In gloomy economic times, organisations across the board look to cut costs—and one key way of doing this is to contract out business functions to partners through outsourcing. Research just published by Quocirca entitled Winning outsourcing strategies, commissioned by Ounce Labs, looks to gauge how 200 of the largest organisations in the UK and US are handling a fast growing area of outsourcing—that of software application development and delivery.

Custom-made and customised applications are of great value to organisations, supplementing the more general capabilities of commercial off-the-shelf packaged applications in a number of ways. Yet, while outsourcing of the development or delivery of software applications can bring a number of benefits in terms of access to specialised resources and potentially lower costs of service delivery, it is not without its risks.

Does this mean that organisations that are outsourcing the most are putting themselves at greatest risk? On the contrary; as Quocirca's research shows, industries with the least history of outsourcing experience the most difficulties in successful project completion and are exposing themselves to high levels of risk. Among the five vertical industries surveyed—retailers, transport companies, large enterprises, the public sector and financial institutions—the finance sector comes out at the bottom of the pile.

And these problems rub off on the outsourcing partner as well, with 90 per cent of respondents from the financial sector believing that outsourcers should fix any problems that occur at their own cost—far higher than for any other industrial sector.

So where should the blame lie? The importance of getting the outsourcing contract right cannot be stressed enough. However the research shows that generally organisations are their own worst enemies, often placing themselves in a poor position in terms of being able to verify that the applications delivered will perform as required. Through use of lackadaisical processes, many organisations, including those in the financial sector, could be leaving themselves at serious risk of attack.

Not only are the processes uncovered in this research that are used for more traditional outsourcing by financial firms poorly defined, but the problems are likely to be compounded as the financial sector is one of the keenest proponents of fast-emerging application delivery outsourcing mechanisms.

Where does this leave finance firms? This sector has certainly come in for some flak recently—much of which can be laid at the door of poor business processes. Back in April 2008, the UK's Financial Services Authority (FSA) published research, Data security in financial services, that largely confirms the findings of Quocirca's research, concluding that data security in financial services firms needs to be improved significantly.

Concerning the use of outsourcers, it found "little evidence that firms either performed data security due diligence on their third parties before agreeing a contract or that they exercised audit rights to ensure that third parties were meeting agreed standards throughout the contract term." The FSA has already stepped up enforcement action against transgressions such as these that have led to data breaches and much more is likely to come. Unless they can get their houses in order, we can expect to hear further tales of woe from the financial sector.