Indian CIOs Want Stringent Security from Outsourcers

July 20th, 2011 by Rahul Jain

Kahlil Gibran, a renowned poet and artist in the 19th Century, said: “If you reveal your secrets to the wind, you should not blame it for revealing them to the trees.” But what if the wind promises to be an efficient, better and cost-effective way of managing your business? Like outsourcing?

When it comes to sensitive corporate information, an enterprise’s concerns regarding data leakage are not misplaced. Nor are these concerns new.

But with security breaches dotting headlines globally, trusting an outsourcing provider’s security capabilities is going to get difficult. Consider this: A 2010 Deloitte report on global security says that only 23 percent of enterprises in India (and 32 percent globally) were comfortable with the information security practices of their outsourcing vendor.

This is evident from the security measures that CIOs from client organizations are demanding from their outsourcers.

“Although in a typical IT outsourcing model, the management and access of core data is always restricted to internal employees. But today, organizations want to put additional security controls and safeguards to ensure an extra layer of security around their infrastructure,” says Prasun Roy Burman, global head-Information Security Services, HCL Technologies.

While some want to increase security controls, others want expert advice. CIOs aren’t leaving anything to chance. “Earlier, our clients used to enquire about the kind of standards we follow. Now, before the deal is offered to us, they are bringing third party security expert consultants to do a due diligence on us and our existing processes,” says Prashanth Maranayakanahalli, CTO at Firstsource.

Third-party consultants apart, Indian organizations today are increasingly keeping themselves abreast of international security and auditing standards, like Statement on Auditing Standards (SAS70), over and above their baseline security certifications such as ISO 27001. SAS70 is an auditing statement followed globally by service organizations. It provides guidance to service auditors performing an internal controls assessment of a service organization.

Also, new technologies are at the top of their list of worries when it comes to the security of outsourced data. For example, despite a slightly more favorable response to cloud computing compared to a year ago, CIOs are still wary of data co-location on the cloud. “Even in the traditional infrastructures, some clients still ask us for a complete physically segregated network as they don’t want to take any chances,” says Firstsource’s Prashanth.

Technical requirements notwithstanding, client organizations are emphasizing the screening of employees at the outsourcer’s end: the employees who are the privileged users of their data.

A 2011 Data Security Council of India (DSCI) study on insider threat reveals that all client organizations have mandated service providers to conduct background checks of their employees. In turn, vendor organizations are exploring new and innovative methods for employee screening, such as social networking and credit card history checks.

India’s new data privacy rules aren’t making life any easier for outsourcers. The good news is that CIOs are increasingly taking a closer look at security. After all, it’s a risk putting an organization’s reputation at stake, and no one wants to take it.

Source: http://www.cio.in/news/indian-cios-want-stringent-security-outsourcers-149062011