Archives || Search || About Us || Advertise || Feedback || Subscribe-
Issue of June 2005 

[an error occurred while processing this directive]

 Home > Cover Story
 Print Friendly Page ||  Email this story


Security agenda

Security equates with survival for today's organisations. So how much are Indian enterprises spending upon this all-important aspect of IT infrastructure? by Anil Patrick R

This year's IS survey shows that security has matured from being a marginal investment to a necessary (and larger) element of the IT budget.

IS 2005 reveals increasing levels of existing security investments among organisations over the years (47 percent in 2003, 55 percent in 2004 and 59 percent in 2005). Among the issues to be addressed with these investments, viruses (85 percent of organisations) and Internet security (58 percent) are the most critical for Indian businesses.

On the planned investment front, 55 percent of Indian businesses plan to invest in security during the present fiscal. This can be attributed to the fact that most organisations have made their initial investments and they are taking care of marginal maintenance.

Tech talk

Executive Summary
Security agenda

Indian organisations are taking security seriously and documenting security policies. Security audits are also commonplace.

Power Pill

Your security investments are as good as wasted if you don't have documented security policies and audits to back up the technology. Enforcing policies combined with user education is equally important to achieve a complete security infrastructure.

Viruses and Internet security are top of the security agenda for most Indian organisations. It is not surprising to see that most companies focus primarily on anti-virus and firewalls for protection.

Of the respondents who have made security investments, 97 percent have already invested in anti-virus solutions and 78 percent in firewalls during the previous fiscal. This covers only the network perimeter. Advanced protection mechanisms such as intrusion detection systems and access control mechanisms need to be present for comprehensive security coverage. Presently, only 42 percent of organisations have invested in these.

On the IDS front, BFSI (68 percent), BPO (65 percent) and oil/power (60 percent) have reasonable adoption levels. 50 percent of the telecom companies surveyed have invested in integrated security appliances and identity management. Access control and biometric devices are favourites with BPO and oil/power; 70 percent and 30 percent of companies in these verticals have adopted these technologies respectively.

It is true that the majority of Indian organisations do not have a documented security policy. This does not mean
that they do not have any
IT security

Indian organisations plan to invest in firewalls (52 percent) and anti-virus (50 percent) during the present fiscal. IDS and access control investments are on the anvil for 34 percent and 28 percent of organisations respectively.

A majority of telecom and oil/power organisations plan to invest in IDS during the present fiscal (83 and 60 percent respectively). Apart from this, 66 percent and 83 percent of companies in the telecommunications vertical plan to invest in integrated security appliances and access control devices respectively.

Setting it in stone

Satish Mahajan
Manager - IT, Hinduja Group

Corporates need to have documented security policies for effective security practices. The IS 2005 results show that only 61 percent of Indian organisations (which have already invested in security or are planning to invest) have a documented security policy. Among these, data security and unauthorised employee access top the list of priorities with 92 percent and 79 percent of organisations respectively addressing it in their security policies.

According to Satish Mahajan, Manager - IT, Hinduja Group, "It is true that the majority of Indian organisations do not have a documented security policy. This does not mean that they do not have any IT security. Measures will be available and practised, but they might just not be documented."

Documenting security policies is crucial for its effectiveness. This will be useful if the company needs to connect with external networks or plans to go in for certifications such as BS7799. It is also helpful for conducting security audits to determine security effectiveness.

"Documenting security policies is a matter of how much the organisation gives importance to security. Sadly, sometimes, this importance is not given until an incident occurs," says Pratap Gharge, Senior GM and Head (IT), Bajaj Electricals.

Leading the pack

Research highlights
  • A documented security policy is used by 61 percent of organisations that have invested in security or are planning to do so.
  • 63 percent of Indian organisations do not conduct security audits.
  • More than half (58 percent) of the organisations perform security audits once in six months.
  • Viruses and Internet security remain the most critical concern areas (85 percent and 58 percent respectively).
  • Integrated security appliance adoption is highest (50 percent) in telecom.

Given the Indian business' present focus on scaling up to global operations/standards, it is interesting to see that its forerunners have already secured themselves. BPO leads the pack with 87 percent of companies already having a documented security policy. Oil/power and BFSI verticals follow with 80 percent and 62 percent respectively saying that they have a documented security policy in place.

Enforcing security

Security policies are of no use if they are not enforced. This is where the involvement of business heads, policy reviews, security audits and user education become important. Security is discussed at the board room level in 49 percent of organisations, which is a positive sign.

When it comes to framing a security policy, CIOs (70 percent) and functional heads (67 percent) are involved in most organisations. CEOs also play a role in 44 percent of the organisations. 36 percent of organisations use external security consultants for help with drafting the policy.

Security policies need to be reviewed at frequent intervals and modified if required. 29 percent of organisations review their policies once in three months, while 30 percent do it once in six months. Reviews once a year are the order of the day for 28 percent of organisations. The telecom sector (67 percent) and BPO (55 percent) lead with reviews once in three months.

The next stage of enforcement is through security audits. One of the best practices used is to have separate audits conducted by the internal IT team as well as by an external agency.

The frequency of security audits varies across organisations. "For organisations where monetary aspects are most critical (such as BFSI), audits have to be done more frequently. On the other hand, verticals such as manufacturing may decide to do it once a year," explains Gharge. According to IS 2005, 38 percent perform audits once a year. 20 percent conduct audits once in six months and 25 percent every quarter.

As of now, only 26 percent of organisations believe in educating users about security. This figure has to go up if Indian corporate security is to improve. Comments Satish Mahajan, "Users have to be kept updated about the various threats that arise from time to time. Trusting users is also more important than just keeping restrictions on everything."

Policing security

The role of a CSO (Chief Security Officer) has been debated much over the past couple of years. However, the reality remains that only 21 percent of organisations have a CSO.

Among the organisations with a CSO, the majority are in telecom (33 percent) and BFSI (31 percent). Regulatory requirements dictate the need for a CSO in these companies, who usually reports to the CEO (in 34 percent of organisations) or to the CIO (33 percent).

NM recommends
  • Tracking and enforcing security policies is difficult without documentation. Draft and implement a documented security policy if your organisation does not have one.
  • A policy is only as good as the frequency of review.
  • Bring in external consultants for help with drafting a security policy if internal expertise is not available.
  • Security involves more than just a firewall and multiple levels of anti-virus software. Go in for an IDS and put some teeth in your set-up.
  • Good, open source, IDS solutions are available at a marginal cost.
  • Multiple levels of anti-virus (at the desktop, gateway, etc.) from different vendors is a good strategy for better protection.
  • Outsourcing security and audits to an external entity is worth considering if internal resources are not up to the task.

Anil Patrick R can be reached at

- <Back to Top>-  
Untitled Document
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.