17 Jun 2021
Security in Software Development Outsourcing
In our materials, we often state that one of the most crucial factors in truly benefiting from software development outsourcing is choosing the right vendor. That is why we share advice and guidelines on the various aspects of the selection process on our blog, to help you make an evidence-based decision that will pay off in the future. In this article, we want to cover another element that needs to be examined meticulously before you decide to sign the deal: security.
Yet before we move to the main part of this text, we owe you a short explanation. The term “security” in the context of software development outsourcing covers more than cybersecurity. It also includes everything related to operational stability, risk management, and business continuity. Since these elements are affected not only by a company’s internal policies and processes but also by external conditions, we will first describe what to verify before making the first call, and then focus on what should be done after you choose a particular vendor, because ensuring security is a continuous process that does not end once the deal is sealed.
First, let’s take a look at the external factors influencing security. These are mostly related to the country’s geopolitical situation and its legal regulations. But before we dive into what you should check, a friendly reminder for those of you who aren’t sure which destinations are even worth considering: we have already compiled a list of the best software development outsourcing destinations and described their pros and cons, so be sure to check it out! One more disclaimer: for reference we will use Poland, since that is the country we know best, for obvious reasons 😉.
The first thing worth looking at is the security reports created by various organizations around the world. These provide an unbiased rating based on multiple factors, allowing you to assess whether a particular destination can be considered safe without spending a lot of time and effort. Among them you will find reports focused on a particular aspect of security, like the International IP Index created by the US Chamber of Commerce; reports focused on cybersecurity in general, such as the National Cyber Security Index; and statistics on the so-called “ease of doing business”, which covers multiple elements from the ease of opening a business through all the operational stages up to the aspect most important from this point of view, “operating in a secure business environment”. In the vast majority of cases, examining such reports and combining them with basic geopolitical knowledge is more than enough to decide whether a particular destination is worth a closer look from a security perspective.
Yet for those of you who want to know more, we can share some of the elements that our Partners, who want to rest assured that all the operations delegated to us are safe, sometimes ask about. The external factors they ask about are the rule of law (for countries that are part of the EU, as Poland is, it is worth noting that apart from internal regulations they must obey EU regulations such as the well-known GDPR, introduced to ensure personal data protection), geopolitical stability (mostly the potential threat from neighbouring countries; such problems are fortunately rare, but as an example we can point to the tension between Ukraine and Russia a few years ago), and even environmental conditions (some places are more exposed to natural hazards such as floods, tsunamis, or storms), all of which may affect your operational continuity. However, as we wrote above, focusing your search for the best provider on countries that are considered safe and stable should give you peace of mind, and much more attention should be paid to the specific vendor you wish to work with.
If we had to answer in a single sentence the question of which security standards and policies your potential partner should follow, it would be: it depends 😉. And that is not shirking responsibility; the truth is that most companies we work with have their own proven standards that we, as their provider, have to meet. Obviously, the bigger the company, the more detailed such requirements are. If your business has internal regulations, just make sure that the potential provider is able to meet them. You can do this by performing a vendor risk assessment, then talking through any doubts at one of the meetings, and so on. However, if you haven’t put together such a list yet, let’s quickly go through some of the issues that come up regularly.
Here the division between cybersecurity and operational continuity is more visible, so let’s start with the latter. Continuity is analysed meticulously mostly by big enterprises looking to delegate a huge amount of work; in such a scenario, continuity is truly a matter of survival. Apart from the environmental conditions described above, you should verify the local talent market (if the need to scale up arises, would the vendor be able to find more specialists locally and, as a result, ramp up quickly?), whether they have more than one office (in the current era of remote work this is becoming less important, yet we have had such questions in the past), and what their business continuity plan (BCP) looks like. You can also ask about the employee retention rate. Higher turnover not only increases the risk of problems with maintaining business continuity, but also forces you to spend more time and resources on sharing and retaining knowledge. Experienced vendors should be willing to answer all these questions and have BCP plans prepared in advance.
When it comes to cybersecurity, the picture is even more varied. For example, for companies from the EU, compliance with GDPR is crucial, since they are held responsible even if it was their vendor that slipped up, while US companies do not have to comply with this regulation and pay much less attention to it. The general aspects that should always be discussed relate to security controls: management of resources such as laptops, routers, servers, and so on, and access management. Additionally, it is not unusual for our Partners to inquire about the software we use daily, ask how we manage vulnerabilities, and discuss ways of continuously improving in this field; for example, we regularly host internal and external audits to detect any potential loopholes and fix them immediately. You can also ask whether the vendor has any kind of liability insurance and what it covers, so that in the case of a security incident (say, a leak of confidential data), apart from the technical skills necessary to fix the issue that caused the problem, they would also have the financial capacity to handle any potential penalties.
These general aspects are enough to give you a general sense of the vendor’s security posture and are a solid foundation for detailed verification at the later negotiation stages. As we said, almost all companies nowadays have their own internal security policies and need to ensure their partners are aligned with them. The particular elements will differ between businesses, but to show what we have in mind let’s use some extreme examples: for some financial companies it may be crucial to run background checks on their outsourced employees, while healthcare companies, for example, work with extremely sensitive data, so their protection measures are usually remarkably extensive, and that is what they require from their partners too.
Last but not least, you can hire an external audit company to verify whether the potential vendor meets your security requirements. Such companies provide an unbiased review, yet since this generates additional costs, such verification is rather rare. An easier option is to ask your partner whether their services comply with one of the security standards or frameworks; we, for example, undergo an annual SOC 2 Type II audit and operate with ISO 27001 as our reference for security best practices.
Signing the deal
Once you are positive that the company you have selected matches your needs and fulfils your security requirements, it is time to sign the deal and put everything you agreed on paper. Whether you choose Time and Material or Fixed Price, it is worth including all the discussed arrangements in the agreement so that you remain on the safe side. Creating a complete list of such elements for this text makes no sense, since the terms are always tailored to a particular situation, but we can share some universal elements to give you a better overview. Among these are rules related to access, vulnerability management, incident reporting, responsibilities, and so on. These should be precise: for instance, you might require immediate notification of an incident, reports from yearly security audits, inclusion of the whole BCP, password policies (say, that 10-character passwords and 2-step verification are required), antivirus software requirements, and so on. Another best practice is to include a rule that if your partner is forced to use third-party providers, all the security obligations are passed on to them, and the original vendor remains responsible for compliance. The contract should also include rules regarding IPR, specifically that all the intellectual property created by the vendor is transferred to you. While for software development companies like ours such practices are almost standard, it is always better to be safe than sorry. Last but not least, it is worth agreeing on the possibility of running a security audit, either online or on-site, so that you can verify that your standards are met.
As we said at the start, the process of ensuring security does not end after signing the deal. The first and most apparent element of continuous improvement is the audits mentioned earlier, run both by the vendor as internal inspections and by your organization to keep a hand on the pulse. But since many companies strive for a long-term partnership with their external partners, they must be ready to make adjustments as conditions change, both external and internal. Let’s look at a shift in external conditions through the lens of 2020. The COVID pandemic made most companies alter their operational model and forced them to start working 100% remotely. Although we had worked partially remotely before, switching to remote-only was a significant transformation, and all of its challenges had to be addressed. To maintain business continuity and data security, we first ran extensive tests to make sure that neither the effectiveness of work nor data security would be compromised. Then we reached out to our Clients to discuss all the details with them. Clearly, this case is an extreme one, but it perfectly illustrates our point: it is impossible to predict everything and set security policies once and for all. Therefore, in such emergencies you should always be in direct contact with your partners, to ensure that the external factor either does not harm your operations at all or that the damage is minimized.
However, external factors are not the only thing to keep in mind. Your internal environment may also change: say you start operating in a new, more regulated market, or simply begin providing your service to a Client with stricter security regulations. Such situations are nothing to be afraid of, yet to remain on the safe side some adjustment may be necessary. You should be ready to discuss your current needs with your provider, examine the possible ways of addressing them, and as a result work out matching practices and security policies. What’s more, the security world is constantly moving forward, and ever more technically advanced options for managing data security become available. Therefore, both you and the provider you work with should monitor current best practices and implement both technical upgrades and policy changes whenever necessary to maintain top market standards.
Saying that security is a crucial element of operations is a cliché; we all know that. That is why the time spent first verifying whether your software development partner can match your requirements and then implementing continuous improvements should be treated not as a cost but as an investment. Over the last 22 years we have worked with Clients from different industries, some of them operating in extremely regulated fields like healthcare or financial services, and maintaining the highest security standards has allowed both us and them to focus on growing their business without losing time, money, and reputation over security incidents. If you want to dive much deeper into this subject and discuss how best to address your particular situation, just use the contact form below; we are more than happy to share our knowledge and experience.