Security equates with survival for today's organisations.
So how much are Indian enterprises spending upon this all-important aspect of
IT infrastructure? by Anil Patrick R
This year's IS survey shows that security has matured from being a marginal
investment to a necessary (and larger) element of the IT budget.
IS 2005 reveals increasing levels of existing security investments among organisations
over the years (47 percent in 2003, 55 percent in 2004 and 59 percent in 2005).
Among the issues to be addressed with these investments, viruses (85 percent
of organisations) and Internet security (58 percent) are the most critical for
On the planned investment front, 55 percent of Indian businesses plan to invest
in security during the present fiscal. This can be attributed to the fact that
most organisations have made their initial investments and they are taking care
of marginal maintenance.
Indian organisations are
taking security seriously and documenting security policies. Security
audits are also commonplace.
Your security investments
are as good as wasted if you don't have documented security policies and
audits to back up the technology. Enforcing policies combined with user
education is equally important to achieve
a complete security infrastructure.
Viruses and Internet security are top of the security agenda
for most Indian organisations. It is not surprising to see that most companies
focus primarily on anti-virus and firewalls for protection.
Of the respondents who have made security investments, 97 percent have already
invested in anti-virus solutions and 78 percent in firewalls during the previous
fiscal. This covers only the network perimeter. Advanced protection mechanisms
such as intrusion detection systems and access control mechanisms need to be
present for comprehensive security coverage. Presently, only 42 percent of organisations
have invested in these.
On the IDS front, BFSI (68 percent), BPO (65 percent) and
oil/power (60 percent) have reasonable adoption levels. 50 percent of the telecom
companies surveyed have invested in integrated security appliances and identity
management. Access control and biometric devices are favourites with BPO and
oil/power; 70 percent and 30 percent of companies in these verticals have adopted
these technologies respectively.
It is true that the majority of Indian organisations
do not have a documented security policy. This does not mean
that they do not have any
Indian organisations plan to invest in firewalls (52 percent)
and anti-virus (50 percent) during the present fiscal. IDS and access control
investments are on the anvil for 34 percent and 28 percent of organisations
A majority of telecom and oil/power organisations plan to
invest in IDS during the present fiscal (83 and 60 percent respectively). Apart
from this, 66 percent and 83 percent of companies in the telecommunications
vertical plan to invest in integrated security appliances and access control
Setting it in stone
Manager - IT, Hinduja Group
Corporates need to have documented security policies for effective
security practices. The IS 2005 results show that only 61 percent of Indian
organisations (which have already invested in security or are planning to invest)
have a documented security policy. Among these, data security and unauthorised
employee access top the list of priorities with 92 percent and 79 percent of
organisations respectively addressing it in their security policies.
According to Satish Mahajan, Manager - IT, Hinduja Group, "It is true that
the majority of Indian organisations do not have a documented security policy.
This does not mean that they do not have any IT security. Measures will be available
and practised, but they might just not be documented."
Documenting security policies is crucial for its effectiveness. This will be
useful if the company needs to connect with external networks or plans to go
in for certifications such as BS7799. It is also helpful for conducting security
audits to determine security effectiveness.
"Documenting security policies is a matter of how much the organisation
gives importance to security. Sadly, sometimes, this importance is not given
until an incident occurs," says Pratap Gharge, Senior GM and Head (IT),
Leading the pack
- A documented security policy is used by
61 percent of organisations that have invested in security or are planning
to do so.
- 63 percent of Indian organisations do
not conduct security audits.
- More than half (58 percent) of the organisations
perform security audits once in six months.
- Viruses and Internet security remain the
most critical concern areas (85 percent and 58 percent respectively).
- Integrated security appliance adoption
is highest (50 percent) in telecom.
Given the Indian business' present focus on scaling up to
global operations/standards, it is interesting to see that its forerunners have
already secured themselves. BPO leads the pack with 87 percent of companies
already having a documented security policy. Oil/power and BFSI verticals follow
with 80 percent and 62 percent respectively saying that they have a documented
security policy in place.
Security policies are of no use if they are not enforced. This is where the
involvement of business heads, policy reviews, security audits and user education
become important. Security is discussed at the board room level in 49 percent
of organisations, which is a positive sign.
When it comes to framing a security policy, CIOs (70 percent) and functional
heads (67 percent) are involved in most organisations. CEOs also play a role
in 44 percent of the organisations. 36 percent of organisations use external
security consultants for help with drafting the policy.
Security policies need to be reviewed at frequent intervals and modified if
required. 29 percent of organisations review their policies once in three months,
while 30 percent do it once in six months. Reviews once a year are the order
of the day for 28 percent of organisations. The telecom sector (67 percent)
and BPO (55 percent) lead with reviews once in three months.
The next stage of enforcement is through security audits. One of the best practices
used is to have separate audits conducted by the internal IT team as well as
by an external agency.
The frequency of security audits varies across organisations. "For organisations
where monetary aspects are most critical (such as BFSI), audits have to be done
more frequently. On the other hand, verticals such as manufacturing may decide
to do it once a year," explains Gharge. According to IS 2005, 38 percent
perform audits once a year. 20 percent conduct audits once in six months and
25 percent every quarter.
As of now, only 26 percent of organisations believe in educating
users about security. This figure has to go up if Indian corporate security
is to improve. Comments Satish Mahajan, "Users have to be kept updated
about the various threats that arise from time to time. Trusting users is also
more important than just keeping restrictions on everything."
The role of a CSO (Chief Security Officer) has been debated
much over the past couple of years. However, the reality remains that only 21
percent of organisations have a CSO.
Among the organisations with a CSO, the majority are in telecom
(33 percent) and BFSI (31 percent). Regulatory requirements dictate the need
for a CSO in these companies, who usually reports to the CEO (in 34 percent
of organisations) or to the CIO (33 percent).
- Tracking and enforcing security policies
is difficult without documentation. Draft and implement a documented
security policy if your organisation does not have one.
- A policy is only as good as the frequency
- Bring in external consultants for help
with drafting a security policy if internal expertise is not available.
- Security involves more than just a firewall
and multiple levels of anti-virus software. Go in for an IDS and put
some teeth in your set-up.
- Good, open source, IDS solutions are available
at a marginal cost.
- Multiple levels of anti-virus (at the
desktop, gateway, etc.) from different vendors is a good strategy for
- Outsourcing security and audits to an
external entity is worth considering if internal resources are not up
to the task.
Anil Patrick R can be reached at firstname.lastname@example.org