The Global State of Information Security 2006
II. The Wild, Wild East
India lags far behind the rest of the world in instituting even the most basic information security practices and tools. With the subcontinent claiming status as the outsourcing partner of choice for the biggest IT powerhouses in the world (49 percent of all offshore outsourcing implementations are located in India, with up to 90 percent of worldwide outsourcing revenue going to India, according to Duke University and Ciber/Archstone Consulting), these findings should be a source of considerable concern.
The widespread absence of even the most routine security tools (patch management, content filters and access control software) and policies (secure disposal of hardware, business continuity plans, setting security baselines for outside business partners) has left many Indian companies vulnerable to serious attack and the inevitable financial losses that follow. Extortion, fraud and intellectual property theft occurred last year at one in every five or six Indian companies—rates that are double and even quadruple those of the rest of the world. Nearly one in three Indian organizations suffered some financial loss because of a cyberattack last year, compared with one out of five worldwide and one out of eight in the United States. "You cannot take information security for granted in India," PwC’s Lobel warns.
While the survey does not identify companies by name, and most likely does not represent the security practices and levels of the popular Indian outsourcing companies, Lobel suggests taking a cautious tack before jumping into an outsourcing relationship. The first step companies should take when considering outsourcing work to India is to verify that an India-based unit’s security processes and policies are of the same caliber as those of its U.S. unit.
Second, Lobel suggests conducting a risk assessment of the Indian unit’s security practices. Even if an Indian organization says that it follows a familiar, specific security practice, don’t presume the organization defines the practice the same way that you do. "Conducting background checks may mean something entirely different in India than it does here," Lobel points out. Find out exactly what the practice involves.
Indian security officials have their work cut out for them, but they do say they plan to work to harden information security. Indian organizations lead their foreign counterparts (sometimes by a significant amount) in deploying new security measures and policies. And they’re not just tactical. A substantially larger percentage of Indian companies (nearly double the rate worldwide) reported plans to hire a C-level security executive this year. Whether the Indian organizations are able to follow through and begin to reduce the security gap is something that should show up in the 2007 survey. Stay tuned.



