
Locked and bolted?

CIOL Bureau

CIO View: Largely in sales presentations. Yes, routine security maintenance services are growing. But big-time security management outsourcing is a long way off.


Research analysts, consultants and, most importantly, the security vendors have been talking vehemently for quite some time that the Indian security market is gradually evolving towards the services model. The 2004-05 numbers do indeed justify their prognostication: the security services market had grown by 74% to reach Rs 157 crore. Contrast this with the Rs 203 crore security products market, which had grown by 35% at the same time. Nothing could better illustrate the apparent shift harped on by the vendors.

So far, so good. However, many vendors, and even some consultants, are venturing further and claiming that a maturing services market reflects the growing tendency amongst Indian enterprises to outsource their security requirements as well as management to specialist third-party service providers. Even the product vendors are opening up their services arms to take care of this growing outsourcing bonanza.

A series of Dataquest symposiums on Managing IT, across a few cities, involving interactions with a host of CIOs from different verticals, however, presented a different picture. While vendor claims about security services outsourcing in India Inc might not be outright fabrication, the reality seems to be that we have not yet touched the tip of the iceberg. In fact, most CIOs seem to be, at best, highly reticent about even considering outsourcing security services, if not outright rejecting such proposals.

That, however, indicates that the growing services market is still primarily constituted by the after-sales maintenance services offered by the product vendors rather than by outsourced security management. In light of this, it would not be wide of the mark to conclude that India Inc is still rather conservative in matters of security as compared to other arenas of IT, where outsourcing is becoming a well-established trend. While outsourcing of IT infrastructure management has gained acceptance in India, the same cannot be said of the trend of enterprises letting a third-party service provider manage IT security.


The technology vertical constituted by the IT services and BPO companies seems to be the vanguard of the anti-outsourcing brigade on matters of security. On first appearance this sounds paradoxical; some might even accuse them of maintaining double standards, they themselves being the votaries of offshore outsourcing on the global front. However, it is this very nature of their business, involving offshore outsourcing from global enterprises, that prevents them from allowing their security management to go into the hands of third parties.

'Implementing a security solution is like locking your house. It is meant to keep honest people honest. Rogues will anyway somehow break into your systems'

-M Gajapathy, CTO, Transworks

Says M Gajapathy, CTO, Transworks, "Our overseas clients get jittery the moment they hear us planning to outsource our security management. And the concern is valid enough, as they fear their data can fall into untrustworthy hands." One cannot even accuse the global outsourcers of parochial short-sightedness here: in the absence of any data security and privacy laws, even BPOs themselves are on shaky ground, especially in light of recent cases of fraud; and if they further outsource security one level down, there can hardly be any guarantee of information asset protection.


"One of the critical parameters that our customers look at is how we manage security. So it is much better to control security in-house," adds Gajapathy. Mithis Chitnavis, AVP-IS, MphasiS, is in total agreement with Gajapathy. "During the selection of BPO service providers in India, our global clients conduct a rigorous due diligence to check whether all our processes are in place. And only when all their stringent process parameters are met satisfactorily, even more strict SLAs are drawn up that basically discourage further outsourcing," he informs.

So even if Indian BPO players like MphasiS or Transworks were to outsource security management to external parties, similar due diligence exercises would need to be carried out, with robust auditing of all the processes of the security SI. And until Indian SIs conform to the rigorous processes defined globally, there is little possibility of Indian BPOs looking to them to outsource their security requirements.

It is not only the BPOs; even IT services companies are rather conservative on the subject of security services outsourcing. Though they share with BPOs the issue of SLAs with global clients because of the nature of their business, it is not the only factor preventing security outsourcing in their case. SLAs regarding processes are less stringent for IT services than for BPOs, but even in the case of Wipro e-Peripherals, it is more the ready availability of in-house expertise that makes it keep security an internal function.


"Since IT is our core business we have the necessary skillsets and we would only opt for outsourcing in case the outsourced organization has the relevant expertise," adds Srinivas of WeP Peripherals. And it is not difficult to guess that again very few Indian security SIs would pass muster here. Even for managed service providers (MSPs) to mature to such an extent on their security offerings is a long way off. Chitnavis has the last word: "We will consider outsourcing crucial processes like security only depending on how well our partners understand our business processes."

'Simply including everything in a box does not solve a CIO's problem. A box does not understand my business. It can neither infer vulnerabilities, nor analyze risks'

-Sridhar S, head-IT, Hutch

It is not only the IT/BPO players; even telcos are reticent about security outsourcing. Bharti, which has outsourced its entire IT infrastructure to IBM, is still an aberration. Argues Sridhar S, head-IT, Hutch, "Our core network is with the telecom department as they do not even trust the IT department for its maintenance. The IT team handles only the business support systems but since these are expanding at such a pace we need to outsource parts of it to third parties. Therefore, piecemeal security functions like network security or application security might get outsourced, but never the entire security management." Indian security SIs do have expertise in certain such areas, but they have not reached the maturity level where telcos can safely integrate third-party security services with their core network processes.


That is not to say there are no exceptions. Providing a different viewpoint, Mukt Bihari, additional GM-IT, Indian Telephone Industries, opines that there is no point in enterprises outsourcing IT infrastructure minus security. Organizations like Rallis have outsourced their entire security processes. "The benefits are numerous, but the chief ones include minimal capital expenditure, reduced operational expenditures, established SLAs, freedom from platform and technology obsolescence, and freedom from maintaining a round-the-clock expensive in-house support staff," feels Vikas Gadre, CIO, Rallis.

However, even banks, acknowledged universally as the most mature vertical in the automation lifecycle, are hesitant about total security outsourcing. Large banks like HDFC or ICICI have outsourced islands of processes, but most of the core components are still handled in-house. Rather, they have separated security expertise from their mundane IT functions: HDFC and even Punjab National Bank today boast of separate Chief Security Officers (CSOs) distinct from their regular CIOs. Even a new-age bank like YES Bank flinches from going the whole hog. Says Ravi Shankar, Country Head, Direct Banking, YES Bank, "Ultimately security is tantamount to protecting the faith your customer has entrusted in you, and if outsourcing does not meet this criterion, it would be a futile exercise."

'As partners, we have to put security processes in place. But, beyond that, it is difficult to manage security, because there are no security-specific SLAs'

-Mathew Jacob, director, iWire Network Design

Notwithstanding such pronounced anti-outsourcing tendencies amongst Indian enterprises in security matters, opportunities still exist for SIs. Managed security service providers, feels Mathew Jacob, director, iWire Network Design, need to first understand the business processes of their clients and then conduct a proper risk analysis. "Currently most MSPs have no methodology, and think all threats or vulnerabilities are applicable to all businesses, in all cases, and therefore make the cardinal mistake of generalization," he opines.

Agrees Jayachandran B, Head-IT, Gokuldas Exports, "Most SIs do not know how to measure the vulnerability in a particular organization and, hence, have no wherewithal to provide what that enterprise really requires."

Bottomline: MSPs need to ensure they have a proper framework to measure risk or vulnerability in each and every case and not follow a "one suits all" approach. Next, they should take cognizance of the business processes of their clients and work to empower the CIO and his team. This should ensure that SIs are also in a position to draw up SLAs with their clients on security outsourcing, where they too can guarantee the uptime of five 9s.


Indian enterprises are aggressively adopting new emerging security technologies.

CIO View: Outside the BFSI (financial services) community there are a few scattered deployments. But emerging security technologies mostly remain in the realm of marketing-speak, as enterprises still grapple with developing a security framework.

Implementing emerging security technologies like biometrics, cyber forensics or complex encryption algorithms may sound glamorous, but ultimately these might not achieve anything unless they address the specific requirements of individual enterprises. Rather than focusing on emerging technologies, the need of the hour, feels Chitnavis, is to concentrate on the social engineering aspect of security.

He illustrates with the fraud case in his own organization, MphasiS in Pune, to drive home his argument. "Social engineering would ensure maintaining the basic proper security environment inside an organization, like a paperless office. We do have features like biometrics, but it is not such technologies but proper social engineering instead that would ensure such frauds are not repeated." Agrees Gajapathy, "All BPO companies have taken the cue from the MphasiS experience. Enterprises might consider many technologies but the imperative is that users should understand the dos and don'ts of these."

The point is, even if an organization has a security policy in place and deploys technologies fitted around the policy, it has to see whether the processes are being strictly adhered to or implemented properly. Sridhar argues that a framework for security implementation helps, especially in the case of telcos. "We already have many of these new technologies in place, so it is more important for us to have a proper framework." Agrees RP Dhumasia, GM-IT, Great Eastern Shipping Company, "Security cannot be handled only with technology; the basic need is how you educate your people in the organization."

Bottomline: Technologies come and go, but enterprises today are looking closely at the critical security threat of social engineering. "This is our biggest concern and we are focusing on how to reduce this," echo most CIOs.

Integrated security appliances are becoming the norm in Indian enterprises.

CIO View: They do have benefits and may become tomorrow's flavor. But CIOs are treading cautiously today, worried about becoming guinea-pigs.

It is true that some integrated appliances are being deployed, but it is still happening only in the case of entry-level products like anti-viruses and firewalls. Most CIOs are still looking carefully at integration, albeit with a twitch of suspicion. Gajapathy asserts that integrated appliances sometimes compromise some of the business processes. His recipe: decentralize processes or applications and have different levels of security in different layers, and then you can think of deploying integrated appliances in the less crucial layers.

Many CIOs still prefer the multi-vendor best-of-breed approach: a single unified platform might lead to a single repository of information, leaving it open to all sorts of vulnerabilities. Jacob suggests that SOHOs can do well with an integrated approach as that would bring down both their capex and opex costs. In fact, even the marketing pashas of vendors try to sell an integrated approach to vendors by highlighting the cost benefits, but smartly hide away the fact that a vulnerability in that case can jeopardize the complete business. "We do not look at an integrated system because it makes the system vulnerable to attack. So we prefer a multi-vendor scenario," asserts Chitnavis.

Apart from costs, there are other benefits of integration too: a unified threat management solution prevents too many logs from being generated, which otherwise become too complicated to reconcile. "On the other hand, an integrated appliance is more manageable," asserts Jacob. However, Jayachandran warns that this will be possible only when enterprises develop a framework that supports all these multiple solutions integrated together.

The integrated vs best-of-breed debate takes an interesting turn in light of many network vendors like Cisco or Nortel today embedding security appliances or functionalities within their network devices. However, Sridhar derides this as a complete marketing gimmick aimed at increasing business for the vendors and serving no purpose for the CIOs and their organizations. "Network vendors seem to be in an inclusive mode. But they cannot include everything in a box. However, it would be good to have a security dashboard for alarms and alerts," he opines.

Bottomline: Network vendors show some security features embedded in their devices to CIOs as carrots. Once the organization gets hooked on to the particular vendor, they come up with some entirely new products which not only impact the capex but could also turn out to be a risky proposition for businesses.
