Companies who send software development work to India need to ensure that their vendors take holistic measures to protect data and aren't simply "checking the box" on security issues, Forrester Research warned this week.

Many Indian companies have bolstered their security controls and business continuity measures in recent years, Forrester said in a report. But the lack of executive support for security efforts, an over-reliance on technology controls and inadequate training and awareness undermine the effectiveness of such measures.

"Clients should push their suppliers to invest in people and training, demonstrate C-level commitment, and push government agencies for a better legal framework and judiciary reforms for timely prosecution," the report said.

Forrester analyst Sudhir Apte, who authored the report, said that many of the security measures in place appear designed to appease concerns more than anything else. "What I am seeing is most vendors are checking the box" on technology controls to address security threats and business continuity issues. "They view it as marketing collateral" while pitching their services.

As part of an effort to shore up customer comfort, the Indian government, industry trade association Nasscom and many Indian firms have taken steps to bolster security, Apte noted. For instance, many big Indian vendors have deployed international security standards such as BS 7799, pledged more transparency in their financial reporting standards and ramped up physical security to protect against terrorist disruptions such as the one that hit Mumbai in December 2008. The BS7799 standard specifies a precise set of security controls for IT systems.

The Indian government, too, has played a role by passing the Information Technology Act and making it mandatory for every Indian IT company to have auditable data security programs. Nasscom's launching of the Data Security Council of India (DSCI) has also helped Indian IT services and BPO vendors improve security levels, the report said.

Apte quoted a survey by DSCI showing that almost all major IT services and BPO firms had appointed a chief security officer in the past two years and had robust disaster recovery and business continuity plans in place. Many Indian companies have also implemented end-point encryption technologies, governance tools and virtualisation security.

The report praised India's "intention to emerge as a safe and secure location," but said the results are mixed.

One big issue continues to be an overemphasis on technology controls, achieving certifications and publishing policy statements, Apte said. The efforts appear designed to "showcase" security rather than coherently reduce threats. Key issues such as employee training and awareness are often completely ignored, and many companies have a casual approach toward access control and physical security.

Apte also noted a lack of executive support for security programs. According to him, many Indian CSOs reported being overlooked by higher-ups and of executive support being sporadic, at best. Security only gets attention when there is a breach or when an incident is reported in the media.

Contributing to the situation is the fact that many U.S. companies outsourcing jobs to India pay little attention to security; The biggest focus of offshore evaluation teams is often on the rates that can be negotiated, especially on IT services jobs. "Clients are more sensitive in the BPO world," he said.

Jonathan Gossels, president of SystemExperts said that most major Indian firms are "fully capable of best-in-class security practices." But US clients need to "clearly articulate their security expectations." Because customers haven't known what to ask for, or have not been specific about their expectations, security tends to fall through the cracks.

"From my experience, leading companies are very responsive to the market. If their customers are demanding better security proactively, they respond," Gossels said.

Apte offered several recommendations for US companies that outsource to India. For instance, sourcing professionals need to ensure that their contracts cover not just information security threats but also risks from terrorist attacks and natural disasters.

Companies also need to ensure that vendors not only have remote disaster recovery facilities but also the skilled staff to man them. And companies need to push their vendors to participate in initiatives such as the DSCI, the report said.