Key security issues in offshoring
Failure to address security concerns could, he warns, force a rethink about the very concept of offshoring these activities.
On a scale of low to high risk, India ranks medium, with its risk potential high in only three out of 11 counts: enforcement of privacy laws, patent laws and enforcement and enforcement of copyrights.
That's far better than China, Russia, the Philippines and the Baltic countries, all in the high risk category. The National Association of Software and Service Companies (Nasscom), too, claims that the Indian information security environment benchmarks with the best globally and that several Indian laws provide adequate safeguards.
Agrees Nilesh Kothari, HeroITES' vice-president, business development and finance: "International clients seek the same level of information security from Indian vendors as their international vendors."
Indeed, most Indian BPO firms have gone in for BS 7799 certification (which has 10 parameters) and some have also opted for the stringent SAS 70 reporting tool, where an independent auditor issues an extremely detailed report which has to be signed by an American partner as well. Chandiramani says details of security measures are written into contracts, including issues like how employee checks and referrals are done, how physical security is ensured, and the configuration and monitoring of equipment and the moving of machines within the office.
Regular client audits are common. At HeroITES, such reviews take place sometimes every quarter when six to 12 representatives of the client fan out across the office. Companies are also appointing Indian agencies to conduct security audits on their behalf.
Some of HeroITES' clients insist that even staff not connected to their processes walking past their process area should not be able to see what is happening, forcing the company to erect tall ground glass partitions.
The company also signs all contracts as being enforceable in the client's countries, to give them higher comfort levels, a common practice in the BPO industry.
A better legal environment in India could reduce the onus on companies, says Chandiramani, but the pressure may not entirely disappear. Laws may exist on paper (though they are not on a par with those in clients' countries), but non-existent enforcement mechanisms and dilatory court cases make a mockery of these.
The fact remains, points out Iyengar, that Indian companies, while being liable themselves, are unable to proceed against rogue employees who have quit. Security checks and employee referrals practices are also not as robust as in the West, though HeroITES is among those companies that hire private agencies to do background checks of employees.
The company also has a 12-member security council which regularly reviews policies, shares best practices and reviews even minor incidents like an agent taking a cellphone into the work area.
Security breaches occur even abroad but incidents in countries like India are blown out of proportion and feed into the backlash in the West. However, Chandiramani feels some of the concerns are real.
Nasscom may gloat over Indian industry's robust security practices but the fact remains that there is a lower sensitivity to security issues generally.
Ernst & Young's annual Global Information Security Survey, 2003, points out that though 92 per cent of the Indian companies polled said information security was of high importance for achieving business objectives, only 28 per cent had complied with security-driven regulations.
Indian organisations also cited the lack of formal information security management processes or written policies as their main hurdle. "The framework with which western companies operate is quite different," says Iyengar.
Right now, Indian companies aren't losing out on business because of the less than perfect security scenario. But there's little room for complacency. Warns Iyengar: "The bigger hurdle for India now is skill-based but once companies clear this hurdle, they will hit the security issue."
Companies will then, he says, have to do things like rotating employees across processes every six months and compartmentalising information in such a way that no one gets the full picture.
This will, he admits, push up costs but companies will have to measure this against the increased opportunity cost of likely security breaches.
Ultimately, there's no getting away from the country-level issues being addressed. Though Nasscom has been driving a lot of regulatory changes and laws are coming into place, progress, says Chandiramani, is not up to the speed that international clients would like it to be. Is someone in the information technology ministry listening?