Have you noticed some new words creeping into the business vernacular recently? Words such as insourcing, inshoring, and reshoring are becoming more common, prompting me to think about their meaning in the context of cybersecurity.
In simple terms, insourcing is the process of bringing contractual and outsourced services back into the organization. Inshoring, or reshoring, brings back contractual and outsourced services or manufacturing from overseas to the US.
Given that information technology is the lifeblood of any organization today, I think there are some positive implications inshoring and reshoring have for information technology and information security. After all, cybersecurity is complex and challenging enough within the US borders. When multiple nations are involved, this complexity and challenge increase significantly.
So I see these new trends as having potential upsides. Here are a few I think worthy of mention:
Better control over supply-chain management. Integrity and a reliable chain of custody for all components of a system are important aspects of determining its information assurance level. This integrity is especially vital for control systems used in many critical national infrastructures.
International supply-chain management is inherently very complex. On top of that, the need to maintain integrity control of all components in a multinational environment further compounds this complexity -- frequently eliminating, and sometimes exceeding, the original cost advantages of outsourcing.
Better security of intellectual property. Though intellectual property is substantially at risk in any outsourced venture, international outsourcing increases the risk of US intellectual property loss dramatically. There could be loyalty issues, disclosure issues, or data retention issues. Communication links could be subject to unwanted or unknown surveillance. Additionally contractual and legal protections could be difficult to enforce.
Fewer risks to quality. In many cases, we have experienced quality reductions to unacceptable levels in various products and services that have been outsourced to international ventures. This has resulted in a return of these services and products back to the US shores.
Higher availability of the supply chain. International supply chains are frequently affected by international political, economic, and other forces that can negate the expected savings and reduce availability.
Reduced insider threat. Insiders are workers in an organization who have authorized access to systems and information. Inadvertent as well as malicious insider threats to information security are inherently most difficult to deal with. When this threat is spread across multiple countries, the risk is multiplied significantly. Value systems, cultural norms, workforce requirements, and normal everyday life can provide hostile outsiders the ability to foster insider threats. In addition, many types of personnel security controls and legal tools become unreliable and sometimes unavailable on foreign soil.
Easier access to US research institutions. Partnerships between government, industry, and US research institutions of higher learning have often been a major driving force behind innovation in technology. Without US-based manufacturing, such partnerships are weakened. Insourcing, inshoring, or reshoring from foreign countries back to the US should provide industry with increased access to US institutions of higher learning.
Fewer international technology transfer issues. Whenever technology leaves US borders, technology export laws are applicable. In addition, the laws of the foreign countries involved have to be considered. These considerations not only increase complexity and costs but can also introduce unacceptable levels of risk.
Reduced international data storage issues. Security of data at rest is always a challenge. When data crosses international borders, additional security considerations usually come into play.
Reduced exposure to international privacy laws. Data residing on foreign soil is subject to the privacy laws of the host country. In addition, US privacy laws may continue to be applicable. Reconciling all applicable laws is a significant challenge.
— Mansur Hasib has served in CIO/CISO and other leadership roles in the public, private, and education sectors.