Companies who send software development work to India need to ensure that their vendors take holistic measures to protect data and aren't simply "checking the box" on security issues, Forrester Research warned this week.

Many Indian companies have bolstered their security controls and business continuity measures in recent years, Forrester said in a report. But the lack of executive support for security efforts, an over-reliance on technology controls and inadequate training and awareness undermine the effectiveness of such measures.

"Clients should push their suppliers to invest in people and training, demonstrate C-level commitment, and push government agencies for a better legal framework and judiciary reforms for timely prosecution," the report said.

Forrester analyst Sudhir Apte, who authored the report, said that many of the security measures in place appear designed to appease concerns more than anything else. "What I am seeing is most vendors are checking the box" on technology controls to address security threats and business continuity issues. "They view it as marketing collateral" while pitching their services.

As part of an effort to shore up customer comfort, the Indian government, industry trade association Nasscom and many Indian firms have taken steps to bolster security , Apte noted. For instance, many big Indian vendors have deployed international security standards such as BS 7799, pledged more transparency in their financial reporting standards and ramped up physical security to protect against terrorist disruptions such as the one that hit Mumbai in Dec. 2008. The BS7799 standard specifies a precise set of security controls for IT systems.

The Indian government, too, has played a role by passing the Information Technology Act and making it mandatory for every Indian IT company to have auditable data security programs. Nasscom's launching of the Data Security Council of India (DSCI) has also helped Indian IT services and BPO vendors improve security levels, the report said.

Apte quoted a survey by DSCI showing that almost all major IT services and BPO firms had appointed a chief security officer in the past two years and had robust disaster recovery and business continuity plans in place. Many Indian companies have also implemented end-point encryption technologies, governance tools and virtualization security.

The report praised India's "intention to emerge as a safe and secure location," but said the results are mixed.

One big issue continues to be an overemphasis on technology controls, achieving certifications and publishing policy statements, Apte said. The efforts appear designed to "showcase" security rather than coherently reduce threats. Key issues such as employee training and awareness are often completely ignored, and many companies have a casual approach toward access control and physical security.

Apte also noted a lack of executive support for security programs. According to him, many Indian CSOs reported being overlooked by higher-ups and of executive support being sporadic, at best. Security only gets attention when there is a breach or when an incident is reported in the media.