Basing IT services overseas is no longer a novelty to Bernard "Bud" Mathaisel, CIO of software development services provider Achievo. After all, he'd been working with outsourced IT and manufacturing for many years as CIO of Ford, Solectron, and others.
But a year ago, he noticed that his company's potential clients asked the same top question when they toured his new China development centers: Will my intellectual property be protected in a country whose legal enforcement of intellectual property laws typically ranges from lax to nonexistent?
[ Discover what insights you can take advantage of from the other 2008 InfoWorld CTO 25 winners. ]
His experience with offshoring IT and related services in China, Mexico, and central Europe had already led Mathaisel to put stringent controls on access to code, which is, or contains, the customers' key intellectual property.
For example, in a China facility opened last year, developers work in a glass-walled room accessible only with electronic key cards. The workstations are not networked to each other or to the rest of the company's systems, nor do they have access to the Internet, e-mail, or other external conduits. The USB ports are disabled, and you can't burn discs. The systems do connect to one isolated server, to which code is checked in. A separate team reviews the code and moves it to testing and production systems. "There is a complete separation of duties," Mathaisel says.
There is also constant education and reinforcement of the need to protect data, expectations that get set during the hiring process. "It's like bringing back the World War II 'loose lips sink ships' mentality," he says.
But his customers' questions made Mathaisel realize that the issue was deeper than the controls put in any particular facility. Customers would want such controls to exist across all of his facilities and to be validated by a trusted third party. After researching the issue, he came across the ISO 27001 standard for ensuring security through a variety of business and IT processes. He hired a consultancy to review his China operations and see what needed to happen to meet those requirements, then set about making the necessary changes. Thanks to the work already done, that effort, and the independent certification that followed, took just three months at Achievo's top five China facilities.
Now Mathaisel is reworking his security approaches in Europe and the United States to meet the same ISO 27001 requirements, even though customers haven't yet asked for that in any large numbers at those facilities.