/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsBANGALORE, INDIA: According to Information Systems Security Survey, 2007-08 titled ‘From strength to strength’, conducted by the Indian Computer Emergency Response Team (CERT-In), Federation of Indian Chambers of Commerce and Industry (FICCI) and PricewaterhouseCoopers (PwC), no longer is security merely a line item in the overheads budget of Indian enterprises, nor is it a technical issue easily addressed by an off-the-shelf technology product,
The results of this year’s survey have been benchmarked with ‘The Global State of Information Security 2007’ study, conducted by CIO magazine, CSO magazine and PwC.
Indian enterprises have traditionally relied on technological controls for information security. Besides perimeter security, security of desktops, the source of a number of security breaches, has also assumed importance. In terms of employing technology safeguards, 91 percent of respondents indicated having data backup mechanisms in place.
There used to be significant gaps in the implementation of ‘people’ related controls. This scenario has improved in this survey as organisations have identified enhancement of security awareness as a top strategic priority. Today, more than 80 percent of the organisations focus on employee awareness programmes, as compared to 47 percent, as per global figures.
Monitoring of employee use of the internet and information use is the latest trend, with more than 78 percent of the organisations focusing on this, as compared to the global figure of 48 percent. India Inc. is also increasingly hiring specialised security staff. 51 percent of the organisations in India, as against 32 percent globally, have employed chief information security officers.
Sivarama Krishnan, executive director, information security practice, PwC, said: ”It is encouraging to see that Indian organisations have moved faster than their global counterparts in establishing processes for conducting periodic security audits and in having information security strategy in place. We expect this to continue as majority of the organisations have plans to increase their security spending by double digits”.
Unlike the trends shown in previous surveys, it is also encouraging to note that a lesser percentage of organisations have suffered security breaches, with viruses being the single largest source of breach (68 percent).
Gulshan Rai, director, CERT-In, said: “Indian enterprises can avoid security breaches further if they develop and implement an effective information security strategy and framework. An essential component of this framework is to view security as a strategic initiative and not as a cost centre.”
However, there is a flip side too. While, almost 83 percent of the organisations were found to have a business continuity/disaster recovery plan, 90 percent of these organisations do not conduct regular testing of their plans.
Amit Mitra, secretary general, FICCI, said: “In the event of a service disruption or disaster, these organisations might not be able to effectively resume their operations. Organisations need to re-look at their BCP/DRP strategies in a holistic manner to ensure effective recovery in the event of a disaster”.
Indian organisations today are facing increasing compliance obligations and are exposed to reputation risks. While they are increasingly becoming aware of the regulatory requirement; however a lot remains to be done in terms of achieving compliance.
“Organisations in India must realise that there are significant advantages in achieving compliance. It can result in more cost-effective processes and ensure top management support,” says Rai.
Lack of dedicated resources and adequate training are identified as the primary barriers for strengthening information security in India. “This clearly establishes the requirement of universities and colleges to come up with specialised training courses, so that information security professionals are equipped with necessary know-how and knowledge,” adds Mitra. “This is amiss at this point of time.”
The industry-wise analysis has revealed interesting results. The ITeS segment has gained the leadership position instead of the financial services sector, which has traditionally been at the top in terms of having security that is more effective. More than 83 percent of financial services and ITeS organisations justify their security investments on grounds of protecting customer information.
“Organisations in the ITeS segment have implemented security that goes far beyond in what is practised in the West. For example, BPO agents are required to surrender everything which could facilitate data compromise like mobile phones, PDA’s, pens and notebooks,” concludes Sivarama Krishnan.