|
|
|
|
| Read more articles on: |
|
|
 |
|
BANGALORE: The infosecurity industry is poised for growth similar to that witnessed by the IT industry in the nineties. Design, development and deployment of systems that enhance security are currently gaining in prominence. Today, global organizations consider enterprise network security as a strategic priority.
There is an impending boom in the infosecurity industry in India as well. India has emerged as the second fastest growing IT security market in the Asia Pacific region. Indian enterprises are in the process of either establishing or reinforcing their network security architecture. IT budgets, with a focus on developing an effective IT security management processes are becoming increasingly substantial.
Rising global IT spends
To begin with, IT spend is definitely on the rise again, from a global perspective! In the US, IT spend was around US $1 trillion (IDC 2004 estimates). Global IT spend was US $2.1 trillion (roughly 6.6 percent of world's GDP). IDC found that the major spenders were the US at US $762 billion, Japan at US $362 billion and Germany at US $139 billion. Others in top 10 are Britain, France, Italy, Canada, China, Brazil and Australia (all IDC 2004 estimates).
Not surprisingly, IT security spend is the fastest growing segment at 25 percent CAGR. As per estimates from IDC, it is likely to grow from US$ 17 million in 2001 to US $45 million in 2006. An Information Week-PwC survey found that 10 percent of corporate expenses are incurred on security.
Threats and vulnerabilities are growing as well. According to Ms. Mayurakshi Ray, principal consultant, PriceWaterhouseCoopers (PwC), largest number of targeted attacks have been on the following segments - financial services, manufacturing, transportation, media/entertainment, telecom, high-tech, nonprofit, power and energy, etc.
Ms. Ray was speaking at a road show on ICT & Network Security 2006 International Exhibition and Conference, to be held concurrently with the 14th Convergence India 2006 event in New Delhi from 21-23 March, 2006. Organized by Delhi based Exhibitions India Pvt. Ltd., the ICT & Network Security 2006 will focus on five areas deemed critical to better information security - consumer awareness, early warning systems, corporate governance, technical standards and security across software development.
According to Ms. Ray, the reported vulnerabilities have been increasing at a rate of over 40 percent year-on-year, which is an alarming trend. Next, large pools of computers are getting infected as well, especially where it matters
She further highlighted that the IT complexity has been increasing as well. Technology is becoming more sophisticated and technology environments are no longer homogeneous. The threats are real and businesses are losing money. Table II lists some leading viruses and the damages those have inflicted.
Indian infosecurity scenario not encouraging
The Indian scenario is not very encouraging as of now! Indian corporate sites are more often hacked than others. As per a study by CERT India, among the Indian corporate Web sites, the .co.in domain is the most hacked, followed by the net.in and gov.in domains. Sites hosted in India are hacked more often than those located outside India.
Ms. Ray added that Indian PCs are more affected than the global average. New Delhi is the leading center with 41 percent of Indian bot-infected PCs, followed by Mumbai with 29 percent, Chennai with 10 percent, Bangalore with 6 percent and Hyderabad with 3 percent, as the top five centers, respectively.
According to a CII-PwC survey, larger numbers of Indian companies face breaches as well. It found that 58 percent of the companies faced one to two breaches, 24 percent faced three to five breaches, and 18 percent encountered more than six breaches.
Opportunities in managed security services
The Indian network security market is currently valued at US $29.9 million. About 62 percent of network security revenues come from the IT, ITeS and BFSI sectors. According to Frost & Sullivan, the overall network security market in India is likely to grow at a CAGR of 25 percent till 2010. All of this means lot more opportunities in the Indian market.
According to Ms. Ray, the opportunities would arise from the offshoring front. Managed security services (outsourced to third parties) have been growing at over 50 percent a year for last two years. A number of players are in the foray as established network companies (BT, Verizon, etc.), OEMs (Symantec, ISS, Computer Associates, etc.), and ISPs/ ASPs (AT&T, PSINet, Sprint, etc.). While some of the firms have established R&D and NOC in India like CA, Symantec, Verizon, etc., others would come to India as well, largely, a matter of time and availability of skill sets.
According to estimates from Gartner, the global revenue from managed security services would be at US $5.8 billion in 2005. IDC estimates that this segment is likely to grow by 50 percent every year till 2006.
Challenges before India
All of the above would require a clearly laid legal and policy framework, creation of skill sets/capabilities in India, and an improved Indian posture for security. So, have we successfully addressed these challenges?
Regarding the legislative and policy framework, Ms. Ray said that data protection issues are considered as critical for the global companies and India does not have one as of now. The IT 2000 Act is still said to be evolving. The IT Act is said to be very draconian and could be prone to misuse.
Employee security clearances and background verifications are considered as a second critical component. Indian states do not have one that could support high security/confidential/sensitive work to be offshored to India. Each country has a policy on electronic evidence gathering for forensic purposes as well. India does not have one, which is acceptable to judiciary and the outside world. We also need to develop the ability to solve cases and tackle litigations faster.
Regarding creation of skill sets/capabilities, the IT security skill sets are currently on high demand with low supply. Nearly no universities/technical colleges offer any specialized degree on security. Indian technical staff are perceived to be insensitive to IT security requirements as well. Finally, creation of awareness on security and Internet access at schools and colleges is negligible. Ms. Ray also added that there is a current requirement of 68,000 professionals, while the various engineering colleges and technical institutes are able to churn out only 19,000 students, annually. This needs to be addressed as high priority.
As for the Indian corporate posture on security, she said that the Indian corporate IT security posture is low globally. Spend on security in India is the lowest among the networked countries (CII-PwC survey). Over 40 percent of the Indian computers do not even have anti-virus programs installed (CII-PwC Survey). The sites hosted in India are more often intruded as compared to those outside (CERT-IN). India has the lowest level of reporting on incidents as well (CERT-IN). Awareness on IT security among CEOs is low. There is also a lack of IS security function and its independent reporting among the corporates.
Way forward
So what is the way forward? Getting the views of the potential companies for their requirements is prime. Next, there is a need to involve the academia for developing the necessary skills, and also creating and increasing the awareness among students.
There is a need to involve the police and investigation agencies to create a framework for forensic evidence capturing policy. The CERT must be involved for creating a co-operative framework to demonstrate the active participation between the industry and the agency. Various industries must also be involved to create better corporate posture and security compliance. Finally, leading industry associations, such as CII, FICCI, NASSCOM, etc., should be involved to drive member participation in the initiatives.
Earlier, Aninda Sen, regional head, Exhibitions India, remarked that the ICT & Network Security 2006 would focus on deploying, developing and investigating security solutions. The organizer is committed to delivering positive RoI for the exhibitors. The IPCC and the WCA are the two supporting associations for this event.
|