Security in Indian organisations is evolving at a rapid pace. No longer is security merely a line item in the overheads budget of Indian enterprises, nor is it a technical issue easily addressed by an off-the-shelf technology product, according to the Information Systems Security Survey, 2007-08, titled ‘From strength to strength’, conducted by the Indian Computer Emergency Response Team (CERT-In), Federation of Indian Chambers of Commerce and Industry (FICCI) and PricewaterhouseCoopers (PwC). More than 140 organisations from a broad range of industries took part in the survey.
The results of this year’s survey have been benchmarked with ‘The Global State of Information Security 2007’ study, conducted by CIO magazine, CSO magazine and PwC.
Indian enterprises have traditionally relied on technological controls for information security. Besides perimeter security, security of desktops, the source of a number of security breaches, has also assumed importance. In terms of employing technology safeguards, 91% of respondents indicated having data backup mechanisms in place.
There used to be significant gaps in the implementation of ‘people’ related controls. This scenario has improved in this survey as organisations have identified enhancement of security awareness as a top strategic priority. Today, more than 80% of the organisations focus on employee awareness programmes, as compared to 47%, as per global figures. Monitoring of employee use of the internet and information use is the latest trend, with more than 78% of the organisations focusing on this, as compared to the global figure of 48%. India Inc. is also increasingly hiring specialised security staff. 51% of the organisations in India, as against 32% globally, have employed Chief Information Security Officers.
“It is encouraging to see that Indian organisations have moved faster than their global counterparts in establishing processes for conducting periodic security audits and in having information security strategy in place,” says Sivarama Krishnan, executive director in the information security practice of PwC. “We expect this to continue as majority of the organisations have plans to increase their security spending by double digits.”
Unlike the trends shown in previous surveys, it is also encouraging to note that a smaller percentage of organisations have suffered security breaches, with viruses being the single largest source of breach (68%). “Indian enterprises can avoid security breaches further if they develop and implement an effective information security strategy and framework,” says Dr. Gulshan Rai, Director of CERT-In. “An essential component of this framework is to view security as a strategic initiative and not as a cost centre.”
However, there is a flip side too. While almost 83% of the organisations were found to have a business continuity/disaster recovery plan, 90% of these organisations do not conduct regular testing of their plans. “In the event of a service disruption or disaster, these organisations might not be able to effectively resume their operations,” says Dr. Amit Mitra, Secretary General, FICCI. “Organisations need to re-look at their BCP/DRP strategies in a holistic manner to ensure effective recovery in the event of a disaster.”
Indian organisations today are facing increasing compliance obligations and are exposed to reputation risks. While they are increasingly becoming aware of the regulatory requirement, a lot remains to be done in terms of achieving compliance. “Organisations in India must realise that there are significant advantages in achieving compliance,” says Dr. Rai. “It can result in more cost-effective processes and ensure top management support.”
Lack of dedicated resources and adequate training are identified as the primary barriers for strengthening information security in India. “This clearly establishes the requirement of universities and colleges to come up with specialised training courses, so that information security professionals are equipped with necessary know-how and knowledge,” adds Dr. Mitra. “This is amiss at this point of time.”
The industry-wise analysis has revealed interesting results. The ITeS segment has gained the leadership position instead of the financial services sector, which has traditionally been at the top in terms of having security that is more effective. More than 83% of Financial Services and ITeS organisations justify their security investments on grounds of protecting customer information. “Organisations in the ITeS segment have implemented security that goes far beyond what is practised in the West. For example, BPO agents are required to surrender everything which could facilitate data compromise like mobile phones, PDAs, pens and notebooks,” concludes Sivarama Krishnan.