A prescient security approach helps an outsourcer move quickly to address customer intellectual property protection needs

Basing IT services overseas is no longer a novelty to Bernard “Bud” Mathaisel, CIO of software development services provider Achievo. After all, he had been working with outsourced IT and manufacturing for many years as CIO of Ford, Solectron, and others. But a year ago, he noticed that his company’s potential clients asked the same top question when they toured his new China development centers: Will my intellectual property be protected in a country whose legal enforcement of intellectual property laws typically ranges from lax to nonexistent?

[ Discover what insights you can take advantage of from the other 2008 InfoWorld CTO 25 winners. ]

His experience with offshoring IT and related services in China, Mexico, and central Europe had already led Mathaisel to put stringent controls over access to code, which is, or contains, the customers’ key intellectual property. For example, in a China facility opened last year, developers work in a glass-walled room accessible only with electronic key cards. The workstations are not networked to each other or to the rest of the company’s systems, nor do they have access to the Internet, e-mail, or other external conduits. The USB ports are disabled, and discs cannot be burned. The only connection the workstations do have is to a single isolated server, to which code is checked in. A separate team reviews the code and moves it to the testing and production systems. “There is a complete separation of duties,” Mathaisel says.

There is also constant education and reinforcement of the need to protect data, expectations that are set during the hiring process. “It’s like bringing back the World War II ‘loose lips sink ships’ mentality,” he says.

But his customers’ questions made Mathaisel realize that the issue was deeper than the controls put in place at any particular facility.
Customers would want such controls to exist across all of his facilities and to be validated by a trusted third party. After researching the issue, he came across ISO 27001, the standard that specifies the requirements for an information security management system spanning business and IT processes. He hired a consultancy to review his China operations and determine what needed to happen to meet those requirements, then set about making the necessary changes. Thanks to the work already done, that effort, and the independent certification that followed, took just three months at Achievo’s top five China facilities.

Now Mathaisel is reworking his security approaches in Europe and the United States to meet the same ISO 27001 requirements, even though customers have not yet asked for that in large numbers at those facilities. The reason? An FBI report showed that the top five countries of concern for intellectual property theft and industrial espionage were China, India, and Russia (three that one might expect) but also France and the United States. “You know that old adage, ‘Why do thieves rob the bank? Because that’s where the money is’? Well, that’s where the software development is,” Mathaisel says. “The risk goes beyond China.”

Mathaisel now preaches ISO 27001 to industry groups and customers, considering it as fundamental to well-run IT as capability maturity models and the ITIL framework. Although described as a security standard, ISO 27001 is really a rigorous IT administrative management approach that covers everything from hiring through disaster recovery, he says. Applying it helps companies not just protect intellectual property but also adhere to Sarbanes-Oxley and other regulatory requirements related to due diligence.