Keeping global consulting majors like Ernst & Young, Deloitte, PricewaterhouseCoopers and KPMG company are infotech companies (GTL's Global eSecure and HCL Comnet, to name just two), old economy companies (Miel e-Security of the Mukand group) and quality certification agencies like the Norwegian firm DNV. Also getting into the act are boutique companies of all sizes.

While certification companies verify compliance with and implementation of standards by companies, the consultants check the vulnerability of networks and advise companies on how the standards are to be implemented. A typical information security audit involves risk and vulnerability assessments of networks, checking the implementation of security policies and procedures as well as the effectiveness of those procedures through ethical hacking and other tests, identifying gaps and suggesting solutions. Some consultants provide patches and other security tools, while selling products is a no-no for others.

Estimates of the number of security consultants are hard to come by, but this niche area is definitely growing. "The pie is growing and there are many organisations jumping in," says Terry Thomas, partner, risk and business solutions practice, at Ernst & Young.

Consider the Delhi-based Coral e-Secure, the newest kid on the block. Its founder-CEO Probal Choudhuri, after some years in project management and business development in the IT industry, took up a BS 7799 certification course with the British Standards Institution (BSI). He then worked as a trainer with the BSI for two years, during which he realised the potential for consulting in this arena. In December 2003, he set up Coral eSecure and now has four people working with him.

In a somewhat different league is Sanjay Pandey, who worked with the Mumbai Police for 14 years before quitting to join TCS. In 2001 he set up iSec Services with the idea of providing IT security to industry.
The venture effectively started working only in 2002, and Pandey now has a team of 12 working in Delhi and Mumbai, and an office in west Asia.

Existing players are also expanding. Ernst & Young's own risk and business solutions practice has grown from around 10 people in the early 1990s to 100 dedicated IT security professionals now. What's more, the work profile has also changed tremendously. Starting with merely providing general IT audit, the practice has evolved to providing a range of technology risk and security-related services, with dedicated teams for banking and financial services, telecom and infotech (offshore development and IT enabled services, or ITES). In addition, it runs a research laboratory in Chennai from which it carries out ethical hacking work, and has clients for just this.

The Kuala Lumpur-headquartered Network Security Systems (NSS) started as a four-person venture in Pune in 2001. Set up by Jagdeep Kairon, a former Indian Army Special Services officer, and Scott Graham, a former Royal Air Force officer who was then working with risk management firm Hill & Associates, the company now has a consulting strength of 150 people and has offices in Singapore and Baltimore in the United States, apart from Delhi, Pune and Mumbai. Miel e-Secure, which forayed into the field in 1998, has increased its staff strength from four to 48.

Thomas lists three factors that are driving the growth of this industry: regulatory requirements in the West, especially in the banking and financial sectors; demands made by offshore development customers on their service providers; and an increase in general awareness about the need for information security. But the biggest growth propeller is undoubtedly the boom in the offshore development and IT enabled services (ITES) sectors.
These firms account for the bulk of the clientele of security auditors, though other industries like the financial sector, telecom and pharmaceuticals also provide a big chunk of business. And security concerns in India are still, the general consensus goes, almost entirely client-driven. Offshoring clients, which would earlier either hire IT security consultants abroad or send their own teams for security audits, are increasingly turning to Indian consultants (including the Indian arms of global consultants). It's working out to be far cheaper.

The pricing of contracts is complicated, depending on the complexity of the audit involved and the number and quality of people to be deployed. But, on average, while an American consultant's fee ranges between $100 and $250 an hour, Indian companies charge Rs 10,000-15,000 per manday. That's what some global consultants are also known to charge, their formidable brand names giving them an edge over other players. But it's a cutthroat world out there, with companies offering rock bottom rates to get business. Thomas says his company hasn't lost out significantly because of price undercutting, but there's this story about one contract where a global consultant quoted a fee of Rs 16 lakh and a large Indian company Rs 10 lakh. The contract was finally picked up by a small company for Rs 4 lakh. Of course, the project is said to have run into trouble soon after. Even global consultants are rumoured to cut prices just to win large contracts that could lead to a long-term relationship.

Apart from money, there's another reason offshoring companies prefer local auditors. "Audit practices are the same worldwide, but we understand the local culture better and our local presence helps when problems arise later in the course of implementing security measures," says Arun K Anand, senior general manager, operations, at NSS.
Incidentally, the information security space seems to be a natural playing ground for people with armed forces backgrounds. Apart from iSec's ex-cop Pandey, NSS's management team has 10 former army, navy and air force personnel. And the director and CEO of Mumbai-based Secure Synergy, Felix Mohan, was director of information technology in the navy. What Anand (a former Special Forces member) says of NSS could well apply to the others as well: "We understand security at its roots. We have a holistic picture of what security ought to be."

But does everyone? More worrisome than price undercutting is the fact that any number of 'friendly auditors' assure the companies they are auditing that they will take care of any 'delicate' issues that arise. Organisations tend to fall for this line, not realising that their own responsibility for the security of their systems does not diminish because an auditor has signed off, and that they could still be liable to legal action.

"One or two incidents of improper audits carried out by inexperienced auditors may affect the entire industry," says Sreeram Srinivasan of DNV, who rues the fact that a small incident in India gets blown out of proportion in the West. Tackling this won't be easy since, barring the brand equity of the larger players, the entry barriers to this business aren't very high. It doesn't require much capital, and there are courses to qualify as a Certified Information Systems Security Professional (CISSP), a Certified Information Security Manager (CISM) or a BS 7799 lead auditor.

Some fear that fly-by-night operators could kill a fledgling industry, but Thomas is less pessimistic. "They will perish after two nights," he says, "and won't cause more than a blip on the industry radar."