|
|
|
|
| Read more articles on: |
|
|
 |
|
Rajneesh De
Security outsourcing is a really hot trend today.
CIO View: Largely in sales presentations. Yes, routine security maintenance services are growing. But big time security management outsourcing is a long way off.
Research analysts, consultants and, most importantly, the security vendors, have been talking vehemently for quite some time that the Indian security market is gradually evolving towards the services model. The 2004-05 numbers do indeed justify their prognostication-the security services market had grown by 74% to reach Rs 157 crore. Contrast this with the Rs 203 crore security products market that had grown by 35% at the same time. Nothing could better illustrate the apparent shift harped about by the vendors.
So far, so good. However, many vendors, and even some consultants, are venturing further and claiming that a maturing services market reflects the growing tendency amongst Indian enterprises to outsource their security requirements as well as management to specialist third-party service providers. Even the product vendors are opening up their services arms to take care of this growing outsourcing bonanza.
A series of Dataquest symposiums on Managing IT, across few cities, involving interactions with a host of CIOs from different verticals, however, presented a different picture. While vendor claims about security services outsourcing in India Inc might not be outright fabrication, the reality seems to be that we have not yet touched the tip of the iceberg. In fact, most CIOs seem to be, at best, highly reticent about even considering outsourcing security services, if not outright rejecting such proposals.
That, however, indicates that the growing services market is still primarily constituted by the after-sales maintenance services offered by the product vendors rather than outsourcing security management. In light of this, it would not be wide off the mark to conclude that India Inc is still rather conservative in matters of security as compared to other arenas of IT where outsourcing is becoming a well-established trend. While outsourcing of IT infrastructure management has gained acceptance in India, the same cannot be said on the trend of enterprises letting a third party service provider manage IT security.
The technology vertical constituted by the IT services and BPO companies seem to be the vanguard of the anti-outsourcing brigade on matters of security. On first appearance this sounds paradoxical; some might even accuse them of maintaining double standards, they themselves being the votaries of offshore outsourcing on the global front. However, it is this very nature of their business, involving offshore outsourcing from global enterprises, that prevent them from allowing their security management to go to the hands of third-parties.
Says M Gajapathy, CTO, Transworks "Our overseas clients get jittery the moment they hear us planning to outsource our security management. And the concern is valid enough, as they fear their data can fall into untrustworthy hands." One cannot even accuse the global outsourcers of parochial short-sightedness here: in the absence of any data security and privacy laws, even BPOs themselves are on shaky grounds, especially in light of recent cases of fraud; and if they further outsource security one level down, there can hardly be any guarantee of information asset protection.
"One of the critical parameters that our customers look at is how we manage security. So it is much better to control security in-house," adds Gajapathy. Mithis Chitnavis, AVP-IS, MphasiS is in total agreement with Gajapathy. "During the selection of BPO service providers in India, our global clients conduct a 'rigorous due diligence to check whether all our processes are in place. And only when all their stringent process parameters are met satisfactorily, even more strict SLAs are drawn up that basically discourage further outsourcing," he informs.
So even in the case that Indian BPO players like MphasiS or Transworks outsource security management to external parties, similar due diligence exercises need to be carried out with robust auditing of all the processes of the security SI. And till such time, the Indian SIs are not conforming to the rigorous processes defined globally, there is little possibility of Indian BPOs looking at them to outsource their security requirements.
It is not only the BPOs, even IT services companies are rather conservative on the subject of security services outsourcing. Though they also share with BPOs the issue of SLAs with global clients because of their nature of business, it is not the only determining factor preventing security outsourcing in their cases. SLAs regarding processes are less stringent for IT services than BPOs, but even in the case of Wipro e-Peripherals, it is more the ready availability of in-house expertise that makes it keep security an internal function.
"Since IT is our core business we have the necessary skillsets and we would only opt for outsourcing in case the outsourced organization has the relevant expertise," adds Srinivas of WeP Peripherals. And it is not difficult to guess that again very few Indian security SIs would pass muster here. Even for managed service providers (MSPs) to mature to such extent on their security offerings is a long way off. Chitnavis has the last word: "We will consider outsourcing crucial processes like security only depending on how well our partners understand our business processes.
It is not only the IT/BPO players, even telcos are reticent about security outsourcing; Bharti, that has outsourced its entire IT infrastructure to IBM, is still an aberration. Argues Sridhar S, head-IT, Hutch, "Our core network is with the telecom department as they do not even trust the IT department for its maintenance. The IT team handles only the business support systems but since these are expanding at such a pace we need to outsource parts of it to third parties. Therefore, piecemeal security functions like network security or application security might get outsourced, but never the entire security management." Indian security SIs do have expertise on certain such areas, but they have not reached the maturity level where telcos can safely integrate third-party security services with their core network processes.
It is not that exceptions are not there. Providing a different viewpoint, Mukt Bihari, additional GM-IT, Indian Telephone Industries, opines that there is no point in enterprises outsourcing IT infrastructure minus security. Organizations like Rallis have outsourced their entire security processes outside. "The benefits are numerous, but the chief ones include minimal capital expenditure, reduced operational expenditures, established SLAs, freedom from platform and technology obsolescence, and the freedom of maintaining a round-the-clock expensive in-house support staff," feels Vikas Gadre, CIO, Rallis.
However, even banks, acknowledged universally as the most mature vertical in the automation lifecycle, are hesitant on total security outsourcing. Large banks like HDFC or ICICI have outsourced islands of processes, but most of the core components are still handled in-house. Rather, they have allocated separate expertise for security maintenance from their mundane IT functions-HDFC and even Punjab National Bank today indeed boast of separate Chief Security Officers (CSOs) from their regular CIOs. Even a new age bank like YES Bank flinches from going the whole hog. Says Ravi Shankar, Country Head, Direct Banking, YES Bank, "Ultimately security is tantamount to protecting the faith your customer has entrusted on you, and if outsourcing does not meet this criterion, it would be a futile exercise."
Notwithstanding such pronounced anti-outsourcing tendencies amongst Indian enterprises regarding security matters, opportunities still exist for SIs. Managed security service providers, feels Mathew Jacob, director, iWire Network Design, need to first understand the business processes of their clients and then conduct a proper risk analysis. "Currently most MSPs have no methodology, and think all threats or vulnerabilities are applicable to all businesses, in all cases, and therefore make the cardinal mistake of generalization," he opines.
Agrees Jayachandran B, Head-IT, Gokuldas Exports, "Most SIs do not know how to measure the vulnerability in a particular organization and, hence have no wherewithal to provide what that enterprise really requires."
Bottomline: MSPs need to ensure they have a proper framework to measure risk or vulnerability in each and every case and not follow a "one suits all" approach. Next, they should take cognizance of the business processes of their clients and work to empower the CIO and his team. These should ensure that SIs are also in a position to draw SLAs with their clients on security outsourcing where they too can guarantee the uptime of five 9s.
|