Business Opportunities: Data Security & Privacy in BPO Industry
Over time, the Indian BPO Industry has withstood significant customer and regulatory scrutiny, and has been able to demonstrate that it is able to embrace data security and privacy governance processes that are required as a minimum baseline for providing outsourcing services in a high trust mode.
KPMG and the Data Security Council of India (DSCI) jointly conducted a survey, in association with CERT-In, to assess the current state of data security and privacy practices adopted by the Indian BPO industry and to gain insights into how the industry is addressing security and privacy concerns.
As part of this initiative, organizations were surveyed with the following objectives:
- Positioning of data security and privacy in BPO organizations – analysing the Chief Information Security Officer's (CISO) role and the tasks performed by the security organisation
- Maturity and characteristics of key security disciplines such as ‘Threat & Vulnerability Management’ and ‘Incident Management’ in the wake of rising data breaches globally
- Level of perceived risks in different Lines of Service (e.g. Customer Interaction and Support, Payroll, Finance & Accounting, etc.)
- Managing risks arising from clients’ environments
- Mechanisms adopted for conducting employee background screening
- Strategic options adopted by BPO organizations for Business Continuity and Disaster Recovery management
- Impact of IT (Amendment) Act, 2008 on the industry
- Evolution of physical security and its integration with data security
Dr. Kamlesh Bajaj, CEO, DSCI, said, “I am pleased to state that the detailed and in-depth survey this year has resulted in findings that are insightful and can help organizations benchmark their practices. It is encouraging to see that security leaders are getting increasingly involved in strategic business decision making, thereby reflecting the recognition of security as a business enabler. It is also heartening to see the increased level of maturity in the area of privacy as a significant number of surveyed organizations have reported presence of a dedicated privacy function.”
The survey study outcomes have been broadly categorized to understand aspects relating to –
- Drivers and maturity of data security and privacy,
- Information security governance in the organization,
- Risks relating to client environment and third party,
- Tracking regulatory requirements and its compliance, and
- Internal process robustness
Mr. Akhilesh Tuteja, Executive Director, KPMG, said, “During the initial years of BPO industry’s growth phase, organizations have gone through intense rigor of customer audits, which helped organizations develop stronger level of information protection preparedness. The survey highlights that while the industry participants have developed comprehensive frameworks for addressing the information security concerns, the aspects relating to privacy haven’t matured as much.”
Organizations have begun to focus on data privacy to address rising concerns about the data of their clients’ end customers. This focus is also tied to concern for their brand image and a wish to avoid bad publicity in the media. The study indicates that organizations are maturing in their ability to distinguish operational security tasks from strategic ones, thus freeing the CISO’s time for strategic activities. Further, organizations are bridging gaps in security skills by engaging external consultants for specialized security tasks.
Adoption of a ‘Third Party Risk Assessment Framework’ is increasing, and organizations are conducting Vendor Risk Management exercises for their service providers to mitigate third-party risks.
The study further reveals that organizations continue to consider regulatory requirements as a primary driver for their investments. However, the implications of ITAA 2008 are gradually being realized. Although Indian BPO organizations are taking steps to stay updated on new threats, there is a need to have more collaboration within the industry (with peers) to stay ahead of these threats.
As the industry grows robustly through this interplay of internal and external factors, over the next few years it would set standards on data security and privacy for other industry verticals to follow.
Akhilesh also added that, “This survey should act as a useful guide for senior executives of BPO companies in formulating their future positions and will be a good tool for many CISOs in developing business cases for comprehensive information security programs.”
KPMG is the global network of professional services firms of KPMG International. KPMG member firms provide audit, tax and advisory services through industry focused, talented professionals, who deliver value for the benefit of their clients and communities.
KPMG in India has offices in Mumbai, Delhi, Bangalore, Chennai, Hyderabad, Kolkata, Pune, Chandigarh and Kochi and services over 5,000 international and national clients. The firms in India have access to more than 5000 Indian and expatriate professionals.