Security and compliance challenges in complex IT outsourcing arrangements: A multi-stakeholder perspective

Complex IT outsourcing arrangements promise numerous benefits such as increased cost predictability and reduced costs, higher flexibility and scalability upon demand. Organizations trying to realize these benefits, however, face several security and compliance challenges. In this article, we investigate the pressure to take action with respect to such challenges and discuss avenues toward promising responses. We collected perceptions on security and compliance challenges from multiple stakeholders by means of a series of interviews and an online survey, first, to analyze the current and future relevance of the challenges as well as potential adverse effects on organizational performance and, second, to discuss the nature and scope of potential responses. The survey participants confirmed the current and future relevance of the six challenges auditing clouds, managing heterogeneity of services, coordinating involved parties, managing relationships between clients and vendors, localizing and migrating data and coping with lack of security awareness. Additionally, they perceived these challenges as affecting organizational performance adversely in case they are not properly addressed. Responses in form of organizational measures were considered more promising than technical ones concerning all challenges except localizing and migrating data, for which the opposite was true. Balancing relational and contractual governance as well as employing specific client and vendor capabilities is essential for the success of IT outsourcing arrangements, yet do not seem sufficient to overcome the investigated challenges. Innovations connecting the technical perspective of utility software with the business perspective of application software relevant for security and compliance management, however, nourish the hope that the benefits associated with complex IT outsourcing arrangements can be realized in the foreseeable future whilst addressing the security and compliance challenges.