[ISN] When outsourcing, don't forget security, experts say

InfoSec News isn at c4i.org
Wed Sep 22 06:51:48 EDT 2004


By Scarlet Pruitt
SEPTEMBER 21, 2004 

When it comes to outsourcing IT operations to countries such as India
and China, companies often focus on slashing costs and gaining
productivity but fail to take into account cultural differences that
may affect their security, according to experts attending the Gartner
IT Security Summit in London today.

"India is seen as an answer when outsourcing applications but is
actually a problem in the security space," said Gartner India research
vice president Partha Iyengar while moderating a panel on offshoring.

At issue is not so much the security that outsourcing service
providers use to protect companies' systems -- such as firewalls and
data backup -- as it is the cultural differences, Iyengar said. For
instance, standards of privacy are often looser in India because it's
a close-knit society where, say, reading someone else's e-mail
wouldn't be considered much of an intrusion, Iyengar said.

This more relaxed attitude toward privacy could have serious
consequences when it comes to protecting corporate data, experts on
the panel warned. Companies that outsource operations overseas are
advised to train local staff to adhere to the company's global privacy
standards and to check into the risk of government interception of
sensitive confidential information.

"Fifty percent of companies understand that there are security issues
with offshoring, but the real issues are cultural and in compliance
and regulation," said Lawrence Lerner, senior technical architect of
the Advanced Solutions Group at Cognizant Technology Solutions Corp.

Lerner said his company advises its clients to document its processes
when outsourcing and get all parties involved to sign off on
procedures to ensure transparency. He also suggests performing
background checks on local staff.

As a result of high demand by Western companies looking to reduce
costs, some outsourcing service providers in India and China are
growing rapidly, hiring thousands of new employees in a month. "When
you are hiring 5,000 people at a time, you need to make sure that they
all adhere to the same standards," Lerner said.

R.K. Raghavan, consulting adviser on security at Tata Consultancy
Services Ltd., one of India's largest IT services companies, said his
firm is feeling the effects of these client demands. "We are bending
over backward on security, primarily to cater to our U.S. customers,
which are a huge part of our market," Raghavan said.

Tata has recently changed the way in which it performs background
checks on potential employees amid volume hiring and increased
customer demands.

Previously, the company required two references from each applicant as
a security measure but did not ensure that the applicant had no
criminal record. Furthermore, the company found that fingerprinting is
considered offensive in the Indian culture, Raghavan said. Finally,
Tata decided to outsource security checks to the local police by
requiring that applicants have an Indian passport, which can be
acquired only by passing vigorous security checks by law enforcement
officials, Raghavan said.

In addition to shoring up its own security checks, Tata has worked to
increase security awareness among staff through training, according to
Raghavan. "Employees need to think about security all the time to be
competitive," he said.

As it turns out, so do the outsourcing providers. "We understand that
India is still seen as a mythical place to many people, and we need to
assure them that we can provide the same kind of security as they are
used to," Raghavan said.

But even with the added assurances being given by outsourcing
providers, the differences between doing business at home and doing it
abroad can't be minimized, said Nigel Balchin, chief architect at
Short Hills, N.J.-based The Dun & Bradstreet Corp. "We are all a
little naive going in," Balchin said.

One way of ensuring that security and regulatory compliance concerns
are met is by putting the onus on the outsourcing provider and writing
it into the contract, he said. "It pays dividends to have the provider
responsible for these issues," Balchin said. "For us, it's a
distraction from our core business."

Cognizant's Lerner advises clients to take a more hands-on approach,
however. "You must physically go and check any outsource center you
have," Lerner said. "Do it regularly, and consider these centers as
part of your own company."
