Gartner has warned companies that outsource to countries
like India and China not to overlook the impact of cultural
differences on security.
"India is seen as an answer when outsourcing applications but is
actually a problem in the security space," said Gartner's India
research vice-president Partha Iyengar.
Standards of privacy are often looser in India because, for
instance, reading someone else's e-mail would not be considered
much of an intrusion there, Iyengar said.
This more relaxed attitude toward privacy could have serious
consequences when it comes to protecting corporate data, experts
warned.
Companies that outsource operations overseas are advised to
train local staff to adhere to the company's global privacy
standards and to check into the risk of government interception of
sensitive confidential information.
"Fifty percent of companies understand that there are security
issues with offshoring, but the real issues are cultural, and in
compliance and regulation," said Lawrence Lerner, senior technical
architect of the Advanced Solutions Group at Cognizant Technology
Solutions.
Lerner said his company advises its clients to document its
processes when outsourcing and to get all parties involved to sign
off on procedures to ensure transparency. He also suggests
background checks on local staff.
As a result of the high demand from western companies looking to
cut costs some outsourcing service providers in India and China are
growing rapidly, hiring thousands of new employees in a month.
"When you are hiring 5,000 people at a time, you need to make sure
that they all adhere to the same standards," Lerner said.
RK Raghavan, consulting advisor on security at Tata Consultancy
Services, one of India's largest IT services companies, said that
his firm is feeling the effects of these client demands. "We are
bending over backward on security, primarily to cater to our US
customers," Raghavan said.
Tata has recently enhanced its background checks on potential
employees amid volume hiring and increased customer demands. It
used to require two references from each applicant as a security
measure, but did not ensure the applicant had no criminal
record.
Tata found that fingerprinting is considered offensive in the
Indian culture, Raghavan said, so it decided to outsource security
checks to the local police by requiring that applicants have an
Indian passport - this can only be acquired by passing vigorous
security checks conducted by law enforcement officials, Raghavan
said.
In addition to shoring up its own security checks, Tata has
worked to increase security awareness among staff through training,
according to Raghavan. "Employees need to think about security all
the time to be competitive," he said.
"We understand that India is still seen as a mythical place to
many people and we need to assure them that we can provide the same
kind of security as they are used to," Raghavan said.
But the differences between doing business at home and doing it
abroad should not be minimised, said Nigel Balchin, chief architect
at Dun & Bradstreet.
"We are all a little naive going in," Balchin said. One way of
ensuring that security and regulatory compliance concerns are met
is to put the onus on the outsourcing provider and write it into
the contract, he said. "It pays dividends to have the provider
responsible for these issues. For us it is a distraction from our
core business."
Lerner advises clients to take a more hands-on approach,
however. "You must physically go and check any outsource centre you
have. Do it regularly, and consider these centres as part of your
own company," Lerner said.
Scarlet Pruitt writes for IDG News Service