UPDATED: September 16, 2018: A survey by Deloitte reveals that nearly two-thirds of Indian organisations fear that their management of cyber security risks is inadequate. The survey covered more than 100 companies across sectors; more than 40% of these companies had turnover in excess of Rs 7,500 crore. The security inadequacy is leading to more security breaches, such as the recent Cosmos Bank incident. The security weaknesses are largely attributed to the shortage of skilled and experienced cyber security experts in the country.
According to the Cyber Security Preparedness Survey conducted by Netrika Consulting, Indian corporates do not have dedicated staff for cyber/network security. As per the survey, 65% of the participant organisations do not even have a department to manage network security, while 35% do; the latter comprise 14% that have a separate department to manage network security and 21% whose department is part of the IT team.
Speaking to Digital Creed at the Gartner Security & Risk Management Summit in Mumbai last month, Siddharth Deshpande, research director at Gartner, said, “We need to retrain existing IT professionals to start thinking about security. A lot of security is about common sense. It is not just about recruiting CISSPs (Certified Information Systems Security Professionals). It is about understanding how systems work in a business context, and applying common sense principles to make sure that at least you are getting the basics right.”
Most organizations in India have lean security teams, whether to save costs, because of the shortage of security professionals, or because of the high rate of attrition. Experienced security professionals are in demand.
Mohan Veloo, Vice President-Technology, Asia Pacific, F5 Networks, confirms this and provides more details.
“There is an acute shortage of security talent in India. A lot of companies that we talk to have just one person handling their security. These companies cannot afford to have a team of people. In India, it is common to see trained security professionals leaving to join other companies that offer higher salaries,” said Veloo.
Veloo is also of the opinion that security training should begin early, at the secondary school level.
“The universities and schools are not training people in security. How do you educate your internal people when it comes to security? And this education should start at the school level. Kids of today have access to, and have multiple accounts. There needs to be some form of simple curriculum — things like changing passwords regularly — to generate a sense of security from a very young age,” he said.
The near-term solution
To cope with the shortage of professionals, organizations are increasingly outsourcing their security management to Managed Security Service Providers (MSSPs). These MSSPs have their own Security Operations Centres (SOCs) and offer a range of services. They can remotely monitor and manage an organisation’s infrastructure. (See our story: 10 Reasons Why Your Organization Must Outsource Security.)
“Large tier-1 cloud providers like Microsoft, Google and Amazon have a better level of infrastructure and application security than what most organisations would be able to do by themselves. It would take a lot of investments for these organisations (to get their security to the same level),” said Gartner’s Deshpande.
Outsourcing to MSSPs may not be a viable option for the smaller companies. So what do they do?
Deshpande talks about the shared services model.
“They are using MSSPs that are offering shared services. They are leveraging the economies of scale that managed security services providers can offer. The MSSP’s SOC may have 50 analysts and they will serve a range of customers. It is cheaper as well and they are getting access to highly skilled resources but in a shared manner, and 24×7,” he said.
Small and medium businesses are increasingly turning to cloud service providers, not just to address their security requirements.
“The other approach is to use more cloud-based infrastructure. Not just from a security perspective but overall. Using cloud providers takes away some of the responsibility from the security team. The in-house team can then focus on other things,” added Deshpande.
Security systems in organisations throw up millions of alerts on a daily basis. But many of those are false positives and may not be malicious. It is not possible for humans to identify the malicious threats from the huge volume of alerts. But that’s where cloud and automation can help, says Akshay Aggarwal, Director, Solution Specialist, Oracle India.
“The biggest challenge today is that customers do not have enough people or skilled resources to run a big security operation centre. Obviously, you want to secure your environment but most organisations will never have enough budget for a large security operations centre, with plenty of highly qualified people, who have the capabilities for analysing sophisticated threats. So that’s where automation is helping us, because cloud actually gives you that scale that is required. It actually provides a mechanism where you can ingest a lot of data into a big data repository; with AI and ML you are able to run a lot of these algorithms on top of that data which is going into that repository, and make it more variable,” said Aggarwal.
Increased security spending
According to the latest forecast from Gartner Inc., enterprise spending on information security products and services in India is on pace to reach US$1.7 billion in 2018, an increase of 12.5 percent from 2017. In 2019, the market is forecast to total US$1.9 billion.