Kirkpatrick said. “Theft is still theft anywhere, and differences exist with respect to information security. Companies want counterparties incorporated in the U.S. operations of vendors—engaging outside counsel can help establish that. Stability and standardization of policy could also help vendors—implement policy across all offshore locations while acknowledging that central policy tactics will differ.”
Kothari said the integrity of security systems and personnel is important. “Spend time considering security service providers and utilize offshore vendor resources,” he said. “Sometimes geopolitical and terrorism threats, which aren’t really of concern in countries like India, may affect customer decisions.”
“Have measurable key performance indicators,” Kirkpatrick said. “Be able to answer questions your clients have.”
Kothari agreed. “As with any management process, measuring key performance is critical. Data security is taken very seriously in India. The government and trade associations such as NASSCOM are working hard to create standards and monitor and furthermore, there is an ecosystem of audit, accounting and certification firms that provide services to offshore outsourcing vendors.”
Article Source: http://www.mortgagebankers.org/technewslink/2008/3/25/edition1/conference_spotlight2