For the past decade, we’ve closely researched the Indian enterprise infosecurity landscape and its fascinating facts: an average of 2,800 attacks daily in 2014; 22 percent of breaches caused by organized crime groups; attacks on financial organizations doubling across the last year.
You’d think that the increase in the number of breaches and their financial impact would increasingly make security a boardroom topic. And, that organizations would have moved or be moving from a perimeter-obsessed security focus to one that is about managing cyber-risk holistically.
Nothing could be further from the truth.
If security were viewed strategically, then why have the numbers of CSOs in India shrunk year on year over the past decade, even as the number of CISOs has concurrently risen?
If awareness is on the increase and managements are more concerned then why has security spending actually declined by 17 percent across 2013 and 2014?
The latter clearly points to the struggles that organizations go through to determine optimal levels of security spend and the RoI of the outlay.
Which brings me to the former issue. The reason that security is seldom sold to management as a business enabler comes down to how much protection the business really believes it requires.
If the considered belief is that Black Swan events are like acts of God, uncertain and unpredictable, which organization will pony up the funds? Explain that to the Gujarat and Haryana electricity boards which came across the weaponized Stuxnet worm, as did an offshore rig of ONGC.
Most organizations tend to look at security either tactically or reactively. So, only so much is put in place to cover basic hygiene until a breach occurs, when all hell breaks loose until systems and processes are put in place to avoid a recurrence.
That’s what the rising CISO numbers reflect. A tactical outlook. An outlook that doesn’t look to mitigate enterprise risk; just to paper over it.
Given how much your organizations have to lose, from a financial and reputational perspective, isn’t it time to change the internal conversation? Otherwise harnessing the technologies that promise digital differentiation can lead to digital doom.
What do you feel?