Security controls and practices in leading outsourcing locations such as India, China and Brazil are now as good as, if not better than, those in the U.S., according to a survey from PricewaterhouseCoopers (PwC).
The survey, conducted among more than 7000 C-level executives and security managers from 119 countries, shows that India in particular is making vast strides in its information security practices.
Gerard Verweij, a PwC partner and CIO of its advisory line of business, said: "The thing that stood out this year is the breadth and depth of the advance in India. In terms of overall security posture, India has outpaced the others."
More companies in India than in the U.S. reported having an enterprise-wide security strategy (72 percent as opposed to 65 percent). Similarly, about 77 percent of the Indian companies reported employing either a CSO or a CISO compared to only 52 percent of U.S. companies. And while 78 percent of the Indian respondents said they conduct annual risk assessments, just 6 in 10 companies in the U.S. do the same.
The gaps are even wider when the security practices in India are compared to those of companies in Europe and Australia.
Looking ahead, India appears poised to widen the gap, considering that 72 percent of the companies polled said they plan to boost security spending over the next 12 months, compared to fewer than 40 percent of companies in the U.S. that plan to do so.
Companies in China and Brazil also appear to have made significant gains. For example, 68 percent of Chinese companies reported having CISOs or CSOs, 74 percent said they do annual risk assessments and 61 percent plan to spend more on security over the next year. Meanwhile, on many of these same issues, Brazilian companies were tied with or only marginally behind U.S. companies.
However, another survey, from Cisco Systems Inc., shows that cultural differences and employee attitudes toward information security can sometimes pose big risks to corporate data overseas.
Among the issues Cisco cited is a greater tendency among employees in places such as India and China to sometimes share sensitive information with family and friends, change the security settings on their business PCs and use unapproved software and services on their work computers.
The Cisco report found that about 11 percent of end users in India almost never or only rarely adhere to corporate security policies, compared to about 4 percent in the U.S. Similarly, 77 percent of Chinese respondents said that their employees violated security policies because security is just not a major issue for them. In the U.S., that number was just 34 percent. And fewer companies in India and China than in the U.S. were likely to destroy company data that's no longer needed.
What the data suggests is that companies looking to outsource work overseas need to have policies in place that address such issues, said Fred Kost, director of security solutions at Cisco. "You need to be aware of the culture you are operating in and make sure you communicate your expectations," Kost said.