One of the most frequent questions I get asked regarding moving project work offshore is around Intellectual Property (IP) protection. Often, this question is asked based on the perception that doing software work offshore inherently puts a company’s IP at greater risk than the way work is done at that company today. While there are certainly safeguards you (and your provider) absolutely must put in place – often, the questions around IP are driven more by rhetoric than reality – and this can steer the conversation to a place which isn’t terribly effective at actually increasing the security of a company’s IP and sensitive information.
So I thought I might write down a few thoughts (in a step-by-step approach) based on some years of experience with this topic – trying to emphasize some of the key things you should be looking at when deciding to move some development work offshore, or when evaluating your current multi-shore arrangement.
Step 1: Take a realistic view of your risk
Just because something is valuable to you doesn’t mean it’s valuable on the open market, and value on the open market is the main motivation for IP theft. Be realistic. Is that 10-year-old, CORBA-based integration layer to home-grown legacy internal systems really so valuable that someone would lift the code and resell it on the open market? Unlikely. But could someone exploit knowledge of that architecture to compromise your systems? Potentially. Does the loss of customer PHI (Personal Health Information) represent a severe legal risk to your company? Yep. The best advice is to follow a standard risk assessment: probability of loss × impact of loss ($), so that your controls go where the expected loss is highest.
Step 2: Ensure your partner takes IP risk seriously
Ask about policies, enforcement and physical and technical security in the development center. Ask about connectivity options, data masking vs. rule-based data generation for test data, VPN vs. virtualized desktop. Ask about data storage, encryption, access control, etc. They should be able to speak to every domain covered by ISO/IEC 2700x (perimeter, personnel, data, network, etc.).
And while we’re on the subject of “standards” – make sure you know which standards, guidelines and certifications apply to the type of work you’ll be doing, and understand the difference between the three. There is a great amount of ‘marketing’ thrown around with regard to various security standards and guidelines – but practical adherence to the ‘spirit’ of those guidelines, specifically as they apply to your situation, is much more important than the ‘logo on the PowerPoint deck’.
Don’t be afraid to ask whether your partner has experienced security incidents in the past. For confidentiality reasons they may not be able to discuss specifics, but they should be able to talk about the types of incidents they have detected and stopped.
Step 3: Be realistic about litigation options
Litigation means you’ve already lost your IP. You’re now just trying to clean up the mess. IP infringement pursuits are costly, time-consuming and lengthy. Outcomes are usually compromises or settlements, and then of course there is the issue of collecting on the judgment.
However – you should still take care in packing this reserve chute, with the hope that you will never need to deploy it. Look at the big picture. Become educated on the statistics of various offshore venues. For example – I often hear that *everyone knows* that China is notorious for IP infringement – right? Well – sort of…. China has more incidents of IP infringement than other nations mostly because China has been an offshore textile manufacturing powerhouse for decades. It’s a statistical inevitability.
But we’re not discussing watches, DVDs, purses and running shoes. We’re talking about custom software development and sensitive customer information being protected in your partner’s offshore development center. Actual IP infringement incidents of that type are rare per Gartner and other groups I’ve discussed this with. Note that even the recent cyber-attacks in the news involve very different scenarios and motivations than what we are specifically discussing here. And keep in mind that China hosts an impressive who’s who of multinational corporations in industries such as health-care, finance, technology R&D and software development – all doing business there for years, leveraging best practices to keep IP and sensitive information secured.
Another misconception is around IP laws themselves. China’s IP laws are improving, but still behind others. India has stronger IP laws, but court backlogs are measured in decades. In other words – strong IP laws on paper and governmental lip-service don’t translate to real protection. Again – you have to look at the whole picture.
Your best bet is to stick with a financially sound, publicly traded US corporation that operates a wholly owned office in the offshore destination. That way all contracts are subject to US law and courts. You should ensure that your provider doesn’t make use of third-party foreign firms – meaning that they have complete, autonomous control over their policies, infrastructure and personnel. It’s no ‘accident’ that Perficient and a few others are structured in this way. These are conscious decisions we’ve made to ensure our operations are the most secure possible. We do a lot of our own IP development and R&D out of our own China delivery center.
Finally (deep breath)….. Are you going the route of crowdsourcing sites or offshore brokerage body shops that mass-email potential US customers? Better not send anything you want to hold on to. You are also well advised to inspect all returning code for quality issues, backdoors and potential infringement of other IP being incorporated illegally into your code. There go your cost savings.
Step 4: Follow-through (let me repeat that – follow-through)
Secure operating procedures and audits go hand in glove. Don’t be afraid to ask your provider for routine process audits and readouts on a monthly basis. They should have a mature Process or Quality Audit organization and process in place to ensure compliance at the project-by-project level. A paper process doesn’t protect you – rather, it’s the incarnation of that process in the team’s day-to-day mindset and daily activities that ensures protection.
Summary: Be specific, concrete and follow-through
Hopefully this gets a concrete and specific conversation started in your organization. IP protection in a multi-shore arrangement should be approached in the same way you approach your domestic IP protection (and in fact any other legal / engineering task). There are just a few additional moving parts. Feel free to post questions or comments – would love to hear from you.
And don’t put an undue sense of security in the geographical distance separating you from the rest of the world. The world is indeed flat and connected – and a data packet can travel around it in less than a second.