Walking the info security talk with PWC’s Vishal Salvi

Sonal Desai

Multiple devices and an information deluge is compelling CXOs of organizations—large and mid-size to looking at information security in a mature manner.

A recent report by KPMG further iterates the point. According to KPMG, the information security market in India including hardware, software and services, will be nearly Rs 1,200 crore in FY2014-15, and will grow by 50 percent in the next three years.

Asserts Vishal Salvi, Partner Advisory, Cyber Security, PwC, financial services (FS) and technology information, communication and entertainment (TICE) are two sectors that are reporting a continuing focus on information security. In a tete-a-tete with CIOL, Salvi discusses the trends and challenges of IS in India. Excerpts from an edited interview.

What are the trends driving information security in India?

We are living in a work where cyber security has caught everybody’s imagination. If you see the new trends, the attacks are more related to the physical assets, which in turn translates into data or information loaded on the asset. For instance the data on our ATM cards.

Organizations are therefore preparing a cyber resilience strategy which includes predicting the attack, strengthening the defense and then responding.

Contextually, strict audits and statutory requirements are compelling the CXOs to ask questions about cyber security readiness of their organizations. With growing online presence and connected world, information security is being imperative. Not only large enterprises and MNCs, but more and more Indian companies are coming to us.

As an industry, there is a huge demand for trained personnel, and we are in a sweet spot.

Most attacks are financially motivated and BFSI with 27 percent is the most targeted vertical. Second is the telcos. But again these two verticals have agile and active regulators, and therefore, they are more mature as compared to the rest of the industries.

 

All said and done, it is difficult for an IT organization to show immediate RoI on the IT investments. Moreover, IT is seen as a cost center. Under such circumstances, are enterprises willing to invest in IS?

IS is not about math, but about credibility. If you can mitigate risks, an organization will invest in you because you have demonstrated your IT investment. It is a process that includes continuous engagement and customer mapping.

So are decisions related to IS more of tactical or strategic in nature?

Although many organizations are talking about information security, not many have walked the talk. The reason being, info security as of today comes under the purview of the IT organization.

This is a major challenge as the first objective of the IT is to keep an enterprise always available, and ensure business continuity.   Secondly and especially during new product launches, the IT is at the back and call for immediate fixes and debugs. CISOs are more operational, and should therefore, take a call.

Secondly, there are not too many leaders of stature to drive the innovation in an organization, therefore it is important to groom industry leadership. Not that enterprises do not have budgets for IS—it is a significant 8 percent.

What are the future trends that will drive IS adoption?

IS will leapfrog. We are talking about IoT which will significantly change the security scenario. Secondly technology innovation is happening at very fast, and IS will have to keep pace.

Many organizations have invested in security operations center (SoC), the heart of the operations now has to be in response time reduction. And for that I am re-emphasizing that there is a need skilled personnel.