
Getting Tough on Security

DQI Bureau

September 11, Code Red, and the NIMDA attack have been great levelers for Corporate India as far as its security ramp-up is concerned. India Inc is now going full throttle ahead–in fact almost at the same pace and at times much faster than its global counterparts–in protecting its mission-critical information assets.


According to the recently released CII-PwC Information Systems Security Survey 2002-03, the percentage of Indian businesses that reacted to the increased threat by substantially hiking their security budgets during the year was much higher than the global average. As compared to 46% globally (Information Research Global Security Survey 2001), 74% of the Indian companies increased their security budgets over the previous year, with only 6% deciding to decrease them. Also, while 85% of respondents–as compared to 88% globally–have taken steps to protect their network, the role of security consultants has gained more importance, with 48% of the organizations using their expertise. This is much higher than the global 17%. During the period, Indian organizations also focused on the people issue for security management, with end user awareness (54%, compared to 30% globally), and training security staff (28%, compared to 28% globally) gaining importance.

The investment trend



Despite insufficient budgets being touted as the biggest barrier for effective security management in the country, 82% of this year’s respondents have indicated that they plan to invest in enhancing their network security. While 57% of the companies plan to embark upon the creation of secure network architecture to protect their wired world, 60% plan to block unauthorized access. "This," according to the report, "is generally in tune with the global trends."


The security survey report also indicates that Indian companies are looking ahead to strengthen network security during this fiscal. Responding to the question, which allowed multiple responses, on what the tactical security priorities would be, 49% of companies indicated that they plan to enhance network security by improving the OS, whereas 42% talked about improvements in application security. Security audits were another hot area, with 62% of companies showing willingness to go for them. The most noticeable increase over 2000-01 in security priority comes in the use of intrusion detection tools–up from 18% to 39%, and in implementing penetration testing, also known as ethical hacking–from 8% to 25%.

Another global trend for business, according to the report, has been a sustained move towards outsourcing. This approach enables organizations to focus on their core competencies while outsourcing areas like IT management to professionals. The survey indicates that outsourcing of security is the new mantra for India Inc. While 16% of the respondents said they are planning to outsource firewall and intrusion detection monitoring, 12% revealed that they plan to outsource security staff.

Another 19% said they intend to establish a policy for outsourced application. The driver for increased outsourcing, the report adds, could be the non-availability of in-house skills.


There is, however, bad news–unlike the global trend, where 33% of companies said they plan to increase their security budget in the next two years, only 22% of the Indian businesses had similar plans. PwC analysts suggest that this could be due to the general budgetary cuts being imposed by a number of organizations. "However, businesses would need to carefully plan these investments by doing a risk analysis to ensure that available funds are used to mitigate the higher risk security threats," cautions the report.

Budget is a barrier



Despite the fact that more than 77% of the respondents belonged to the high revenue category of above Rs 100 crore, including 43% with revenues in excess of Rs 500 crore, insufficient budgets have been referred to as the biggest barrier to efficient security management in the country. Forty-nine percent of the respondents cite capital expense as a big barrier to effective security deployment. This is up from a mere 4% during 2000-01.

With the downturn affecting almost all the sectors of industry, India Inc has been fairly conservative in the overall resource allocation for IT security. While the appropriate level of security investment is dependent on the nature of the industry, risk profile, and business considerations, an allocation of 3%-10% of the total IT spending for security is considered reasonable, with 63% of corporates indicating an allocation of less than Rs 25 lakh for IS security–much lower than the global average.


Also, 5% of the respondents indicated allocation of more than Rs 5 crore towards strengthening of their IT security. Budget constraints notwithstanding, 69% of the Indian businesses claim that they have included the security budget as a part of their overall IT budget–higher than the global trend of 62%.

Unfortunately, the survey also indicates that the importance of the human element in IS security has yet to go down well with India Inc–only 46% of respondents consider security training for employees a tactical security priority, as compared to 84% globally. Also, a mere 7% of the companies showed interest in hiring qualified staff. This is a sharp decline from the willing 28% of Indian companies in 2000-01. While experts suggest that this may largely be due to the employment freeze put in place by various companies, what is most surprising is the deviation from the global trend of 35%. The Bluetooth security technology is another area where Indian corporates lag behind the global trend–as compared to 11% globally, only 3% of the Indian respondents said they have plans to use "Bluetooth" security over the next 12 months.

PwC’s executive director for global risk management solutions, Neel Ratan, however, suggests that the solution to security need not necessarily depend on an increase in expenditure. "Organizations can use their current IT infrastructure to increase the efficacy of their IS security," he says, adding that, "More emphasis should be laid on business aspects like reviewing policies, customer needs and enhancing general awareness of the security issues."

Shubhendu Parth
