• United States

When outsourcing, don’t forget security, experts say

Sep 21, 20044 mins
Enterprise ApplicationsSecurity

When it comes to outsourcing IT operations to countries such as India and China, companies often focus on slashing costs and gaining productivity but fail to take into account the cultural differences that may affect their security, according to experts attending the Gartner IT Security Summit in London on Tuesday.

“India is seen as an answer when outsourcing applications but is actually a problem in the security space,” said Gartner India research vice president Partha Iyengar while moderating a panel on offshoring security.

At issue is not so much the security that outsourcing service providers use to protect companies’ systems – such as firewalls and data backup – as much as it is the cultural differences, Iyengar said.

For instance, standards of privacy are often looser in India because it’s a close-knit society where, say, reading someone else’s e-mail would not be considered much of an intrusion, Iyengar said.

This more relaxed attitude toward privacy could have serious consequences when it comes to protecting corporate data, experts on the panel warned. Companies that outsource operations overseas are advised to train local staff to adhere to the company’s global privacy standards and to check into the risk of government interception of sensitive confidential information.

“Fifty percent of companies understand that there are security issues with offshoring, but the real issues are cultural, and in compliance and regulation,” said Lawrence Lerner, senior technical architect of the Advanced Solutions Group at Cognizant Technology Solutions.

Lerner said his company advises its clients to document its processes when outsourcing and get all parties involved to sign off on procedures to ensure transparency. He also suggests background checks on local staff.

Due to high demand by western companies looking to reduce costs, some outsourcing service providers in India and China are growing rapidly, hiring thousands of new employees in a month.

“When you are hiring 5,000 people at a time, you need to make sure that they all adhere to the same standards,” Lerner said.

R.K. Raghavan, consulting advisor on security at Tata Consultancy Services, one of India’s largest IT services companies, said that his firm is feeling the effects of these client demands.

“We are bending over backward on security, primarily to cater to our U.S. customers which are a huge part of our market,” Raghavan said.

Tata has recently changed the way in which it performs background checks on potential employees amid volume hiring and increased customer demands.

Previously, the company required two references from each applicant as a security measure but did not ensure the applicant had no criminal record. Furthermore, the company found that fingerprinting is considered offensive in the Indian culture, Raghavan said. Finally, Tata decided to outsource security checks to the local police by requiring that applicants have an Indian passport which can only be acquired by passing vigorous security checks by law enforcement officials, Raghavan said.

In addition to shoring up its own security checks, Tata has worked to increase security awareness among staff through training, Raghavan said.

“Employees need to think about security all the time to be competitive,” Raghavan said.

As it turns out, so do the outsourcing providers. “We understand that India is still seen as a mythical place to many people and we need to assure them that we can provide the same kind of security as they are used to” Raghavan said.

But even with the added assurances being given by outsourcing providers, the differences between doing business at home and doing it abroad cannot be minimized, said Nigel Balchin, chief architect at Dun & Bradstreet.

“We are all a little naive going in,” Balchin said. One way of ensuring that security and regulatory compliance concerns are met is to put the onus on the outsourcing provider and writing it in the contract, he said. “It pays dividends to have the provider responsible for these issues. For us it’s a distraction from our core business.”

Cognizant’s Lerner advises clients to take a more hands-on approach, however.

“You must physically go and check any outsource center you have. Do it regularly, and consider these centers as part of your own company,” Lerner said.