Are outsourcing service providers in India paying lip service to security in performing the work entrusted to them by companies in the United States and elsewhere? A report by Forrester Research suggests that to at least some degree, they are.
According to an article on Computerworld, Forrester is warning that despite positive measures to bolster security taken by the Indian government and the Indian IT trade association Nasscom, there is cause for concern:
Forrester analyst Sudhir Apte, who authored the report, said that many of the security measures in place appear designed to appease concerns more than anything else. "What I am seeing is most vendors are checking the box" on technology controls to address security threats and business continuity issues. "They view it as marketing collateral" while pitching their services. One big issue continues to be an overemphasis on technology controls, achieving certifications and publishing policy statements, Apte said. The efforts appear designed to "showcase" security rather than coherently reduce threats. Key issues such as employee training and awareness are often completely ignored, and many companies have a casual approach toward access control and physical security. Apte also noted a lack of executive support for security programs. According to him, many Indian CSOs reported being overlooked by higher-ups and of executive support being sporadic, at best. Security only gets attention when there is a breach or when an incident is reported in the media.
Clearly, this assessment should be taken seriously by any company that's outsourcing work to India or considering doing so, and it should serve as a reminder that companies need to perform security due diligence before engaging the services of an outsourcer in India, or anywhere else, for that matter. But it would be extremely shortsighted to paint the Indian outsourcing landscape with a single "don't go there" brushstroke. No doubt, there are any number of U.S. companies that can provide glowing testimonials about exceptional work performed and security measures observed by outsourcing partners in India.
At the same time, given that most midmarket companies in the United States simply don't have the resources to perform an analysis of the security conditions at Indian outsourcers, many of those companies would be well advised to focus on domestic outsourcing alternatives.
The trade association TechAmerica has been doing a good job of educating U.S. IT professionals about those alternatives, especially economical alternatives made possible by a new emphasis on performing work in low-cost locations. In fact, it will host a free webinar on "Best Practices in Domestic Sourcing" on April 27 that might be worth checking out. The more choices we have, the better.