89 percent of Indian companies are confident of the effectiveness of their security systems: PwC survey
The survey reveals that organizations in India are faring equally or better than global peers on most counts in ensuring security. However, there is a lack of agility and undue focus on the traditional information security safeguards.

Indian companies are spending more than INR 25 crore on information security as they are reporting an increase in security incidents. This marks a 100 per cent increase in companies spending above this amount, compared to 2012, according to PwC’s The State of Information Security Survey – India 2014.
There has been a 98 percent increase in the number of security incidents in the same period. Around 89 percent of the respondents are confident of the effectiveness of their security systems, while 57 percent feel that they are “frontrunners” in strategy and security systems. However, an evaluation by PwC based on key criteria such as effectiveness of strategy, evaluation of security events, etc. revealed that only 38 percent of respondents can be considered as having an advanced security system in place.
The survey, which covered 624 CXOs and senior management from across 17 industry sectors in India, reveals that organizations in India are faring equally or better than global peers on most counts. However, there is a lack of agility and undue focus on the traditional information security safeguards. Over 90 percent of respondents claim that their security policies and spending are aligned with business objectives, but there has also been a sharp increase in the number of security incidents and resultant financial losses. This suggests that old security models in use may be broken or ineffective.
Sivarama Krishan, leader for Information Technology Risk Management, PwC India, said, “Organizations need to be more agile to face the changing threat landscape, which is becoming more complicated and complex. Since the threats are evolving, the key is to tackle them by assessing and evaluating security strategies and practices continuously.”
“The survey results show that a focus on emerging technologies and safeguards is the route to improvement. Organizations must identify their most valuable assets and prioritize protection. Security incidents should be seen as a critical business risk that may not always be preventable, but can be managed to acceptable levels,” he added.
Compared to global figures, India is playing catch-up in the deployment of safeguards like behavioral profiling and monitoring, security information and event management technologies, and threat intelligence. Information security needs to become a part of the business strategy and should be championed by senior management, the CEO and the board.
Other key findings of the survey are:
- Incidents on the rise because of chinks in security armor: The number of incidents detected in the past 12 months has increased by 98 percent, perhaps an indication of today’s elevated threat environment. It is troubling that over 1/3rd of respondents claim to have learnt of security incidents from external sources, such as customers or managed service providers.
- New technologies implemented before secured: Enterprise mobility and cloud services are gaining greater traction with organizations in India. Yet information security for mobile devices and cloud services lags behind adoption rates. Less than 50 percent of the respondents claim that their organizations have fundamental information security controls for mobile security, and even less than 20 percent have policies addressing the use of mobile phones.
- Information security lacks management support: Nearly 30 percent of the respondents report that leadership and strategy are the two most common obstacles in effecting a strong information security function within their organizations.
- Lack of focus on the “real” intruders: Insider threats are on the increase. Insiders, particularly current or former employees, are cited as a source of security incidents by almost 75 percent of the respondents. The lack of solutions around behavioral profiling and event management adds to the problem. Yet many organizations do not have plans for responding to insider threats. Even today, justification for information security spending is more focused on external factors, such as client and regulatory requirements.