Tuesday, April 12, 2011

Indian Firms unable to realise the value of Security Professionals

“Security professionals stay hungry” is a frequent comment from independent security professionals and smaller Indian firms selling security services in the Indian market. There are two main reasons for this: companies are not investing in security, and, more often, buyers do not pay sufficiently for security services.
A good security professional has a thorough knowledge of both the domain (e.g. IT, networking, software development) and the related security specialization. Security consultants put a significant amount of research into enriching and updating their knowledge. For example, cloud is a new trend, and security consultants master both cloud technology and cloud security. For the same reason, a book-trained security/IT professional cannot provide the same quality of input in secure software development as a software professional who has specialized in security. Therefore good consultants command salary premiums over their IT counterparts.
The procurement process adopted by companies relies primarily on a tendering system to arrive at the best price. This system technically qualifies a group of security vendors, who then bid; the lowest price wins. Many vendors subcontract the project or use low-cost IT professionals with basic security training to win bids at low prices. Since technical qualification is done at the firm level and not on the basis of the actual team that delivers, this strategy succeeds in putting quality-conscious security vendors out of business. In India, most of the top security talent works for Indian outsourcing firms serving their global clients.
The second reason is the lack of regulatory compliance drivers and penalties that would motivate companies to actively invest in security. Security projects are taken up on the basis of acceptable use, lack budgets, and are without time pressure. In-house IT staff take on the responsibility of security solution design and implementation, supported by vendors and auditors. While this approach is not necessarily incorrect, to succeed it needs to be backed by outsourced specialist services in security architecture, design and review. Security is a specialized activity requiring daily research, which enterprise IT and security operations staff may find difficult to do while addressing day-to-day priorities. In-house staff can, however, maintain the solution and contribute significantly because of their knowledge of business operations.
Although I have cited the Indian example, it is a common problem the world over. Many organizations have spent more to redo failed security projects.

  1. I think the cloud concept is just another flavour of outsourcing. There is not enough ground work done in this domain. We have already implemented a few cloud components from our end. Some applications like email, backup and also video streaming seem to work. Lucius, I think you are doing a good job educating the public on this topic. Keep it up.

  2. My experience is that security compliance is driven mostly by regulatory requirements - if you are in fear of an auditor finding something, you're going to place more emphasis on hiring a security professional who can help you make sure that the auditor will not find much if anything. That being said, what sorts of federal or industry mandated security controls must your clients comply with, and what are the consequences if they are found out of compliance? The punishment (fines, theft/destruction of data, damaged reputation) must hurt more than the solution (hiring infosec professionals who prevent fines, theft, and damaged reputation from occurring).

    The degree to which security controls are implemented is a risk management exercise. Can I afford to hire the expertise to do it? Or should I take my chances, do nothing, and hope that I don't get into trouble (either in an audit or through a breach), or, if I do get into trouble, that it will cost less than doing things right in the first place?