Indian organisations fare better than global organisations in Information System Security

[Snake08]

Security in Indian organisations is evolving at a rapid pace. No longer is security merely a line item in the overheads budget of Indian enterprises, nor is it a technical issue easily addressed by an off-the-shelf technology product, according to the Information Systems Security Survey,2007-08 titled ‘From strength to strength’, conducted by the Indian Computer Emergency Response Team (CERT-In), Federation of Indian Chambers of Commerce and Industry (FICCI) and PricewaterhouseCoopers (PwC). More than 140 organisations from a broad range of industries took part in the survey.

The results of this year’s survey have been benchmarked with ‘The Global State of Information Security 2007’ study, conducted by CIO magazine, CSO magazine and PwC.

Indian enterprises have traditionally relied on technological controls for information security. Besides perimeter security, security of desktops, the source of a number of security breaches, has also assumed importance. In terms of employing technology safeguards, 91% of respondents indicated having data backup mechanisms in place.

There used to be significant gaps in the implementation of ‘people’ related controls. This scenario has improved in this survey as organisations have identified enhancement of security awareness as a top strategic priority. Today, more than 80% of the organisations focus on employee awareness programmes, as compared to 47%, as per global figures. Monitoring of employee use of the internet and information use is the latest trend, with more than 78% of the organisations focusing on this, as compared to the global figure of 48%. India Inc. is also increasingly hiring specialised security staff. 51% of the organisations in India, as against 32% globally, have employed Chief Information Security Officers.

”It is encouraging to see that Indian organisations have moved faster than their global counterparts in establishing processes for conducting periodic security audits and in having information security strategy in place,” says Sivarama Krishnan, executive director in the information security practice of PwC. “We expect this to continue as majority of the organisations have plans to increase their security spending by double digits”.

Unlike the trends shown in previous surveys, it is also encouraging to note that a lesser percentage of organisations have suffered security breaches, with viruses being the single largest source of breach (68%). “Indian enterprises can avoid security breaches further if they develop and implement an effective information security strategy and framework.” says Dr. Gulshan Rai, Director of CERT-In. An essential component of this framework is to view security as a strategic initiative and not as a cost centre.”

However, there is a flip side too. While, almost 83% of the organisations were found to have a business continuity/disaster recovery plan, 90% of these organisations do not conduct regular testing of their plans. “In the event of a service disruption or disaster, these organisations might not be able to effectively resume their operations,” says Dr. Amit Mitra, Secretary General, FICCI. “Organisations need to re-look at their BCP/DRP strategies in a holistic manner to ensure effective recovery in the event of a disaster”.

Indian organisations today are facing increasing compliance obligations and are exposed to reputation risks. While they are increasingly becoming aware of the regulatory requirement; however a lot remains to be done in terms of achieving compliance. “Organisations in India must realise that there are significant advantages in achieving compliance,” says Dr. Rai. “It can result in more cost-effective processes and ensure top management support.”

Lack of dedicated resources and adequate training are identified as the primary barriers for strengthening information security in India. “This clearly establishes the requirement of universities and colleges to come up with specialised training courses, so that information security professionals are equipped with necessary know-how and knowledge,” adds Dr. Mitra. “This is amiss at this point of time.”

The industry-wise analysis has revealed interesting results. The ITeS segment has gained the leadership position instead of the financial services sector, which has traditionally been at the top in terms of having security that is more effective. More than 83% of Financial Services and ITeS organisations justify their security investments on grounds of protecting customer information. “Organisations in the ITeS segment have implemented security that goes far beyond in what is practised in the West. For example, BPO agents are required to surrender everything which could facilitate data compromise like mobile phones, PDA’s, pens and notebooks,” concludes Sivarama Krishnan.

[Steve123]

PricewaterhouseCoopers Pvt. Ltd. provides industry - focused tax and advisory services to build public trust and enhance value for its clients and their stakeholders. PwC professionals work collaboratively using connected thinking to develop fresh perspectives and practical advice. Complementing our depth of industry expertise and breadth of skills is our sound knowledge of the local business environment in India. PricewaterhouseCoopers is committed to working with our clients to deliver the solutions that help them take on the challenges of the ever-changing business environment.

PwC has offices in Ahmedabad, Bangalore, Bhubaneshwar, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai, and Pune.

“PricewaterhouseCoopers”, a registered trademark, refers to PricewaterhouseCoopers Private Limited (a limited company in India) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.

The name PricewaterhouseCoopers is one word, with uppercase P, uppercase C, and all other letters in lower case.

[Steve123]

PricewaterhouseCoopers' business advisory professionals provide clients with the confidence to succeed by helping them anticipate, create and manage change. Whether clients are proactively implementing change or reacting to an unplanned event, we leverage our Firm's resources, deep industry experience, and functional acumen across the areas of operations, finance, organizational strategy and structure, process improvement, human resources optimization, technology integration and implementation, risk mitigation and crisis management to help organizations effect sustainable change.

[Steve123]

The Federation of Indian Chambers of Commerce and Industry (FICCI), set up in 1927 is the largest and oldest apex business organisation of Indian business. With a nationwide membership of over 1500 corporates and over 500 chambers of commerce, FICCI espouses Indian businesses and speaks directly and indirectly for over 2,50,000 business units. FICCI maintains the lead as the proactive business solutions provider through research, interactions at the highest political level and global networking.

FICCI organises a large number of exhibitions, conferences, seminars and business meets for promoting business.

[Steve123]

The Indian Computer Emergency Response Team (CERT-In) is a national initiative to tackle emerging challenges in the area of information security and country level security risks and vulnerabilities. CERT-In is coordinated by the Department of Information Technology, Ministry of Communication and Information Technology, Government of India in cooperation with several agencies in the Government, Academia and Industry. The mission of CERT-In is to enhance the security of India’s communications and information infrastructure through proactive action and effective collaboration.

The activities at CERT-In are the joint efforts within its partner network. In all of its endeavours, CERT-In depends on its system, network and staff, but most importantly, as professional, CERT-In depends on each other, and that’s why information sharing is one key word for achieving success in its endeavours.

The motto is to build trusted relationship right across the various sectors and enhance this work by conducting our own research and actively looking for problems before they arise.