Tuesday, January 11, 2011

The Intellectual Property Scare

We start most interactions with prospective customers or vendors with a duly crafted Mutual NDA - for larger clients it's mostly a CYA, while for the smaller outfits, I guess it provides a sense of security. That said, I've never had the occasion, first or second hand, to see any substantive breaches of these by anyone I know.

So when prospective customers do make a big deal out of it when sending out work to India, I'm frankly puzzled. Puzzled not because it's not an issue - there are horror stories - but because it's all about common sense management of risk. So here are some things that will keep you safe so that you can focus on things that matter - like building a better quality product and selling it to a large number of people.

#1. Honestly evaluate if you're at risk
I had a prospect who spent several days of his time and mine trying to figure how to protect his code base. His application? Available on the web for $19.99 per month unlimited usage. If I were a legitimate competitor, stealing his codebase would be the last thing on my mind.

#2. Know what's at risk
Years ago, we spent a lot of time consulting for large Telcos; at one of them, I was appalled to see the ease with which I could access its customer care information - including social security and credit card numbers. And this at a place teeming with contractors. They got lucky: nobody put that data on a CD and walked out.

When we outsourced our work, we spent a few hours classifying our assets into stuff that (a) could be sent out of the company with minimal risk - about 80% of what we had; (b) needed to be obfuscated or dummied up - about 15%; (c) under absolutely no circumstances should be accessible to anyone outside the core team - about 5%. It wasn't hard to do, and it buys you a lot of peace of mind.

#3. Know your vendor
It's easy to do a reference check on your vendor. And ask a few questions about their internal practices - do they have separate repositories for each client/project? What kind of access restrictions and tracking do they have? What physical security do they have in place? Have someone local help you do some due diligence - it's not hard to do.


These are steps you should be taking anyway, whether you're outsourcing or not. Maybe the possibility of sending your work out brought these issues to the forefront - think of it as a way to better your own practices rather than as an aggravation - your IP is important to you, isn't it?
