“So could we agree that, assuming typical levels of due care, BRIC is worse than non-BRIC and outsourced is worse than in-house from a risk perspective?”

I don’t think so. I don’t think it is reasonable to use BRIC as some sort of arbitrary grouping for risk management purposes, and I believe two of the four have much more significant threat aspects to them.

Outsourced vs. in-house risk is pretty “cloudy” as well . I think the risk of insider abuse (insider = administrator with access to data) probably rises; but external risks could be reduced.

Of course, even in-house operations in those countries tend to have much higher incidences of information loss, giving us (optimistically) a qualitative risk grid of:

———– |BRIC | non-BRIC |
In-house | M | L |
Out-sourced | H | M |

(pardon the formatting)

So could we agree that, assuming typical levels of due care, BRIC is worse than non-BRIC and outsourced is worse than in-house from a risk perspective?

I mostly agree that outsourcing “core” (typically supply chain) functions is a key indicator of risk tolerance, but I believe location is relevant in the same way it matters to businesspeople – customs and legal environment matter quite a bit.

In addition with China, it seems to me that we have relevant information that suggests both industrial espionage and cybercrime are of higher risk there than many other countries (including U.S.). I would gladly change this opinion if shown evidence to the contrary.

Thanks,

Pete

Consider, for example, HTC. They used to be strictly a contract manufacturer. Now they develop their own products using knowledge learned doing contract manufacturing.

Primarily because China was in the article I was reading that sparked it, but more generally because it is the largest, most popular country for outsourcing with the largest, most active, hacking community. At least in my opinion.

It is certainly reasonable to apply this thought process to the others as well.