by Yogesh Gupta

ICS is a bigger threat than IoT in India: Sivarama Krishnan, PwC India

Interview
Jan 28, 2016

Indian companies are struggling to manage individual identities and proliferation of devices adds to that complexity, says Sivarama Krishnan, Partner & Leader Cyber Security, PwC India.

Enterprise security market in India is on the upswing.

“Indian market in last two years has been registering a growth of at least 20% CAGR. We expect similar growth in 2016 for India market,” says Sivarama Krishnan, Partner & Leader Cyber Security, PwC India.

“The current scenario of more breaches leading to consumption of more security solutions will undergo change. More than breach, security will be the business enabler for the company’s growth,” says Sivarama Krishnan at PwC India.

What does the new year of 2016 hold for Indian enterprises in information security?

The year of 2016 will be an exciting time for Indian enterprises. The global security market is growing at 9 to 10% CAGR while Indian market in last two years has been registering a growth of at least 20% CAGR. We expect similar growth in 2016 for India market.

The figures sound good from the growth perspective but from risks perspective the increase in number of threats is a huge element of worry for most CIOs. Any kind of a positive image in the economic growth of the market tends to attract higher incidents into the network. Perpetrators become more active and numbers grow for economic reasons or in the form of state actors. Though we envisage the increased attention around security, we will continue to see investments in security technologies going up.

Talking about new threats, do you see APT, DLP or cybercrime move out of hype cycle and become a reality in 2016?

PwC’s global survey in association with CIO magazine clearly shows that the insider threats have started growing again in India. It is 1 to 1.5 times which means 1.5 times of insider threat to one external threat. Many Indian companies who believe that they trust their employees need to perhaps do a recheck or keep a strict eye on their activities. Hence there would be more investments on technologies like DLP or GRC based solution for ERP etcetera.

The second area which I believe is growing is the bigger external threat — which the companies earlier did not believe in. In recent past, BPOs and banks in India have been subjected to instances of blackmailing. These are indicators for Indian companies to start focusing more on their internal security through APT solutions. If you look at RSA and McAfees of the world including IBM, they are selling software based products that clearly indicates the market transitioning to advanced security.

The third instance is the market evolution for countries like India. In the first wave, leading companies invested in basic security while many SMEs ignored the same. In the next wave, DLP, SIEM, APT are adopted by bigger corporates while the bottom end invest in AV, end point, firewall etcetera. It is parallel activity on both fronts. An area of larger interest in India is IAM (identity access and management). Indian companies in the past did not deliberate much on single sign on, managing identities and related parts of IAM. Now we see many CIOs warming up to it and it is the next wave of growth for the large companies.

How has the face of ‘insider threat’ changed in the security world?

Insider threat is not restricted to only company employees. That’s another big difference that has happened. Today the insiders include supply chain, service providers, contractors, customers and their partners of the ecosystem. Earlier the company never extended their internal systems to suppliers or customers but today the larger companies have completely integrated with their value chain partners including customer and suppliers. This expansion of the definition of insider is a new phenomenon.

How much headache would IoT be for CIOs and CSOs because everything connected potentially means the network prone to more threats?

Absolutely. In fact the largest threat I see today more than IoT is industrial control systems. ICS is the most neglected item even for CIO and CSO of larger companies and those who have invested in other technologies.

There have been instances of industrial machines blocked and ransomware demanded by hackers. The industrial sector is facing this problem to a large extent. I see interest building up on industrial control systems. Once you have conceptual level security and established industrial control systems then comes IoT (which is expanded version of ICS).

Currently on a scale, Indian companies are at negative for IoT while they are at zero in ICS. The first thing companies have to move and establish some basic ICS security then move onto IoT.

Does that mean IoT will inflict newer challenges for India Inc.?

IoT will bring varied levels of challenges. Indian companies are struggling to manage individual identities and now with devices proliferation they have to manage the device identity. The market is not mature for both contextual awareness as well as the solutions for the moment. That will be the challenge for companies to first manage identity of devices.

Once the device authentication happens then it moves to what applications are needed to secure at what level. This is the fundamental challenge for Indian CIOs whenever IoT proliferates. At present IoT is largely limited to logistics and ecommerce firms and it has not moved beyond that.

Securing different and growing number of mobile devices is another nightmare for CISOs?

Thankfully as far as mobility is concerned, it is one way traffic. We don’t have transactional level application on mobile yet across most corporates. Indian enterprises have thus not faced as much risk for enterprise users.

The companies that need to be worried in the mass space are in financial services. Retail and e-commerce retailers who use mobile App for sourcing their transactions. I personally don’t see other enterprises yet prepared because it has not been too much of two way traffic. But once transactional applications mature like in financial services, it will require a greater attention for companies. Today enterprises are only preparing to manage identities now. And MAM, MDM solutions do not work beyond a point as they are getting outdated.

As an application security strategy, the organizations are making the whole mobile as white label. The companies push Apps in secure mode and sign for App to potentially safeguard themselves. Most App development in western world and also Indian companies is happening in that direction. More than authenticating mobile device, they are moving for authenticated apps. App security and identity of application user becomes more important. Today Indian companies fortunately or unfortunately are not doing much transactional applications hence the mobile security requirement is minimal.

How vulnerable are SMBs on the attack radar in the changed security landscape?

In fact SMBs are more infected than enterprises. The incidents that come out often are based on the value of the information being compromised. Today the value of SMBs’ information is so limited that people are not bothered.

During a surveillance test in our labs, our assessment was that 40% of Indian domains or IP have been compromised in some form. This is in line with other security vendors like Symantec that puts the number at 30%. But it does not mean that SMBs are not compromised but their value is not high hence they do not see much of traction. The larger companies however see value as it is an economic loss for them.

The changing business landscape where the SMBs need to integrate with market systems, will push them to focus more on security and hence I am optimistic that the SMBs will start soon focusing on security as well.

Does the market tilting to IoT, software-based offerings mean fewer security hardware appliances at enterprise environment?

Having a firewall for IPS/IDS is a hygiene factor for most companies. It’s like having a PC and hence the companies will end up deploying it.

I see the security moving to three different trends. The security of Apps and servers has moved towards analytics. It is not so much or anymore at log and a self-correction by IPS or IDS. Collating the data and putting an analytics framework around it. APT does that in some form but it is beyond APT. APT will give technical compromise but it is not business compromise. Analytics helps identify business compromise like fraud etcetera.

The second trend is securing users rather than just infrastructure and devices. Every PC does not need equal security. For example PC of CEO will be more important than maybe peon’s PC. It is the era of value based security where securing every piece of information is not needed. Depending on data sensitivity, besides basic security hygiene CISOs should invest selectively where it matters the most. Earlier CIOs and CSOs created islands of apps which are now integrated to know more about the users’ profiles. They are driving security through users be it App integration or consolidation or creating single sign on to manage multiple Apps.

The third change is that CISOs always sold security in negative connotation, like ‘if you don’t do this, this will happen’. But things have changed now. It is sold to the board as ‘the value of this information is x and hence I need the money to protect it’.

Any suggestions for CSOs / CISOs to follow while working with technology OEMs?

CISOs need to be worried about a clear product roadmap from technology OEMs. Unfortunately the product road maps of many of them change frequently due to M&As, exiting business lines etcetera. Any investment in security on long term has to be attached to the product strategy. You see the problem for example McAfee Softlayer got modified and they sell their SIEM or be it security analytics of RSA. These product vendors changing the product strategy rapidly impacts the investments by end user organizations.

Companies buying security product often expect the product itself to give the solution. Unfortunately the product cost to services ratio in India is negligible. Whereas globally, it’s more on making the product to deliver what you want than the product itself. Unlike ERP with standalone functionality, security is completely driven by business and its requirement. The product has some capabilities but not all features and IT team needs to spend enough time. For example, installing DLP on the system will throw thousands of alerts and you say that the product is not good. Security solutions require humongous alignment of the product to your business.

More breaches means more demand for security solutions.

The current scenario of more breaches leading to consumption of more security solutions will undergo change. More than breach, security will be the business enabler for the company’s growth. For example IAM is not only for breach or control but it enables better business through reduced cycle time, improved controls. That’s what we expect in the future. However for the next couple of years, we do not see the instances or breaches reducing in countries like India.

Yogesh Gupta is executive editor at IDG Media. You can reach him at yogesh_gupta@idgindia.com or follow @yogsyogi1