Cybersecurity In India: Reflections And Learnings From A Visitor
Last week, I had the immense pleasure of traveling to India for the first time. It quickly became one of my favorite trips of 2019. This is in spite of a punishing schedule during which I toured Bangalore, Pune, Delhi, and Mumbai and met with/presented to a couple of hundred of our clients, vendors, and extended ecosystem. The smells, colors, people, energy, and activity were very uniquely India, and I will always treasure them.
I will also treasure my learnings of the business and security landscape in the region. We’ve all heard the hype about India as a growth market and a tech hub. But nothing prepared me for what I saw and learned. This trip was a great reminder not only of our differences in practicing security around the world but also of how much we all have in common.
As always, I want to share with you what I learned and the opportunities and challenges we have in our vast APAC “region” (from a cybersecurity perspective). I say “region” in quotes because, of course, APAC is so vast and diverse from geographic, culture, business, economic, and regulatory standpoints. To do it justice, one really has to understand each of the various geographies within the region. Here are my observations and learnings from my brief yet intense India experience:
- Boards of directors in India are starting to prioritize cybersecurity, but not enough. There was a consensus among most security and tech leaders whom I spoke to that their boards take cybersecurity seriously, but it is not yet a top priority. Questions about security from the board are still occurring in a reactive manner, and there is still an unspoken feeling that organizations in India may be invincible from cyberattacks. This was of course different for more mature organizations (e.g., FS). For those of us in regions where cybersecurity is now at long last in the top three priorities for boards, we can all reflect back and remember the journey our own boards took (and are still taking) in truly understanding and prioritizing this topic.
- The importance of the human firewall and security culture change is not yet understood by senior executives. The importance of human-related controls and embedding security culture are not yet a priority for many boards and executives. At senior levels, security is still seen as the domain of technology. This is certainly different here in Australia, where many boards that I have spoken to are aware of the importance of the human firewall and are well and truly on their way to recognizing that security is not only a technology issue. It is worth noting that embedding a positive security culture is a priority for many of the CISOs and CIOs who we interacted with.
- The CISO in India (similar to global CISOs) still predominantly reports to IT, with dotted lines to the CEO/CRO. Some CISOs we met reported to CEOs and CROs, whereas many others still report to CIOs and CIOs’ direct reports. This is very much in line with global trends, in which we still see about 60% of security leaders reporting into IT. The debate as to where security should report raged (as it does in all geographies). Many security and tech leaders noted that reporting lines become less relevant with more mature and uplifted governance and reporting.
- Increasingly, security in India is transforming to a business-focused, risk-aligned discipline. We spent a lot of time discussing the importance of transforming security from a reactive, IT-focused issue to one that is business-aligned and has culture change at the heart of that transformation. This message was unanimously agreed upon by all participants in the discussion. There is a sense that security needs to be addressed holistically, considering all areas of people, process, technology, business, and customer trust. There was a general agreement that, to be taken seriously, security needs to be positioned as a business risk and embedded at all levels of the organization.
- A culture of pride may be contributing to organizations not seeking help. Most vendors I met with discussed a skill and talent shortage in India in security. The vendors unsurprisingly see themselves as helping organizations bridge that gap, yet they acknowledge that in India, anecdotally, only about 35% of organizations use security services (this is compared to a global average of about 55%). Many mentioned that to seek help could be admitting defeat, and therefore some are reluctant to do it. Some also mentioned that this same cultural nuance may be driving a slower journey for communicating with the board, as the full state of the gaps is not yet reported.
Overall, it was a great trip. I can’t wait to return and dive deeper into many of the above topics and more with our vendors and clients in the region. I want to acknowledge our India sales team for making this trip possible and so enjoyable and successful. I was in awe, yet not surprised, at the level of hospitality I received from them and our clients.
‘Til next time!