Information security has been a growing concern for the entire global business community over the last decade, and the industry has watched organizations raise their stakes in preventing cyber crime.
The Global Security study is based on in-depth research and detailed interactions with 963 organizations around the world out of which sixty-two are based in India. Deloitte in India owns one of the biggest risk advisory practices. It has worked extensively in the field of information security, technology transformation, and risk management with the biggest names in the industry.
Senior professionals in Deloitte's information and technology risk services practice conducted focused discussions with information technology (IT), security, privacy, and risk management executives of leading organizations worldwide, emphasizing key aspects of the strategic and operational areas of security, privacy, risk management, and compliance across all industries. This report presents a summary of the learning and responses of the Indian participants in both qualitative and quantitative formats.
The fourth annual Global Security study, India Perspective, reports the outcome of focused discussions between Deloitte's information technology risk professionals and the security, privacy, and risk management executives of top global companies spread across all industry verticals the world over.
These discussions were designed to identify how companies are dealing with information security. A particular emphasis was placed on identifying the types of risks that companies in the industry are concerned about, the levels of perceived risk, and the resources which companies are using to mitigate these risks. The results of these discussions are presented in this study. The study also identifies the technologies which are being used to improve security, and what companies are gaining from their security and privacy investments.
Independent Attestation Still Nascent
Choosing your vendors can be an arduous task. There are several vendors today who appear to know what your organization wants, especially when it comes to the security of your intellectual property. However, are these organizations really doing the right things? And are they doing these right things right?
Independent security attestations can assist organizations in evaluating their vendors' practices, and help them remediate where necessary. On the other side of the table, a vendor that holds certificates of such attestations gains considerably in trust and reputation when approached by organizations requiring its services.
The Global Security survey indicates that, while 29% of organizations globally require some sort of independent attestation for the security of work outsourced to third-party vendors, only 13% of the respondents in India go in for such independent attestations to understand whether information security practices are adequately applied within the vendors' organizations. In addition, only 8% of the organizations in India engage an independent third party to assess third parties' capabilities. This number stands closer to 11% globally.
On the other hand, most Indian companies sign confidentiality and/or non-disclosure agreements with their service providers. Additionally, some of the organizations prefer to perform random spot checks of third parties' sites.
As one can see, the organizations in India appear to be more lenient in their approach, which makes them vulnerable.
Information Security Budgets in Right Direction
During the 2009 Global Security study, the economy was going through turmoil due to the global recession, and organizations were reviewing and cutting corners by every means, including security. The damage done by last year's budget cuts is reflected this year in the respondents' responses. Although 48% of organizations in India believe they are on plan in dealing with security threats, 44% of the organizations still believe that they are falling behind or catching up in dealing with security threats.
This year's study shows a slight increase in security investment in anticipation of an economic recovery. After more than a year of restricted spending and postponed projects, significant security and infrastructure upgrades are finally underway. The survey reveals that in 2010, despite the global economic downturn of the last two years, there is a significant drop compared to last year in the number of respondents who state that lack of sufficient budget is a major barrier their organization faces (only 38% of respondents this year versus 56% last year globally). This number falls further for India, where only 18% of organizations cite lack of budget as a major barrier. This may well be a product of a dawning realization that, as the information security environment gets more and more complex, investment in data protection must get more serious. Given this, the security function must now be prepared to demonstrate RoI or EoI to further cement this trend. Top spending priorities in 2010 include Identity and Access Management (IAM), data protection, security infrastructure improvement, regulatory and legislative compliance, and information security compliance remediation based on the findings of internal and external auditors.
The study also shows a noteworthy increase in information security budgets over the last year. 10% of respondents increased their budget by more than 10%, and 57% increased their budget by up to 10%. In addition, there was also a considerable decline in the proportion of organizations reducing their information security budget. For example, the number of organizations in the TMT industry that reduced their information security budgets declined to 23% this year, compared with 32% last year. In India, only 3% of organizations reported a decrease in their IT budget.
In light of the global recession, and the still fragile recovery, 47% of the respondents have established metrics and initiatives aligned with business value to measure the effectiveness of their security investments, while another 42% are somewhat aligned and swiftly moving in that direction. These figures show that organizations are trying to spend their information security budgets wisely. They want to obtain high security levels at a reasonable price and are positioning themselves for an optimistic (but still uncertain) future.
Third-party/Vendor Security Capabilities Still Doubted
Today, very few businesses are entirely self-contained. Most rely heavily on the extended enterprise, supply-chain partners, and other third parties for key business activities. Ensuring security across such a highly distributed and complex value chain is much more challenging than ensuring security within an organization's own walls.
Managing an external business partner presents a different set of security requirements than managing an internal department. According to our study, the most common approach to ensuring security with third parties is signing confidentiality and non-disclosure agreements (71%). The other common approaches are contracts and controlling the third party's access to systems and data.
Effective security requires more than agreements and contracts. Given the increased importance of security and privacy, and the growing threat of attacks, many Indian organizations are scrambling to ensure their business partners' security capabilities are up to date and verified. The study found that 59% of Indian organizations have identified the security capabilities and controls of their business partners; however, only 31% have actually tested them. 7% of Indian organizations say they simply do not know what security capabilities and controls their partners have in place. In the current environment, this is no longer acceptable, since it jeopardizes the continuity of every organization in the chain.
Despite the lack of testing and verification, 23% of Indian organizations have high confidence in their third parties, and 43% are somewhat confident. Only 3% are not confident.
Tighter security regulations could force organizations to take action on this issue. However, regulations alone might not be enough. Most rules and regulations are still based on physical business models rather than on the online business models which are gaining prominence in the Indian marketplace. According to the study, 69% of the respondents believe they receive adequate commitment and funding from senior executives to effectively address regulatory or legal requirements, compared with 53% globally. However, as was the case last year, most respondents believe regulatory requirements are at best somewhat effective in improving their information security.
Compared to global organizations, Indian organizations are more likely to handle security activities in-house. Outsourcing of security technology services in Indian organizations is on par with their global counterparts, but the use of external providers for business continuity and other security-related services is significantly lower (15% in India compared to 20% globally).
Increased Focus on T&D
People are key to an organization. Organizations should, therefore, focus more on the human facet of security, and specifically so for internal vulnerabilities.
The challenges of internal security are greater than ever, thanks to mobile devices, wireless networking, and social media. Today, most employees are equipped with a laptop and smartphone, and are able to work and access the Internet from almost anywhere. Unfortunately, technological advancement and the new usage behaviors have generally outpaced employee awareness of the risks of working remotely.
Employees can easily release sensitive business information without realizing the consequences of their actions. Potential problems range from losing a laptop to inadvertently sharing sensitive information while using social media.
According to our study, organizations are increasingly confident in their ability to handle these internal challenges. This year, 57% of Indian respondents categorize themselves as very confident or extremely confident with regard to internal threats. Yet many organizations still lack confidence in their internal security practices. Almost half of the organizations experienced at least one internal security breach during the past year, and 32% of Indian respondents believe their information security professionals lack the competencies to handle existing and foreseeable security requirements, compared to 50% across the world.
Indian organizations are trying to address the problem through training and development. In fact, information security awareness and training is among the top three security initiatives for the coming year, as was the case in 2007 and 2008, and 50% of the Indian organizations studied plan to organize training for employees to identify and report suspicious activities, compared to 35% globally.
Having mentioned the focus on training and development, it is also noteworthy that executives and third-party contractors in most of the organizations do not receive customized security training, which might limit their ability to serve as role models for security awareness. Most security awareness programs start with an e-learning module, which raises awareness and knowledge but does not necessarily alter behavior. More extensive training will likely be needed to address more serious threats such as social engineering, which takes advantage of human nature and reflexive behaviors.
In addition to training, other techniques and methods such as data protection must be deployed to help reduce dependency on human judgment and ensure a high level of security. In this year's study, data protection ranks among the top five security initiatives undertaken by Indian organizations. Respondents state that data protection is one of the highest priorities, along with Identity and Access Management (IAM).
There appears to be a marked difference between internal and external attacks: a respectable 66% state that they are very confident or extremely confident in their ability to thwart external attacks. Data loss prevention is a major undertaking that begins with the most time-consuming part: classifying existing information to identify what needs protection and from whom. But as daunting as the project may be, organizations appear to recognize how crucial it is: respondents indicate that data loss prevention will be one of the most piloted technologies in the next twelve months. Piloting of both data protection and data loss prevention technology has risen since last year. Key issues around data loss prevention are access certification and data governance.
Information Privacy Still Lagging
A few years ago, it would have been hard to imagine the President of the United States focusing on information security, but now the opposite is true. Back then, attacks were typically associated with kids experimenting with computers in their basements. The usual outcome was often little more than a stern reprimand.
Fast-forward to 2010, and US president Barack Obama has made defense against cyber warfare a top national priority. The US government, along with many others, has appointed national cyber coordinators. NATO has set up the Cooperative Cyber Defense Centre of Excellence (CCDCOE). This dramatic shift is being prompted by the growing professionalization of cyber criminals and cyber terrorists. Geeks showing off to their friends are no longer the main problem. Instead, sophisticated organizations with political, criminal, and social agendas have become a major driving force behind information security threats. For example, the famous Mariposa botnet (a botnet, or robot network, is a term largely associated with malicious software), which infected more than 15 million computers around the world, was perpetrated by criminals with limited computer skills who downloaded the necessary software from the Internet for less than a thousand dollars. Fortunately, one of them was so unsophisticated that, by using his home computer for his activities, he led police right to his door.
Cyber crime has given rise to an entire underground economy in which criminals and terrorists can buy not only credit card numbers but also malicious software, networks (such as botnets), and tools to launch Denial-of-Service attacks. Organizations the world over find themselves stuck in the middle of this, both as high-profile targets and as the infrastructure and service providers that enable cyber crime and cyber warfare.
Almost half (47%) of organizations polled across all industries in India regard the increasing sophistication of threats as a major barrier to ensuring effective information security. Indian organizations perceive this as a greater barrier than their global counterparts do (a 17% difference), and with good reason. Technology organizations the world over are watching helplessly as their devices are used for cyber crime or cyber terrorism; telecommunication operators see their networks being used illicitly and their customers enticed by botnets; media organizations face the risk of blackmail, with criminals threatening to bring down their online channels unless paid. Although organizations in India have recognized the implementation of security related to technological advancements as one of their top security initiatives for 2009, such implementations will not be effective if they are carried out without a proper plan. As per our survey, only 25% of the respondents in India reported the existence of an information privacy program within their organizations. The corresponding number globally is closer to the 46% mark.
Hence, it can easily be concluded that these threats to organizations and infrastructure affect the entire marketplace and, by extension, society as a whole. Imagine what would happen if the phone system or Internet were suddenly unavailable, or if private and confidential information was exposed to the whole world. Today, the security environment is virtually unrecognizable from the early days: a single decade has produced fascinating but chilling developments. The bottom line is that the game has changed and no one is immune. Indian organizations, in close cooperation with the government, must find ways to counter these growing threats. If they do not, they put themselves, and our modern way of life, in jeopardy.
Conclusion
To sum up, it is evident from this year's Global Security survey that a turning point in the industry has arrived. Organizations the world over have begun recognizing the importance of data privacy and security. With the advent of concepts like cloud computing in the marketplace, industry experts have forecast a fundamental change in IT service delivery. However, it has also been noted that for cloud computing to reach its full potential, it must overcome a number of major obstacles, particularly concerning privacy and security. Organizations are laying down a systematic approach to ensuring information security within their structure. From having documented IS governance structures and properly formulated IS strategies, to actually undergoing structural convergence to ensure a proper reporting structure, organizations are leaving no stone unturned in following a proactive approach to IS in order to become early adopters. As per the report, Indian organizations appear more proactive than their global counterparts. Information security is no longer considered a budget gobbler, and the majority of organizations are increasing the budget allotted to information security.
Moreover, information security has come to be perceived as a business requirement and not just an IT issue. Information security and business continuity are an integral part of the business. Reporting frequency and reporting relationships are changing to reflect this increasing importance. In addition, organizations are focusing heavily on aligning their IS initiatives with the business. Both business and technical executives are being engaged in IS decision making. The survey suggests that more Indian organizations have their business initiatives aligned with their IS initiatives than global organizations do.
It has also been observed that regulatory compliance is becoming a key priority for organizations. They are clearly expecting more regulatory pressure. They also recognize the competitive and reputational requirement to meet or exceed industry-leading practice and the standards set by professional and industry associations. Respondents to the survey pointed to regulatory and legislative compliance as one of their top five initiatives, and are hiring more internal auditors to resolve internal and external audit findings. For the first time in the history of the survey, information security compliance remediation based on the findings of internal and external auditors is one of the major security initiatives of organizations. Although lack of oversight and compliance with security control requirements is far down the list of internal/external audit findings (only 12% globally and 8% in India), organizations are shoring up for an anticipated increase in regulation. This is a clear indication that the environment has moved from "tell me you're in control of significant financial and non-financial risks" to "prove it to me". Therefore, the need to be able to evidence this at any time, for regulators in particular and as part of good governance practice, is an enterprise-wide issue for financial institutions. As per the survey, global organizations treat compliance more seriously than Indian ones: they are more compliant than Indian organizations.
Identity & Access Management (IAM) and Data Loss Prevention (DLP) form two of the greatest security initiatives undertaken by organizations. Governance, Risk and Compliance (GRC) tends to be the driving force behind IAM. Key issues, borne out by the top internal/external audit findings, are access certification (knowing who has access to information, whether that access is appropriate, and documenting it) and strong governance that establishes automated, continuous processes for managing user access to information resources. Organizations are beginning to look at IAM for customers (i.e., using IAM tools for customer identification). However, IAM processes and practices tend to be expensive and thus require buy-in from the lines of business to ensure their success. The security function needs to learn how to sell itself in order to get the required funding for IAM initiatives. According to the findings of internal/external auditors, the granting of excessive access rights is a bigger issue globally. DLP has also taken on new urgency. Indian organizations are following the global trend of implementing DLP techniques.
In a nutshell, the Indian market is proving more favorable and responsive to the changes taking place globally.
However, organizations in India still have a long way to go before they can effectively ward off the potential threats they face and adequately secure their information and data.
Deloitte Global Security Survey 2010