Does India Spend Enough on Security?
New PwC Report Suggests Budgets Out of Synch with Threats
As the financial toll of data breaches escalated by 20 percent in 2014, information security budgets in Indian enterprises actually slumped by 17 percent.
This is the startling conclusion derived from the Indian edition of PricewaterhouseCoopers' annual Global State of Information Security Survey.
Tightening purse strings in spite of the real and present danger suggests that Indian organizations might not be giving security its due degree of seriousness, says Sivarama Krishnan, PwC's Executive Director and Leader - India Cyber Security, Governance, Risk and Compliance.
"To better understand these rather counter-intuitive results and what they mean, we need to look at how the information security paradigms have changed in India in the last year," he says.
In this exclusive interview with Information Security Media Group, Krishnan also discusses:
- Why security budgets are out of synch with threats;
- The role of government in fostering cybersecurity;
- The impact of culture on India's security posture.
Krishnan is an executive director in PwC's Consulting Practice. With more than 18 years of experience, Krishnan's focus is on financial services, e-governance, IT security and telecom. He has helped many large organisations establish appropriate information security policies and procedures, including designing IT architecture, regulatory compliance framework, risk management policies and procedures.
Following is an edited excerpt of the interview with Krishnan.
On Security Budgets in India
Varun Haran: Siva, the recent PwC GISS report's Indian edition found that organizations are spending less on security while the average cost of breaches has doubled. Can you explain this?
Sivarama Krishnan: To better understand these rather counter-intuitive results, we need to look at how the information security paradigms have changed in India in the last year. But first, this statistic requires a little clarity. While the amount spent overall on IT is going up, the percentage of this budget earmarked for security is going down. This would mean that security budgets may have increased, albeit not at a share commensurate with 2013 and not in keeping with the increased cost of security.
In the past, most of the security was largely focused on internal infrastructure, policies and procedures. Security today has moved largely from being infrastructure-driven, to being user-driven. Contemporary issues this year like nation-state sponsored cyber espionage were not part of security discussions before now. The biggest examples of this from an Indian perspective are organized attempts by Chinese actors to compromise Indian IT companies or the U.S. government's notification to U.S. corporations about nation-state sponsored attempts at industrial espionage.
Haran: Could the way security is being measured have a bearing on this? What are some of the cost parameters to this equation?
Krishnan: In India, most of the time, only money spent on hardware and software is being computed. Cost of services is not being computed by Indian organizations unless outsourced. Further, as security is seen as only coming under compliance and policy, not every business project's spend on security is factored in.
For instance, while effective identity and access management is one of the best ways to safeguard business data, most times this is not being factored into the project cost. Given this paradigm, spending in India on IAM, for instance, is going down, whereas globally most enterprises have some component of their project budgets earmarked for security.
A lot of this suggests Indian organizations might not be giving security its due degree of seriousness. This situation taken together with today's sophisticated threat environment has opened up potential gaps in the security posture for Indian organizations.
Lack of Preparedness
Haran: What are the implications of this for Indian enterprises?
Krishnan: The cybersecurity preparedness in India with a reducing budget is a concern. A large part of this is the continuing focus on compliance and standards without paying heed to effective security needs. While India has adapted well to standard and compliance requirements in terms of defining policies, this growth is not commensurate with the technology requirements and deployment.
While they are defining comprehensive policies, [Indian enterprises] are less worried about spending money on security. Security policies can only be as good as the ability to oversee compliance. Large companies will not be able to enforce compliances without proper technology enablement.
This lack of technology enablement is a barrier to enforcement. Moreover, the biggest drivers for security are the regulated industries like financial services, retail, telecom, and most importantly, the government.
Haran: So what can be done from a government and regulatory point of view?
Krishnan: Globally, governments are driving security requirements by setting the example. The Indian government does not drive any security requirements today. For instance, the Indian government's spend on cybersecurity is less than 1 percent of its IT budget. Government spending in security is sure to invigorate interest and commitment to security. Not only do government and regulators need to define, they also need to invest first.
Having government security infrastructure in place is the first step to enforcement. Laws alone won't be enough for a consistent security posture. For example, in the U.S., the NSA has been tasked with assessing the security posture of mission-critical companies. India currently lacks the framework/infrastructure to do the same. The Indian government and its agencies need to build up this world-class infrastructure themselves and effect a role change from being regulators to facilitators and supporters.
The Securities and Exchange Board of India is a classic example. India is the largest market in electronic trade today, and SEBI has implemented and enforces transaction surveillance that is world-class for its own use in addition to mandating it for all exchanges in the country. RBI does not use a similar system for fraud monitoring, nor does it mandate that Indian banks use such systems. Setting an example in the industry would ensure that the government's ability to enforce improves.
Haran: Are there any cultural aspects to how security is approached in Indian organizations that make them more vulnerable?
Krishnan: I believe that culturally Indians are a lot less sensitive about sharing private and confidential data. This is an important aspect that influences budgetary spends, and drives the organization culture as well. While companies are proactive about safeguarding their confidential information that is business sensitive, sensitive customer data may not be enjoying the same level of protection.
The regulatory requirements and fines in India are not stringent enough as compared to more developed markets. If a card breach amounting to 40-50k cards were to take place in India, RBI may slap a small fine at the most. Contrast this with the situation in the U.S., where the fines are substantial and disclosure is mandatory. This may be serving as an effective incentive to invest in security. Indian regulatory and compliance standards are not necessarily up to these global levels.
Companies in India are not very concerned about reputational risks to date, except for the BPO industry, for whom it is a business imperative. Breach disclosure is not mandatory in India, which means that companies have no cause to worry about reputational risks. While the Indian data privacy act is expected to address some of these concerns when it comes out, the effectiveness also depends on the government's ability to enforce.