Tuesday, April 12, 2011
Indian Firms unable to realise the value of Security Professionals
“Security professionals stay hungry” is a frequent comment from independent security professionals and smaller Indian firms selling security services in the Indian market. There are two main reasons why this occurs: companies are not investing in security and, more significantly, buyers do not pay sufficiently for security services.
A good security professional has a thorough knowledge of both the domain (e.g. IT, networking, software development) and the related security specialization. Security consultants put a significant amount of research into enriching and updating their knowledge. For example, cloud is a new trend, and security consultants master both cloud technology and cloud security. For the same reason, a book-trained security/IT professional cannot provide the same quality of input on secure software development as a software professional who has specialized in security. Therefore good consultants command salary premiums over their IT counterparts.
The procurement process adopted by companies primarily relies on a tendering system to arrive at the best price. This system technically qualifies a group of security vendors, who then bid; the lowest price wins. Many vendors subcontract the project or use low-cost IT professionals with basic security training to win bids at low prices. Since technical qualification is done at the firm level and not on the basis of the actual team that delivers, this strategy succeeds in putting quality-conscious security vendors out of business. In India, most of the top security talent works for Indian outsourcing firms serving their global clients.
The second reason is the lack of regulatory compliance drivers and penalties that would motivate companies to actively invest in security. Security projects are taken up on the basis of acceptable use, lack budgets and are without time pressure. In-house IT staff take on the responsibility of security solution design and implementation, supported by vendors and auditors. While this approach may not be incorrect, it needs to be backed up by outsourced specialist services in security architecture, design and review to be successful. Security is a specialized activity requiring daily research, which enterprise IT and security operations staff may find difficult to do while addressing day-to-day priorities. In-house staff can, however, maintain and contribute significantly due to their knowledge of business operations.
Although I have cited the Indian example, it is a common problem the world over. Many organizations have spent more to redo failed security projects than they saved on the original purchase.