Locked and Bolted?
Security's so hot, everyone's doing it. Or are they? A recent Dataquest CIO Summit takes up some current 'trends' and looks at the real picture behind them
Rajneesh De
Tuesday, September 27, 2005

Security outsourcing is a really hot trend today.

CIO View: Largely in sales presentations. Yes, routine security maintenance services are growing. But big time security management outsourcing is a long way off.

Research analysts, consultants and, most importantly, the security vendors have been arguing vehemently for quite some time that the Indian security market is gradually evolving towards the services model. The 2004-05 numbers do indeed justify their prognostication: the security services market had grown by 74% to reach Rs 157 crore. Contrast this with the Rs 203 crore security products market that had grown by 35% at the same time. Nothing could better illustrate the apparent shift harped on by the vendors.

'Implementing a security solution is like locking your house. It is meant to keep honest people honest. Rogues will anyway somehow break into your systems'
-M Gajapathy
CTO, Transworks

So far, so good. However, many vendors, and even some consultants, are venturing further and claiming that a maturing services market reflects the growing tendency amongst Indian enterprises to outsource their security requirements as well as management to specialist third-party service providers. Even the product vendors are opening up their services arms to take care of this growing outsourcing bonanza.

A series of Dataquest symposiums on Managing IT, across a few cities, involving interactions with a host of CIOs from different verticals, however, presented a different picture. While vendor claims about security services outsourcing in India Inc might not be outright fabrication, the reality seems to be that we have not yet touched the tip of the iceberg. In fact, most CIOs seem to be, at best, highly reticent about even considering outsourcing security services, if not outright rejecting such proposals.

That, however, indicates that the growing services market is still primarily constituted by the after-sales maintenance services offered by the product vendors rather than outsourcing security management. In light of this, it would not be wide of the mark to conclude that India Inc is still rather conservative in matters of security as compared to other arenas of IT where outsourcing is becoming a well-established trend. While outsourcing of IT infrastructure management has gained acceptance in India, the same cannot be said of the trend of enterprises letting a third-party service provider manage IT security.

The technology vertical constituted by the IT services and BPO companies seems to be the vanguard of the anti-outsourcing brigade on matters of security. On first appearance this sounds paradoxical; some might even accuse them of maintaining double standards, they themselves being the votaries of offshore outsourcing on the global front. However, it is this very nature of their business, involving offshore outsourcing from global enterprises, that prevents them from allowing their security management to go into the hands of third parties.

'As partners, we have to put security processes in place. But, beyond that, it is difficult to manage security, because there are no security-specific SLAs'
-Mathew Jacob, director,
iWire Network Design

Says M Gajapathy, CTO, Transworks, "Our overseas clients get jittery the moment they hear us planning to outsource our security management. And the concern is valid enough, as they fear their data can fall into untrustworthy hands." One cannot even accuse the global outsourcers of parochial short-sightedness here: in the absence of any data security and privacy laws, even BPOs themselves are on shaky ground, especially in light of recent cases of fraud; and if they further outsource security one level down, there can hardly be any guarantee of information asset protection.

"One of the critical parameters that our customers look at is how we manage security. So it is much better to control security in-house," adds Gajapathy. Mithis Chitnavis, AVP-IS, MphasiS, is in total agreement with Gajapathy. "During the selection of BPO service providers in India, our global clients conduct a rigorous due diligence to check whether all our processes are in place. And only when all their stringent process parameters are met satisfactorily, even more strict SLAs are drawn up that basically discourage further outsourcing," he informs.

So even if Indian BPO players like MphasiS or Transworks were to outsource security management to external parties, similar due diligence exercises would need to be carried out, with robust auditing of all the processes of the security SI. And as long as the Indian SIs are not conforming to the rigorous processes defined globally, there is little possibility of Indian BPOs looking at them to outsource their security requirements.

It is not only the BPOs; even IT services companies are rather conservative on the subject of security services outsourcing. Though they also share with BPOs the issue of SLAs with global clients because of the nature of their business, it is not the only determining factor preventing security outsourcing in their case. SLAs regarding processes are less stringent for IT services than BPOs, but even in the case of Wipro e-Peripherals, it is more the ready availability of in-house expertise that makes it keep security an internal function.

"Since IT is our core business we have the necessary skillsets and we would only opt for outsourcing in case the outsourced organization has the relevant expertise," adds Srinivas of WeP Peripherals. And it is not difficult to guess that again very few Indian security SIs would pass muster here. For managed service providers (MSPs) to mature to such an extent in their security offerings is still a long way off. Chitnavis has the last word: "We will consider outsourcing crucial processes like security only depending on how well our partners understand our business processes."

'Simply including everything in a box does not solve a CIO's problem. A box does not understand my business. It can neither infer vulnerabilities, nor analyze risks'
-Sridhar S, head-IT, Hutch

It is not only the IT/BPO players; even telcos are reticent about security outsourcing. Bharti, which has outsourced its entire IT infrastructure to IBM, is still an aberration. Argues Sridhar S, head-IT, Hutch, "Our core network is with the telecom department as they do not even trust the IT department for its maintenance. The IT team handles only the business support systems but since these are expanding at such a pace we need to outsource parts of it to third parties. Therefore, piecemeal security functions like network security or application security might get outsourced, but never the entire security management." Indian security SIs do have expertise in certain such areas, but they have not reached the maturity level where telcos can safely integrate third-party security services with their core network processes.

It is not that there are no exceptions. Providing a different viewpoint, Mukt Bihari, additional GM-IT, Indian Telephone Industries, opines that there is no point in enterprises outsourcing IT infrastructure minus security. Organizations like Rallis have outsourced their entire security processes. "The benefits are numerous, but the chief ones include minimal capital expenditure, reduced operational expenditures, established SLAs, freedom from platform and technology obsolescence, and the freedom of maintaining a round-the-clock expensive in-house support staff," feels Vikas Gadre, CIO, Rallis.

However, even banks, acknowledged universally as the most mature vertical in the automation lifecycle, are hesitant on total security outsourcing. Large banks like HDFC or ICICI have outsourced islands of processes, but most of the core components are still handled in-house. Rather, they have allocated expertise for security maintenance separate from their mundane IT functions: HDFC and even Punjab National Bank today indeed boast of Chief Security Officers (CSOs) separate from their regular CIOs. Even a new age bank like YES Bank flinches from going the whole hog. Says Ravi Shankar, Country Head, Direct Banking, YES Bank, "Ultimately security is tantamount to protecting the faith your customer has entrusted on you, and if outsourcing does not meet this criterion, it would be a futile exercise."

Notwithstanding such pronounced anti-outsourcing tendencies amongst Indian enterprises regarding security matters, opportunities still exist for SIs. Managed security service providers, feels Mathew Jacob, director, iWire Network Design, need to first understand the business processes of their clients and then conduct a proper risk analysis. "Currently most MSPs have no methodology, and think all threats or vulnerabilities are applicable to all businesses, in all cases, and therefore make the cardinal mistake of generalization," he opines.

'There are many security risks: leaving pen drives lying around with data, or leaving workstations with transaction screens open. People should be educated, to develop a proper security environment'
-Mithis Chitnavis,
AVP-IS, MphasiS

Agrees Jayachandran B, Head-IT, Gokuldas Exports, "Most SIs do not know how to measure the vulnerability in a particular organization and hence have no wherewithal to provide what that enterprise really requires."

Bottomline: MSPs need to ensure they have a proper framework to measure risk or vulnerability in each and every case and not follow a "one suits all" approach. Next, they should take cognizance of the business processes of their clients and work to empower the CIO and his team. These should ensure that SIs are also in a position to draw SLAs with their clients on security outsourcing where they too can guarantee the uptime of five 9s.

Indian enterprises are aggressively adopting new emerging security technologies.

CIO View: Outside the BFSI (financial services) community are a few scattered deployments. But emerging security technologies mostly remain in the realm of marketing-speak, as enterprises still grapple with developing a security framework.

Implementing emerging security technologies like biometrics, cyber forensics or complex encryption algorithms may sound glamorous, but ultimately these might not achieve anything unless they address specific requirements of individual enterprises. Rather than focusing on emerging technologies, the need of the hour, feels Chitnavis, is to concentrate on the social engineering aspect of security.

He cites the fraud case at his own organization, MphasiS in Pune, to drive home his argument. "Social engineering would ensure maintaining the basic proper security environment inside an organization like a paperless office. We do have features like biometrics, but it is not such technologies but proper social engineering instead that would ensure such frauds are not repeated." Agrees Gajapathy, "All BPO companies have taken the cue from the MphasiS experience. Enterprises might consider many technologies but the imperative is that users should understand the dos and don'ts of these."

The point is, even if an organization has a security policy in place and deploys technologies fitted around the policy, it has to see whether the processes are being strictly adhered to or implemented properly. Sridhar argues that a framework for security implementation helps, especially in the case of telcos. "We already have many of these new technologies in place, so it is more important for us to have a proper framework." Agrees RP Dhumasia, GM-IT, Great Eastern Shipping Company, "Security cannot be handled only with technology, but the basic need is how you educate your people in the organization."

Bottomline: Technologies come and go, but enterprises today are looking closely at the critical security threat of social engineering. "This is our biggest concern and we are focusing on how to reduce this," echo most CIOs.

Integrated security appliances are becoming the norm in Indian enterprises.

CIO View: They do have benefits and may become tomorrow's flavor. But CIOs are treading cautiously today, worried about becoming guinea-pigs.

It is true that some integrated appliances are being deployed, but it is still happening only in cases of entry-level products like anti-viruses and firewalls. Most CIOs are still looking carefully at integration, albeit with a twitch of suspicion. Gajapathy asserts that integrated appliances sometimes compromise some of the business processes. His recipe: decentralize processes or applications and have different levels of security in different layers and then you can think of deploying integrated appliances in the less crucial layers.

Many CIOs still prefer the multi-vendor best-of-breed approach: a single unified platform might lead to a single repository of information, leaving it open to all sorts of vulnerabilities. Jacob suggests that SOHOs can do well with an integrated approach as that would bring down both their capex and opex costs. In fact, even marketing pashas of vendors try to sell an integrated approach to vendors by highlighting the cost benefits, but smartly hide away the fact that vulnerability in that case can jeopardize the complete business. "We do not look at an integrated system because it makes the system vulnerable to attack. So we prefer a multi-vendor scenario," asserts Chitnavis.

Apart from costs, there are other benefits of integration too: a unified threat management solution prevents too many logs from being generated, which otherwise become too complicated to reconcile. "On the other hand, an integrated appliance is more manageable," asserts Jacob. However, Jayachandran warns that this will be possible only when enterprises develop a framework that supports all these multiple solutions integrated together.

The integrated vs best-of-breed debate takes an interesting turn in light of many network vendors like Cisco or Nortel today embedding security appliances or functionalities within their network devices. However, Sridhar derides this as a complete marketing gimmick aimed at increasing business for the vendors and serving no purpose for the CIOs and their organizations. "Network vendors seem to be in an inclusive mode. But they cannot include everything in a box. However, it would be good to have a security dashboard for alarms and alerts," he opines.

Bottomline: Network vendors show some security features embedded in their devices to CIOs as carrots. Once the organization gets hooked on to the particular vendor, they come up with some entirely new products which not only impact the capex but could also turn out to be a risky proposition for businesses.
