Nasscom’s new Data Security Watchdog: it has bark, will it have bite?

It seems Nasscom is trying to address the information security perception problem in India by creating a new Data Security Watchdog (as reported in CIO India).

The National Association of Software and Services Companies (Nasscom) is setting up a watchdog organization that will focus on the introduction and monitoring of best data security and privacy practices in the country's IT services, call center and business process outsourcing industries. The move is one of several measures by Nasscom and the IT industry to strengthen data security and privacy in the Indian call center and BPO industries.

"We are planning a self-regulatory organization (SRO) that will be initially set up by Nasscom, but will operate independently with an independent chief executive officer and board," said Sunil Mehta, vice president of Nasscom in Delhi.

"Being a member of the SRO will in effect be a certification, as member companies will have to follow the best practices specified by the SRO," he said.

Besides setting benchmarks and training companies on the best data protection and data privacy practices, the new organization will also have the authority to punish and expel erring member companies

The SRO will be funded for one year by Nasscom, which has budgeted Rs 1.35 crore for the purpose. After the first year, the SRO is expected to finance itself from membership, training, and audit fees.

This sounds like a great idea, especially as this organization can become a forum for sharing information security best practices. I have been impressed by the information security and fraud detection methodologies used by some Indian vendors and if they start helping each other they can improve even more rapidly. I am a firm believer in incentives, and here I think the outsourcing vendors’ incentives are properly aligned: When one Indian outsourcer has an information security or fraud problem, every Indian outsourcing vendor suffers from the negative press. Japanese manufacturers helped each other build the “made in Japan = quality” perception, Indian outsourcing firms have to do likewise.

I am however not sanguine about the incentives for the enforcement component of this watchdog. After the first year, the watchdog will be funded by the dues paid by its membership and the only way for it to punish a member would be to “expel” the “erring member” and thus lose their “membership, training, and audit fees.” This sounds like classic incentive misalignment. I hope that the Nasscom leadership will address this problem before the organization goes live. Perhaps the organization could be funded by the outsourcing customers instead? Rs 1.35 crore (approximately $300,000) split among even thirty large outsourcing customers sounds like a very good investment. If that $10,000 a year helps them avoid a single information security breach, or more likely a PR headache, it would be money well-spent.