When outsourcing, don't forget security, experts say

Companies often forget about cultural differences that may affect security

When it comes to outsourcing IT operations to countries such as India and China, companies often focus on slashing costs and gaining productivity but fail to take into account cultural differences that may affect their security, according to experts attending the Gartner IT Security Summit in London today.

"India is seen as an answer when outsourcing applications but is actually a problem in the security space," said Gartner India research vice president Partha Iyengar while moderating a panel on offshoring security.

At issue is not so much the security that outsourcing service providers use to protect companies' systems -- such as firewalls and data backup -- as it is the cultural differences, Iyengar said. For instance, standards of privacy are often looser in India because it's a close-knit society where, say, reading someone else's e-mail wouldn't be considered much of an intrusion, Iyengar said.

This more relaxed attitude toward privacy could have serious consequences when it comes to protecting corporate data, experts on the panel warned. Companies that outsource operations overseas are advised to train local staff to adhere to the company's global privacy standards and to check into the risk of government interception of sensitive confidential information.

"Fifty percent of companies understand that there are security issues with offshoring, but the real issues are cultural and in compliance and regulation," said Lawrence Lerner, senior technical architect of the Advanced Solutions Group at Cognizant Technology Solutions Corp.

Lerner said his company advises its clients to document its processes when outsourcing and get all parties involved to sign off on procedures to ensure transparency. He also suggests performing background checks on local staff.

As a result of high demand by Western companies looking to reduce costs, some outsourcing service providers in India and China are growing rapidly, hiring thousands of new employees in a month."When you are hiring 5,000 people at a time, you need to make sure that they all adhere to the same standards," Lerner said.

R.K. Raghavan, consulting adviser on security at Tata Consultancy Services Ltd., one of India's largest IT services companies, said his firm is feeling the effects of these client demands. "We are bending over backward on security, primarily to cater to our U.S. customers, which are a huge part of our market," Raghavan said.

Tata has recently changed the way in which it performs background checks on potential employees amid volume hiring and increased customer demands.

Previously, the company required two references from each applicant as a security measure but did not ensure that the applicant had no criminal record. Furthermore, the company found that fingerprinting is considered offensive in the Indian culture, Raghavan said. Finally, Tata decided to outsource security checks to the local police by requiring that applicants have an Indian passport, which can be acquired only by passing vigorous security checks by law enforcement officials, Raghavan said.

In addition to shoring up its own security checks, Tata has worked to increase security awareness among staff through training, according to Raghavan. "Employees need to think about security all the time to be competitive," he said.

As it turns out, so do the outsourcing providers. "We understand that India is still seen as a mythical place to many people, and we need to assure them that we can provide the same kind of security as they are used to," Raghavan said.

But even with the added assurances being given by outsourcing providers, the differences between doing business at home and doing it abroad can't be minimized, said Nigel Balchin, chief architect at Short Hills, N.J.-based The Dun & Bradstreet Corp. "We are all a little naive going in," Balchin said.

One way of ensuring that security and regulatory compliance concerns are met is by putting the onus on the outsourcing provider and writing it into the contract, he said. "It pays dividends to have the provider responsible for these issues," Balchin said. "For us, it's a distraction from our core business."

Cognizant's Lerner advises clients to take a more hands-on approach, however. "You must physically go and check any outsource center you have," Lerner said. "Do it regularly, and consider these centers as part of your own company."

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon