Why Indian CEOs Still Not prioritizing IT Security

by CXOtoday News Desk    Aug 05, 2015


When the rest of the world is raving about cyber security, what are Indian CEOs doing about it? Most of them seem to be relaxed - by choice or by circumstance- we do not know that but they are not doing much about it. At least a recent study gives the impression that there is a severe lack of awareness in terms of IT Security across all levels of the organization and the biggest risk for businesses is that the CEO in a usual company does not consider IT security as a top priority.

The CISO Platform report, which has collected the data point of more than 400 large enterprises in India in terms of the technologies adopted for securing their organizations over the last 3 years, states that India is at least 10 times behind USA in terms of security readiness and capabilities like Incident response, Threat intelligence etc.

The IT Security teams are generally not trained in emerging areas of security, according to the study and notes that there is a lack of indigenous IT Security technology companies from India. India has produced less than 25 indigenous IT security product companies compared to more than 500 in USA. As a nation, we need to allocate more resources towards building security technologies.

Some of the key insights from the report are rather startling. It says,   Indian Enterprises are more than 80% at par with the USA in terms of adoption of Prevention or Detection technologies. However, they are less than 10% at par for Response and Predictive Technologies.

IT security, Not A CEO Priority

The biggest risk for businesses is that the CEO in a usual company does not consider IT security as a top priority, the study further says. More than 90% of the e-commerce companies do not have a dedicated Chief Information Security Officer and typically their engineering head doubles up as the IT Security Head.

India is far behind in hiring IT Security Staff when compared globally: Average IT Security team size as a percentage to overall IT staff is less than 1% for all verticals in India, whereas recommended figure globally is 3-5%.

 Maturity of India for one of the most trending security initiative viz  Mobile Security is 35% whereas in US its almost 50%. Indian companies are also not prepared for large scale Distributed Denial of Service (DDOS) attacks. Adoption of DDOS technologies is less than 50% compared to USA.

Those prone to maximum risks

The security maturity Index for Large Scale Telecom emerged as the highest, with a score of 76.62 (out of 100). Major IT/ITES stood second with 74.66, followed by Major BFSI (Banking and Financial Services) with score of 70.16, followed by healthcare (53.13), Manufacturing (52.43).

Smaller BFSI emerged as the least secured vertical and has achieved a score of 44.95. Online and retails achieved a score of 51.52 is the second from the bottom.

Mobile security tops the chart

With 56% companies planning to implement Mobile Security this year, it tops the IT security initiative of the year; IT GRC Management Tools bagged second rank with 50% and DRM ranked 3rd position with 40%.

Anti-spam/Anti-malware (98% implementation), Content Security (93% implementation) and Patch Management (87% implementation) are top 3 Mature IT Security market in 2015.

More than half of the companies in the sample data set, tested their IT security infrastructure once in a quarter. However the Indian Industry is highly price sensitive and often compromises on quality.

State of e-commerce security

Online and E-commerce companies rank the second lowest, with a score of 51.52 compared to the Large Scale telecom companies with a maturity of 76.62, the study shows.

Online and E-commerce companies lack in terms of IT Security maturity and most of the companies do not have adequate protection against DDOS attacks or a well-tested Incident Response Program. Most of the young e-commerce companies also lack in key security requirements like Secure SDLC, In Depth Penetration Testing during every release, Web Application Firewall (WAF), SIEM etc.

Priyanka Aash, MD, CISO Platform believes the report would be particularly useful for the Board and the senior management so that they can have a data driven way to measure their security readiness, as well as create their strategic roadmap.