Startup Action Plan: What It Means to Security Practitioners
Experts Discuss If Modi's Startup Action Plan Has Fueled Security Growth
Back at the start of 2016, Prime Minister Narendra Modi announced a slew of measures, including a three-year tax holiday and a self-certification compliance system, under the "Startup India Action Plan." The objective was to create local demand for home-grown products, including cybersecurity offerings.
Security leaders expected these programs would foster a conducive ecosystem for startups by accelerating their growth through local demand and developing innovative products. But so far, the Startup India campaign, which promised to offer income tax breaks, pledged government procurement of startup companies' products and offered government-backed venture capital funding, has yielded few tangible results.
"Despite the digital push by the government to encourage startups in India, there haven't been any specific measures for the cybersecurity industry," says Pavan Kushwaha, co-founder and CEO at Kratikal Tech, a security testing startup company. "There hasn't been any direct government impetus for indigenous cybersecurity startups, which has failed to create local demand."
No Benefits So Far
NASSCOM reports that India has more than 50 security startup companies involved in next-generation product innovation, and it expects the number to grow.
But the leaders of several Indian security firms, including startups, tell Information Security Media Group that although the government has announced well-meaning measures, there is no evidence of any startups actually benefitting from them because of various terms and conditions and certain regulatory mandates. (See: 'Made in India' Cybersecurity: Why Not?)
Ashish Tandon, founder and CEO at Indusface, an application security provider, argues that startup organizations are unable to leverage income tax breaks. "Most startups don't make a profit for the first few years, hence income tax sops have little impact," he says. "The government's current tax concession measures, such as TDS [tax deducted at source] deductions, are not helping us in improved cash flow or justifying the investments made."
The key regulatory hurdle for startups is meeting challenging requirements in order to be considered as government contractors. While large multinational companies are able to fulfill the criteria, smaller startups find it challenging.
"The government's tendering process is complicated as it states that startups need to generate revenue of nearly $2 million to get certification and eligibility to participate in the tendering process, which isn't practical," Kushwaha says.
To be considered for contracts with the government, security startups also must be empanelled by CERT-In.
Sanjay Deshpande, managing partner and chief scientist at FortyTwo Labs, a global cybersecurity research center, says the government is trying to have similar policies for both the IT and data security industries. "However, it needs to offer incentives or subsidies for startups toward having a judicious cost structure which can come in the form of investment."
Another challenge for security startups is the lack of interest from venture capitalists, many of which are focusing instead on consumer-focused internet companies.
But Deshpande contends VC interest in security startups could grow as demand for the products they offer increases among a variety of enterprises.
Dhruv Khanna, CEO at Data Resolve Technologies, a cybersecurity startup, says that if the government can bring down the cost of certifications, such as the Common Criteria for Information Technology Security Evaluation, that would ease efforts to hire the right professionals.
Impact on Security Practitioners
Despite the hiccups security companies face in finding the right demand for their products and the right incentives for growth, groups such as DSCI, which focuses on data protection in India, are making an effort to influence enterprises to consume indigenously manufactured security products.
Many security practitioners believe that home-grown cybersecurity firms can provide a cost advantage over companies from other nations.
Bangalore-based Lopa Mudraa Basuu, former head of enterprise security & risk governance at SLK Global, believes that having strong Indian companies will be a big boost for the ecosystem. "While we will have more options to choose, having a home-grown product will have a big impact on the cost and the support system," she says. "If we have indigenous product companies, the support cost will come down as well."
Vinayak Godse, senior director at DSCI, notes: "Though India doesn't have a strong product story in the deep technology B2B segment like cybersecurity, we have observed some VC funding in this domain which is quite encouraging."
DSCI is lobbying the government to create a fund to help startups.
Godse still expects the government to roll out policies conducive to security companies and generate product demand.
"Relaxing entry barriers for Indian firms in the empanelment criteria for manufacturing products will not only help Indian organizations opt for home-grown products but also help in capacity building of cybersecurity professionals with increased employment," he says.
The CISO of a large Mumbai-based insurance company, requesting anonymity, tells ISMG: "Cost is a big factor, indeed, and if I can procure the same quality products for a cheaper rate, my cost will come down, which will help me implement more measures."
The cybersecurity task force, formed by NASSCOM and DSCI to encourage security product manufacturing in India, is working on developing research and development capabilities to enhance security, which could help create opportunities for startups.
Some security practitioners say that working with local security product companies would make it easier to build customized solutions to address their key security concerns.
"The branded solutions leave less room for a customized implementation process as we need to go in for a complete suite of products, while a local manufacturing company will have the flexibility to make products to suit our specific needs," says Bengaluru-based Satyanandan Atyam, associate vice president and CISO at Bharti AXA General Insurance.