Locked and Bolted?

Security outsourcing is a really hot trend today.

CIO View: Largely in sales presentations. Yes, routine security maintenance
services are growing. But big-time security management outsourcing is a long way

Research analysts, consultants and, most importantly, the security vendors
have been saying vehemently for quite some time that the Indian security market
is gradually evolving towards the services model. The 2004-05 numbers do indeed
justify their prognostication: the security services market had grown by 74% to
reach Rs 157 crore. Contrast this with the Rs 203 crore security products market,
which had grown by 35% over the same period. Nothing could better illustrate the
apparent shift harped on by the vendors.

‘Implementing a security solution is like locking your house. It is meant to keep honest people honest. Rogues will anyway somehow break into your systems’
-M Gajapathy
CTO, Transworks

So far, so good. However, many vendors, and even some consultants, are
venturing further and claiming that a maturing services market reflects the
growing tendency amongst Indian enterprises to outsource their security
requirements as well as management to specialist third-party service providers.
Even the product vendors are opening up their services arms to take care of this
growing outsourcing bonanza.

A series of Dataquest symposiums on Managing IT, held across a few cities and
involving interactions with a host of CIOs from different verticals, however,
presented a different picture. While vendor claims about security services
outsourcing in India Inc might not be an outright fabrication, the reality seems
to be that we have not yet touched the tip of the iceberg. In fact, most CIOs
seem to be, at best, highly reticent about even considering outsourcing security
services, if not outright rejecting such proposals.

This indicates that the growing services market is still primarily
constituted by the after-sales maintenance services offered by the product
vendors rather than by outsourced security management. In light of this, it would
not be wide of the mark to conclude that India Inc is still rather conservative
in matters of security compared to other arenas of IT where outsourcing is
becoming a well-established trend. While outsourcing of IT infrastructure
management has gained acceptance in India, the same cannot be said of the trend
of enterprises letting a third-party service provider manage IT security.

The technology vertical constituted by the IT services and BPO companies seems
to be the vanguard of the anti-outsourcing brigade on matters of security. On
first appearance this sounds paradoxical; some might even accuse them of
maintaining double standards, they themselves being the votaries of offshore
outsourcing on the global front. However, it is the very nature of their
business, involving offshore outsourcing from global enterprises, that prevents
them from allowing their security management to go to the hands of

‘As partners, we have to put security processes in place. But, beyond that, it is difficult to manage security, because there are no security-specific SLAs’
-Mathew Jacob, director,
iWire Network Design

Says M Gajapathy, CTO, Transworks, “Our overseas clients get jittery the
moment they hear us planning to outsource our security management. And the
concern is valid enough, as they fear their data can fall into untrustworthy
hands.” One cannot even accuse the global outsourcers of parochial
short-sightedness here: in the absence of any data security and privacy laws,
even BPOs themselves are on shaky ground, especially in light of recent cases
of fraud; and if they further outsource security one level down, there can
hardly be any guarantee of information asset protection.

“One of the critical parameters that our customers look at is how we
manage security. So it is much better to control security in-house,” adds
Gajapathy. Mithis Chitnavis, AVP-IS, MphasiS, is in total agreement with
Gajapathy. “During the selection of BPO service providers in India, our
global clients conduct a rigorous due diligence to check whether all our
processes are in place. And only when all their stringent process parameters are
met satisfactorily, even stricter SLAs are drawn up that basically discourage
further outsourcing,” he informs.

So even if Indian BPO players like MphasiS or Transworks were to
outsource security management to external parties, similar due diligence
exercises would need to be carried out, with robust auditing of all the processes
of the security SI. And until Indian SIs conform to the rigorous processes
defined globally, there is little possibility of Indian BPOs looking at them to
outsource their security requirements.

It is not only the BPOs; even IT services companies are rather conservative
on the subject of security services outsourcing. Though they share with BPOs the
issue of SLAs with global clients because of the nature of their business, it is
not the only factor preventing security outsourcing in their case. SLAs
regarding processes are less stringent for IT services than for BPOs, but even in
the case of Wipro e-Peripherals, it is more the ready availability of in-house
expertise that makes it keep security an internal function.

“Since IT is our core business we have the necessary skillsets, and we
would only opt for outsourcing in case the outsourced organization has the
relevant expertise,” adds Srinivas of WeP Peripherals. And it is not
difficult to guess that, again, very few Indian security SIs would pass muster
here. Even for managed service providers (MSPs) to mature to such an extent in
their security offerings is a long way off. Chitnavis has the last word:
“We will consider outsourcing crucial processes like security only
depending on how well our partners understand our business processes.”

‘Simply including everything in a box does not solve a CIO’s problem. A box does not understand my business. It can neither infer vulnerabilities, nor analyze risks’
-Sridhar S, head-IT, Hutch

It is not only the IT/BPO players; even telcos are reticent about security
outsourcing. Bharti, which has outsourced its entire IT infrastructure to IBM, is
still an aberration. Argues Sridhar S, head-IT, Hutch, “Our core network is
with the telecom department as they do not even trust the IT department for its
maintenance. The IT team handles only the business support systems but since
these are expanding at such a pace we need to outsource parts of it to third
parties. Therefore, piecemeal security functions like network security or
application security might get outsourced, but never the entire security
management.” Indian security SIs do have expertise in certain such areas,
but they have not reached the maturity level where telcos can safely integrate
third-party security services with their core network processes.

That is not to say there are no exceptions. Providing a different viewpoint,
Mukt Bihari, additional GM-IT, Indian Telephone Industries, opines that there is
no point in enterprises outsourcing IT infrastructure minus security.
Organizations like Rallis have outsourced their entire security processes.
outside. “The benefits are numerous, but the chief ones include minimal
capital expenditure, reduced operational expenditures, established SLAs, freedom
from platform and technology obsolescence, and the freedom of maintaining a
round-the-clock expensive in-house support staff,” feels Vikas Gadre, CIO,

However, even banks, acknowledged universally as the most mature vertical in
the automation lifecycle, are hesitant about total security outsourcing. Large
banks like HDFC or ICICI have outsourced islands of processes, but most of the
core components are still handled in-house. Rather, they have separated the
expertise for security maintenance from their mundane IT functions: HDFC and
even Punjab National Bank today boast Chief Security Officers (CSOs) separate
from their regular CIOs. Even a new-age bank like YES Bank flinches from
going the whole hog. Says Ravi Shankar, Country Head, Direct Banking, YES Bank,
“Ultimately security is tantamount to protecting the faith your customer
has entrusted to you, and if outsourcing does not meet this criterion, it would
be a futile exercise.”

Notwithstanding such pronounced anti-outsourcing tendencies amongst Indian
enterprises regarding security matters, opportunities still exist for SIs.
Managed security service providers, feels Mathew Jacob, director, iWire Network
Design, need to first understand the business processes of their clients and
then conduct a proper risk analysis. “Currently most MSPs have no
methodology, and think all threats or vulnerabilities are applicable to all
businesses, in all cases, and therefore make the cardinal mistake of
generalization,” he opines.

‘There are many security risks: leaving pen drives lying around with data, or leaving workstations with transaction screens open. People should be educated, to develop a proper security environment’
-Mithis Chitnavis,
AVP-IS, MphasiS

Agrees Jayachandran B, Head-IT, Gokuldas Exports, “Most SIs do not know
how to measure the vulnerability in a particular organization and hence have no
wherewithal to provide what that enterprise really requires.”

Bottomline: MSPs need to ensure they have a proper framework to measure risk
or vulnerability in each and every case and not follow a “one size fits
all” approach. Next, they should take cognizance of the business processes
of their clients and work to empower the CIO and his team. This should ensure
that SIs are also in a position to draw up SLAs with their clients on security
outsourcing in which they too can guarantee the uptime of five 9s.

Indian enterprises are aggressively adopting new emerging security

CIO View: Outside the BFSI (financial services) community there are a few scattered
deployments. But emerging security technologies mostly remain in the realm of
marketing-speak, as enterprises still grapple with developing a security

Implementing emerging security technologies like biometrics, cyber forensics
or complex encryption algorithms may sound glamorous, but ultimately these might
not achieve anything unless they address specific requirements of individual
enterprises. Rather than focusing on emerging technologies, the need of the
hour, feels Chitnavis, is to concentrate on the social engineering aspect of

He cites the fraud case at his own organization, MphasiS in Pune, to
drive home his argument. “Social engineering would ensure maintaining the
basic proper security environment inside an organization like a paperless
office. We do have features like biometrics, but not such technologies but
proper social engineering instead that would ensure such frauds are not
repeated.” Agrees Gajapathy, “All BPO companies have taken the cue
from the MphasiS experience. Enterprises might consider many technologies but
the imperative is that users should understand the dos and don’ts of

The point is, even if an organization has a security policy in place and
deploys technologies fitted around the policy, it still has to check whether the
processes are being strictly adhered to and implemented properly. Sridhar argues
that a framework for security implementation helps, especially in the case of
telcos. “We already have many of these new technologies in place, so it is
more important for us to have a proper framework.” Agrees RP Dhumasia,
GM-IT, Great Eastern Shipping Company, “Security cannot be handled only
with technology, but the basic need is how you educate your people in the

Bottomline: Technologies come and go, but enterprises today are looking
closely at the critical security threat of social engineering. “This is our
biggest concern and we are focusing on how to reduce this,” echo most CIOs.

Integrated security appliances are becoming the norm in Indian enterprises.

CIO View: They do have benefits and may become tomorrow’s flavor. But CIOs
are treading cautiously today, worried about becoming guinea pigs.

It is true that some integrated appliances are being deployed, but it is still
happening only in the case of entry-level products like antivirus and firewalls.
Most CIOs are still looking carefully at integration, albeit with a twitch of
suspicion. Gajapathy asserts that integrated appliances sometimes compromise some
of the business processes. His recipe: decentralize processes or applications,
have different levels of security in different layers, and only then think of
deploying integrated appliances in the less crucial layers.

Many CIOs still prefer the multi-vendor best-of-breed approach: a single
unified platform might lead to a single repository of information, leaving it
open to all sorts of vulnerabilities. Jacob suggests that SOHOs can do well with
an integrated approach as that would bring down both their capex and opex costs.
In fact, even the marketing pashas of vendors try to sell an integrated approach
to enterprises by highlighting the cost benefits, but smartly hide the fact that
a vulnerability in that case can jeopardize the complete business. “We do not
look at an integrated system because it makes the system vulnerable to attack.
So we prefer a multi-vendor scenario,” asserts Chitnavis.

Apart from costs, there are other benefits of integration too: a unified
threat management solution prevents too many logs from being generated, which
otherwise become too complicated to reconcile. “On the other hand, an
integrated appliance is more manageable,” asserts Jacob. However,
Jayachandran warns that this will be possible only when enterprises develop a
framework that supports all these multiple solutions integrated together.

The integrated vs best-of-breed debate takes an interesting turn in light of
many network vendors like Cisco or Nortel today embedding security appliances or
functionalities within their network devices. However, Sridhar derides this as a
complete marketing gimmick aimed at increasing business for the vendors and
serving no purpose for the CIOs and their organizations. “Network vendors
seem to be in an inclusive mode. But they cannot include everything in a box.
However it would be good to have a security dashboard for alarms and
alerts,” he opines.

Bottomline: Network vendors show some security features embedded in their
devices to CIOs as carrots. Once the organization gets hooked on to the
particular vendor, they come up with some entirely new products which not only
impact the capex but could also turn out to be a risky proposition for

Rajneesh De

