Indian CISOs need to re-engineer outsourcing for security

CISOs need to re-engineer their organization's current outsourcing process to better ensure the security of data with service providers, according to Forrester

CISOs need to re-engineer their organization's outsourcing process to better ensure the security of data with service providers, according to Forrester.

Indian businesses are increasing spending on IT services. Analyst company Pierre Audoin Consultants (PAC) expects the Indian IT services market to grow by 14% in 2013, compared with 2012. At the same time, India’s IT services suppliers are targeting the market as spending in the US and UK slows.

But there are questions over the security of India’s IT service providers, so Indian CISOs and CIOs must ensure data is safe before outsourcing.

“Outsourcing IT functions has many benefits, but when there are gaps in security and something goes wrong, it can have a serious impact on business. For example, in early 2013, authorities discovered a $45m case of ATM fraud in which hackers breached the computer systems of two payment processing companies in India and compromised the account details of pre-paid card account customers of two banks, one in the UAE and the other in Oman,’ said Manatosh Das, security and risk analyst at Forrester.

“Although Indian software service providers claim high standards, it is apparent that there are still weaknesses in their delivery. The main culprits are a lack of executive commitment, poor application coding, and the industrialization of software development,” he added.

Das said poor application coding persists despite lessons learned, with more than two-thirds of applications containing cross-site scripting vulnerabilities, half failing to validate input strings thoroughly, and nearly a third have the potential to fall foul of SQL injection (SQLi) attacks.

He said although most of the service firms’ leadership teams mean well, few appear to grasp the true potential for security breaches at their customers, the implications of those breaches, and the part that the outsourced partner must play in preventing them.

Das also described how development on an industrial scale can put clients at risk. “The traditional outsourcing model, which is architected primarily to reduce cost, is too narrow to accommodate expanding security, risk management, and compliance requirements,” he said.

KK Krishnakumar Natarajan, chairman at Nasscom, which represents Indian IT services firms, said through the Data Security Council of India (DSCI) the IT services industry is playing its part in improving security in India.

“Nasscom is actively involved in supporting the government’s cyber security policy through our sister organization DSCI, which is Nasscom funded.

Read more on IT risk management