Interview with Balazs Fejes, CTO of EPAM Systems
by Mirko Zorz - HNS Chief Editor - Tuesday, 16 January 2007.
And of course you need to have a large enough and powerful enough dedicated staff who audit our compliance with our security policies and procedures, beyond having regular external audits too, from an ISO27k or SAS70 standpoint.

With outsourcing becoming very popular, has your strategic focus changed from previous years?

Yes, it changed. By becoming popular, outsourcing made certain technologies and services a commodity, so to be on the edge and to be able to deliver value-added services, we had to move our technology, process and services focus, and address subjects such as:
  • SLA based services
  • Agile Processes
  • Web 2.0
  • Service Oriented Architecture
  • Open Source Component Usage/Open Source Licensing issues
  • IP Protection
  • Security Concerns

What advice would you give to a company interested in outsourcing some of its workload but worried about security compliance laws?

Beyond just following the standard advice of formulating your security requirements and including them in your due-diligence questionnaire and in the contract, go beyond that. Include the possibility of auditing the security regularly at the provider's premises, request IDS (Intruder Detection System) installation and have its logs sent to you regularly, require usage of source code scanning software to detect IP rights infringements, and select your outsourcing destination based on your regulatory and compliance requirements. Outsourcing to the EU and inside NATO, for example, provides a much higher level of regulatory and security compliance than outsourcing to India, for example; this is one of the reasons EPAM follows a geo-diverse growth strategy, to be able to serve our clients in the jurisdictions/geographies which best suit their needs.

And before starting the first engagement, go and look for yourself and do the first audit; everything looks perfect on PowerPoint.

Don't forget about business continuity and disaster recovery: look at and ask for records of DR testing, and check infrastructure availability statistics and records (electricity, internet connectivity and availability, phone availability, server availability).

What are your clients most worried about?

In the last 6 to 12 months, clients have been getting more worried about staff turnover and security, mostly because of their experience with India, where staff turnover has reached a critical level, compared to less than 10%, which EPAM has maintained over the last 5 years.

What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.
