September 11, Code Red, and the NIMDA attack have been great levelers for
Corporate India as far as their security ramp up is concerned. India Inc is now
going full throttle ahead–in fact almost at the same pace and at times much
faster than its global counterparts–in protecting its mission-critical
information assets.
According to the recently released CII-PwC Information Systems Security
Survey 2002-03, the percentage of Indian businesses that reacted to the
increased threat by substantially hiking their security budgets during the year
was much higher than the global average. As compared to 46% globally
(Information Research Global Security Survey 2001), 74% of the Indian companies
increased their security budgets over the previous year, with only 6% deciding
to decrease them. Also, while 85% of respondents–as compared to 88% globally–have
taken steps to protect their network, the role of security consultants has
gained more importance, with 48% of the organizations using their expertise. This
is much higher than the global 17%. During the period, Indian organizations also
focused on the people issue for security management, with end user awareness
(54%, compared to 30% globally), and training security staff (28%, compared to
28% globally) gaining importance.
The investment trend
Despite insufficient budgets being touted as the biggest barrier for
effective security management in the country, 82% of this year’s respondents
have indicated that they plan to invest in enhancing their network security.
While 57% of the companies plan to embark upon the creation of secure network
architecture to protect their wired world, 60% plan to block unauthorized
access. "This," according to the report, "is generally in tune with the
global trends."
The security survey report also indicates that Indian companies are looking
ahead to strengthen network security during this fiscal. Responding to the
question that allowed multiple responses, on what the tactical security
priorities would be, 49% of companies indicated that they plan to enhance network
security by improving the OS, whereas 42% talked about improvements in
application security. Security audits were another hot area, with 62% of companies
showing willingness to go for them. The most noticeable increase over 2000-01 in
security priority comes in the use of intrusion detection tools–up from 18% to
39%, and in implementing penetration testing, also known as ethical hacking–from
8% to 25%.
Another global trend for business, according to the report, has been a
sustained move towards outsourcing. This approach enables organizations to focus
on their core competencies while outsourcing areas like IT management to
professionals. The survey indicates that outsourcing of security is the new
mantra for India Inc. While 16% of the respondents said they are planning to
outsource firewall and intrusion detection monitoring, 12% revealed that they
plan to outsource security staff.
Another 19% said they intend to establish a policy for outsourced
application. The driver for increased outsourcing, the report adds, could be the
non-availability of in-house skills.
There is, however, bad news–unlike the global trend, where 33% of companies
said they plan to increase their security budget in the next two years, only 22%
of the Indian businesses had similar plans. PwC analysts suggest that this could
be due to the general budgetary cuts being imposed by a number of organizations.
"However, businesses would need to carefully plan these investments by
doing a risk analysis to ensure that available funds are used to mitigate the
higher risk security threats," cautions the report.
Budget is a barrier
Despite the fact that more than 77% of the respondents belonged to the high
revenue category of above Rs 100 crore, including 43% with revenues in excess of
Rs 500 crore, insufficient budgets have been referred to as the biggest barrier
to efficient security management in the country. Forty-nine percent of the
respondents cite capital expense as a big barrier to effective security
deployment. This is up from a mere 4% during 2000-01.
With the downturn affecting almost all the sectors of industry, India Inc has
been fairly conservative in the overall resource allocation for IT security.
While the appropriate level of security investment is dependent on the nature of
the industry, risk profile, and business considerations, an allocation of 3%-10%
of the total IT spending for security is considered reasonable, with 63% of
corporates indicating an allocation of less than Rs 25 lakh for IS security–much
lower than the global average.
Also, 5% of the respondents indicated allocation of more than Rs 5 crore
towards strengthening of their IT security. Budget constraints notwithstanding,
69% of the Indian businesses claim that they have included the security budget as
a part of their overall IT budget–higher than the global trend of 62%.
Unfortunately, the survey also indicates that the importance of the human
element in IS security has yet to go down well with India Inc–only 46% of
respondents consider security training for employees as a tactical security
priority as compared to 84% globally. Also, a mere 7% of the companies showed
interest in hiring qualified staff. This is a sharp decline from the willing 28%
of Indian companies in 2000-01. While experts suggest that this may largely be
due to the employment freeze put in place by various companies, what is most
surprising is the deviation from the global trend of 35%. Bluetooth security
technology is another area where Indian corporates lag behind the global trend–as
compared to 11% globally, only 3% of the Indian respondents said they have plans
to use "Bluetooth" security over the next 12 months.
PwC’s executive director for global risk management solutions, Neel Ratan,
however, suggests that the solution to security need not necessarily depend on
an increase in expenditure. "Organizations can use their current IT
infrastructure to increase the efficacy of their IS security," he says, adding that
"more emphasis should be laid on business aspects like reviewing policies,
customer needs and enhancing general awareness of the security issues."