PwC in collaboration with CII has conducted surveys on the state of information security in India Inc in 2003 and 2004. Another such survey is in progress. Radhieka Mittal interviews Anirban Sengupta, principal consultant, Business Solutions, PwC on how the security scenario has changed since their last survey and where India Inc stands today.
1. What is the overall security scenario of India Inc. today?
There is a contrasting demand on information security for Indian organizations. On one hand, security has to enable. It represents the business imperative that the right people, including customers, suppliers, partners and the enterprise workforce require controlled access to the right resources. On the other hand, security has to protect. This means that the information assets must be protected to ensure integrity, privacy and reliability. It implies that opening the infrastructure for unlimited collaboration is also not an option, and the safeguards must be established within the infrastructure to ensure that a breach does not occur.
This contrasting demand on information has posed a significant challenge to India Inc. To add to this, there is an increase in control requirements (e.g. Sarbanes-Oxley, Clause 49) as well as an increase in threats and vulnerabilities.
The PwC studies and survey results show that Indian organizations are slowly but steadily gearing up to meet these challenges. Security is increasingly being seen as a strategic business asset by top management. The banking and financial services and ITES / BPO segments have turned out to be the top performers amongst all industry segments in India and their statistics and figures either match or are quite close to the global figures. However, the other industry segments such as manufacturing are far behind and require a lot to be done to catch up.
2. What is the perception of India Inc. on security and its needs? How has it changed in the last few years?
In 2002-03, only 68% of the Indian organizations (compared to 80% globally) accorded a high priority to information security. One must remember that the 2002-03 survey was conducted immediately after the September 11 attack, the time when security concerns were widely highlighted.
The 2004 survey results also showed similar results, with over 70% of respondents assigning it a high priority. This trend continues even today, with the majority of the Indian organizations according a high priority to information security. Information security, in India, is now often seen as a tool for gaining competitive advantage and for deriving better business benefits rather than just a tool for preventing negative media coverage, as in the earlier years.
3. Since the last survey in 2004, what are the changes that have been seen?
Organizations in India are now putting a lot of focus on monitoring their employees, an aspect which was not seen in the previous surveys.
The reasons can be due to a number of factors. Organizations are interested in controlling instant messaging and other applications, which can be easily used for leaking information. Organizations are also interested in limiting insider threats, i.e. attacks originating from employees or ex-employees and partners.
Indian organizations are also attempting to ensure that security policies and guidelines are more aligned with the business requirements. A greater number of Indian organizations now have dedicated information security staffing, specifically in the ITES / BPO and banking and financial services segments.
4. Has there been any improvement in the IT security levels? How much ground has been covered since then?
The maturity and awareness about information security amongst Indian organizations are still quite low. This is evident from the information security surveys, conducted by PwC, which identified that a large percentage of security breaches were caused by primitive levels of security lapse.
However, the scenario is not always dismal. In the CII-PwC Information Security Survey conducted in 2002-03, it was reported that Indian businesses discovered breaches largely by reactive measures like data / information loss. It is quite encouraging to note that this has changed significantly as reported in the 2004 CII-PwC Information Security Survey, with the percentage dropping to 15% from 36%.
This trend still continues with a corresponding increase in the number of breaches detected by proactive measures like analysis of logs and by the use of Intrusion Detection Systems. However, the use of proactive measures for breach detection is still lower than global figures.
5. Has the frequency of security breaches increased or decreased? To what extent has this increase or decrease been?
The number and frequency of security breaches have remained steady for Indian organizations over the last 4 to 5 years. As indicated in the surveys conducted by PwC, more than 80% of the Indian organizations do face at least one security breach over a period of one year. This figure, however, is much higher than the global average.
6. What is the level of awareness about security policy? Is a need for that felt?
The level of awareness amongst employees about an organization's information security policy is generally poor, though the intent might be different.
As per the 2002-03 survey, 54% of the Indian organizations had expressed their intent to spend money for improving end-user awareness. This was much higher than the then global figure of 30%.
The intent today is also along similar lines, though the awareness on the ground is found to be lacking in many cases. A possible explanation might be that awareness programs often score high as a strategic priority in the surveys because they are relatively low-cost.
7. Do companies in India have a dedicated IT security budget?
Most of the organizations in India do not have a dedicated IT security budget, i.e. a separate line item in the corporate budget, which refers to funds specifically dedicated to information security. Instead, the general Information Technology budget usually includes funds for information security.
8. Do companies realise that they need to keep on updating their IT security as every day the threat increases due to new loopholes, viruses, etc.?
Organizations in India do realise the importance that Information Systems need to be updated or hardened on a regular basis to counter the growing menace of threats. However, the on-ground pictures are often different. This may be due to factors such as lack of process, lack of time, complexity of technology or lack of qualified staff, which were cited by Indian organizations as the major barriers for information security.