India’s attempts to transform into a digital economy have brought the country’s preparedness on cybersecurity into the limelight. With growing instances of cybertheft and crime, there is an urgent need for a well-crafted, national-level cybersecurity framework. Industry experts share their views on the key trends, challenges and opportunities in the Indian cybersecurity space…
How has the cybersecurity market in India evolved over the years? What are the emerging trends in this space?
Today, state-sponsored cyber espionage has reached new heights where data is stolen from classified computers, mobile devices and network equipment. India has seen an exponential rise in cybersecurity incidents and events like malware, zero-day vulnerabilities, cyber terrorism, ransomware and phishing in the recent past.
The cybersecurity market in India is growing at a relatively fast pace as compared to previous years. With an increase in the number of attacks and breaches targeted at India, enterprises are becoming more aware of cybersecurity. The top trends that we see in India are around application security, distributed denial of service (DDoS) mitigation, advanced malware detection and prevention.
The cybersecurity market in India is both evolving and maturing, with the launch of digital and online connected systems that have blurred enterprise boundaries. The regulatory mandates are furthermore defining the playing field and the corresponding safeguards in the form of protective and preventive systems. The market is showing more depth with vendors offering specific point solutions as well as end-to-end security capabilities.
Cybersecurity is evolving at a faster pace both globally as well as in India. Most enterprises think of cybersecurity as IT security. But with internet of things (IoT), wearables and sensor devices coming in, cybersecurity is becoming far more pervasive than just IT security. Everything that has an internet protocol (IP) address, whether it is dynamic or static, is vulnerable to a hack or a mis-hack. There are different kinds of hackers in the world, ranging from the immature to the highly sophisticated. Thus, cybersecurity needs to address not just enterprise investments in IT but a lot of non-IT areas as well.
The second big trend is that enterprises will need to shift from a static to a more proactive approach to ensure that an enterprise is truly and securely protected.
Thirdly, enterprises will have to bring about a paradigm shift, a position from which they are able to predict where the potential compromise in security is likely to arise. This will require advanced analytics. The encouraging part is that all of the data is IP-based and you have an electronic record of all the data coming in. You just have to be better at predicting where the essential compromise in your enterprise might come from. The third trend is enterprises moving towards a “predictive mindset” rather than a “reactive mindset.”
What are the key security solutions being deployed by various industries? What is the outlook for cloud-based solutions?
Burgess Cooper and Amit Mittal
As organisations move their security controls from a traditional perimeter to cloud-based platforms, the traditional corporate network is becoming irrelevant. The adoption of cloud platforms and security-as-a-service may continue in the future. The year 2017 may witness hyper-virtualised security.
Every industry vertical is very unique in its sense and functions quite differently. There are verticals like financial services, which demand confidentiality along with accessibility to the general public from across locations and devices. On the contrary, critical infrastructure like energy, and oil and gas need not require universal access.
The banking, financial services and insurance (BFSI) sector is often affected by DDoS, data theft, insider attacks and website hackings when customers try to access online banking, credit card payment and online brokerage. Cybersecurity products and solutions like next generation firewall, DDoS protection, web application security, data security and breach prevention work out well in securing the overall ecosystem. Similarly, for the retail industry, retailers and store managers need to secure the point-of-sale (PoS) systems to avoid cybertheft. Security products like endpoint protection and authentication suites are also a must in such instances.
In the current scenario, where cybersecurity requirements have increased considerably, enterprises are looking for options that are cost effective and also take care of the necessary security needs. The cloud-based model remains an ideal choice for organisations where there are no capital investments and the whole security environment is managed by a service provider.
Indian enterprises are deploying various solutions to protect themselves from targeted attacks and breaches. Since the traditional tools are not efficient enough to cope with such attacks, organisations are deploying solutions like network sandboxing, end-point detection and response tools, deception technology tools and web application firewalls. In addition, they are building effective and intelligent security operations centres to increase threat detection and ensure an appropriate response.
Globally, the adoption of cloud-based solutions is increasing at a very fast rate, the primary reason being their scalability. Indian enterprises are also very open to cloud-based solutions and the demand is growing, but most of these solutions have their data centres based outside the country.
There are multiple vendors and solutions available across the cybersecurity ecosystem, covering identity and access management, point security solutions, security analytics and correlation engines. We believe that a simple “buy-and-deploy” is not the best way forward. Organisations need to look at their specific industry security profile, business context, risk appetite, threat profiling, etc.
Cloud is and will continue to be interwoven with how security products operate, covering communications and relationships with employees and partners.
Most enterprises have got numerous tools for cybersecurity, for different layers of architecture. These include end-point security, server security, storage security and network security. The challenge is not so much with respect to finding more solutions, but with respect to deploying the available solutions more effectively.
We expect enterprises to move towards buying essentially three layers of security. One is the basic and commodity-based service. The second will be a more end-point solution that will have usage across the enterprise. The third layer will be predictive solutions utilising highly advanced analytics tools. The foundational layer is already there in most enterprises. The second layer is also there to some extent, but what is missing is the third layer to drive a more forward-looking approach towards cybersecurity.
How is the adoption of IoT/machine-to-machine (M2M) technologies likely to impact the cybersecurity space?
M2M and IoT will increase communication among people and most of the talking would happen through machines. However, this would involve large volumes of data being transacted every second, which would lead to deep-rooted security problems like impersonation, identity theft, hacking and, in general, cyberthefts.
Globally, the adoption of IoT is going to impact the overall cybersecurity of an enterprise on a large scale. With the recent DDoS attacks targeted at IoT devices, it is evident that IoT vendors are not focusing much on the security of these devices. Enterprises should have a clear understanding of the security features of the IoT devices they are procuring or they already have in place as this will impact the overall cybersecurity of their enterprise. In India, the adoption of IoT devices is slower as compared to other parts of the world.
The cybersecurity players now need to delve deeper as the sheer number of endpoints has gone up exponentially and automation has added to the complexity of the deployment. It also brings a whole new element of addressing privacy and regulatory mandates. To cater to this challenge, cybersecurity will be decentralised with security checks being done at the end-point and a double check being done on the hub side. There are limited solutions capable of addressing large deployments so it will be exciting to see how the industry and vendors scale up with this technology.
Most enterprises do not have the know-how of how to use and manage IoT. Earlier, hackers made breaches through a long and traditional IT environment. IoT is only going to promote a security mindset across the enterprise.
What are some of the challenges that the cybersecurity solution providers face in India?
Burgess Cooper and Amit Mittal
Organisations are still following a reactive approach. In order to effectively curb incidents of cybersecurity, a proactive approach is needed. Second, there is a lack of awareness about security problems and practices. Third, many organisations find complying with various government laws and regulations (SoX, HIPAA, etc.) as well as industry standards (e.g. PCI-DSS) a significant challenge. Also, limited resources are a problem for large and small organisations.
For growing companies, the greatest challenge is keeping the organisation and its critical assets secure in times of rapid expansion. As the size and scope of operations grow, it becomes difficult to maintain a consistently high level of security. An added challenge is when this expansion includes acquisitions or opening up systems to external partners.
“For curbing cybersecurity incidents effectively, a proactive approach is needed.” Burgess Cooper and Amit Mittal
Most businesses still believe that putting a basic security feature in place, like a firewall or an antivirus, would put to rest all their worries. This perception is due to the lack of knowledge among enterprises on the latest trends in cybersecurity, the gamut of security products available in the market and capability of each of these solutions in fighting specific cyberthreats. In such a situation, security solution providers need to understand the customer issues and address their ignorance through a consultative sales approach.
“Security solution providers need to address the issue of customer ignorance through a consultative sales approach.” Rajarshi Dhar
There is a huge demand for local cybersecurity vendors/solution providers as international vendors do not provide adequate support and implementation services in India. Moreover, clients like to deal directly with the vendor for bigger deals; however, they often have to go through a channel partner when dealing with international vendors. Price is an important criterion for selecting a vendor. A solution provider needs to focus on offering better services to clients during implementation and technical support.
“We need to have more granular cybersecurity guidelines in place.” Rajpreet Kaur
The Indian market is still rather fragmented and only just starting to mature. Businesses do not fully understand their risk profiles and the myriad threats they experience every day. The challenge of effectively addressing cybersecurity in the realm of emerging technologies might seem an impossible task.
“An intelligent and evolutionary approach to cybersecurity is the key to staying ahead of cyber criminals.” Shree Parthasarathy
Currently, the approach to cybersecurity is very price-driven and tactical. The right kind of questions with respect to cybersecurity are not being asked. Recently, banks in India had a massive breach where details of about 34 million cards were stolen. Apart from the financial losses it caused, there was also a lot of reputational damage that cannot even be quantified. When such breaches happen, the approach of enterprises with respect to cybersecurity changes rapidly. Thus, it is important that cybersecurity is not reduced to just a request for proposal-driven process of choosing a vendor.
“A key trend is enterprises moving towards a ‘predictive mindset’ rather than a ‘reactive mindset’.” Arshad Sayyad
What are your views regarding the existing regulatory and policy framework on cybersecurity in the country?
The current state of the industry points to a limited cybersecurity policy towards critical infrastructure like energy, defence, telecom and space. The government, the product/service companies and the regulatory bodies have been making efforts to improve the existing cybersecurity regulations. However, they have faced challenges in formalising them into laws.
At a time when the Indian government has rolled out ambitious plans like the “Digital India” initiative, the latest being an aim to create a cashless economy, there is an urgent need for a well-crafted cybersecurity framework.
We do have a cybersecurity framework and guidelines in India. However, not many organisations, other than large BFSI organisations, follow them. We need to have more granular cybersecurity guidelines in place, which should be regulated by the respective governing bodies.
India has practically leap-frogged on the cyber policy and regulatory frameworks. The government and associated regulatory bodies have already identified cybersecurity as a key consideration. The work done by the Reserve Bank of India, the Insurance Regulatory and Development Authority and others has led to a clear operating environment, which is in line with the global standards. Businesses are just coming around to integrate and realign their systems.
The efficacy of controls still needs to be looked at over a mid- to long-term period since the underlying threats are rather dynamic. Overall, it is the right step in the right direction.
The regulatory environment in India is getting better. India is taking a fairly progressive view as far as cybersecurity is concerned, but a lot more needs to be done. The move towards digital and cashless payments, which puts consumers at a lot of risk, will require more regulatory controls.
What is the outlook for the cybersecurity market in the country?
The Indian government has targeted security investments in digital inclusion and infrastructure modernisation projects, which would directly drive the cybersecurity market. The boom in smartphone usage and the concept of bring-your-own-device have further pushed the need for a secure cybersecurity framework among organisations. India is likely to see much higher adoption of cybersecurity products, if enterprises become well informed on the latest trends in security threats and the country mandates stricter security laws.
Cybercrime is fuelled by increasingly sophisticated technologies along with relatively new trends in mobility, social media and the rapidly expanding connectivity, all in the hands of the more organised online criminal networks. In this environment, an intelligent and evolutionary approach to cybersecurity is the key to staying ahead of cyber criminals and the competition.
India is among the top 20 targeted countries in the world. With India rapidly going digital, hackers are turning their attention to the country and this activity is likely to pick up. Moreover, the enterprises, including even the best of enterprises in India, are leapfrogging in terms of technology. As such the need for cybersecurity in the country is going to accelerate.