For all the advances in telecommuting, convincing business executives to let distributed teams run complex technology projects has never been an easy task. Whether it comes to in-house teams or outsourced operations, the concerns usually centered around efficiency: Can these groups communicate. Can they collaborate? We have all dealt with such questions a thousand times.
The recent wave of concern about cybersecurity — or cyber insecurity, to use a term that better reflects the worry — certainly does not help either. It is not just the business and operational executives who are now concerned. You can now add risk, legal, and compliance to the mix of nervous departments.
They all have legitimate concerns: Does remote access and collaboration tool increase the risk of data breach? Are data-protection terms enforceable in overseas jurisdictions? Can remote contractors plant a “backdoor” that will let them siphon data long after they are gone? The list goes on and on and on.
Yet, for companies that want to compete and win, there is little choice but to invest in more complex technology. There is no way to get it done without relying on the best talent available no matter whether that is in-house, local, nearshore, or overseas — and generally some combination of all these options. So how does one structure these distributed teams without elevating security risks?
To start, it is useful to dispel some persistent myths about cybersecurity. One misconception is that data breaches are inevitably the result of flaws in IT systems. Another is that external hacking is mostly to blame. In fact, most data breaches are perpetrated by people associated with the company: permanent employees, temporary workers, contractors, or vendors.
Hacks are often informed or initiated by information supplied from the inside. That such information is easily available is often caused by failure of corporate governance and compliance rather than IT. Business managers often turn a blind eye on employees, ignoring or corrupting security policies by, for example, storing confidential client data on local computers.
Normally, extending technology development beyond a single office wall should not necessitate creating a new layer of cyber defenses — they should be there in the first place. Security policies for employees should be extended to contractors. The chance of a disgruntled former employee planting an exploit or copying proprietary code before they leave is no smaller than external contractor doing the same. This is why operational measures, such as code reviews and static code analyzers, should be part of any development-team procedure.
Second, smart use of technology can significantly reduce the risk of unauthorized data access. The choices are endless, but three things are standard fare. Even for companies hesitant about running critical data systems in the cloud, PaaS are a very efficient, and very secure, place to set up development environments. Automated data obfuscation techniques ensure efficient development and testing without risking client data.
Last but not least, clever DevOps and deployment automation minimize the need for humans to access and manage real production environments. The fewer people who have access to critical databases, the smaller the risk. And the only way to ensure it without losing productivity is smart automation.
Finally, the classic issue of “us vs. them” must be dealt with from the outset. Management will only buy in to the idea of relying on a vendor for a complex distributed project when the concept of “outsourcing” is replaced by “co-creating.” By structuring the relationship so that the vendor is motivated by the system’s long-term success, the company can significantly reduce its security exposure.
Long-term, build-and-operate contracts with significant clawback provisions are helpful in aligning interests, as are many other operational and legal techniques. Such methods have been used for years to reduce all kinds of risk. Now, with distributed teams becoming increasingly critical to project success, it is time to add cybersecurity risk to the list.