CISO Platform officially launches India’s maiden formal report on the IT security maturity of the industry.
The report is based on a comprehensive study of data from 400+ organizations on the technologies they adopted to secure themselves over the last 3 years.
Commenting on the launch of the report, Priyanka Aash, MD, CISO Platform said, “We have an index for understanding the state of the stock market, but there is nothing to measure the state of IT Security of the industry. We need something simple and understandable to know where we stand in terms of security posture. So, we have created CISO Platform Security Maturity Model (CPSMM) to solve this problem.”
CPSMM is built to benchmark an organization against the capabilities of its peers, showing how the company is moving relative to the rest of the industry. The model is claimed to be particularly useful for the Board and senior management, who can use it to measure their security readiness and to create their strategic roadmap.
Key insights from the report
India vs. Globe
- Indian enterprises are more than 80% at par with the USA in terms of adoption of Prevention or Detection technologies. However, they are less than 10% at par for Response and Predictive technologies. In IT security, it is impossible to secure everything, every time, so it is extremely critical to have effective measures to respond to a breach or to predict a breach before it happens. India is far behind the USA in such readiness and in capabilities like incident response and threat intelligence.
- India is far behind in hiring IT security staff when compared globally: average IT security team size as a percentage of overall IT staff is less than 1% for all verticals in India, whereas the globally recommended figure is 3-5%.
- India's maturity in Mobile Security, one of the most trending security initiatives, is 35%, whereas in the US it is almost 50%.
- Indian companies are not prepared for large-scale Distributed Denial of Service (DDOS) attacks. Adoption of DDOS technologies is less than 50% compared to the USA.
Vertical Wise Maturity
- The security maturity index for Large Scale Telecom emerged as the highest, with a score of 76.62 (out of 100). Major IT/ITES stood 2nd with 74.66, followed by Major BFSI (Banking and Financial Services) with a score of 70.16.
- The scores for other major industry verticals are as follows: Financial Services (56.06), Healthcare (53.13), Manufacturing (52.43).
- Smaller BFSI emerged as the least secure vertical, with a score of 44.95. Online and retail, with a score of 51.52, is second from the bottom.
- With 56% of companies planning to implement Mobile Security this year, it tops the IT security initiatives of the year; IT GRC Management Tools ranked second with 50% and DRM ranked third with 40%.
- Top 3 Mature Security Markets: Anti-spam/Anti-malware (98% implementation), Content Security (93% implementation) and Patch Management (87% implementation) are the top 3 mature IT security markets in 2015.
- More than half of the companies in the sample data set tested their IT security infrastructure once a quarter. However, the Indian industry is highly price sensitive and often compromises on quality.
- ISO 27001 tops security compliance, with 66% implementation by companies in India across all verticals.
State of Online/E-commerce Security
- Online and E-commerce companies rank the second lowest, with a score of 51.52 compared to the Large Scale telecom companies with a maturity of 76.62.
- Online and E-commerce companies are lacking in IT security maturity, and most of them do not have adequate protection against DDOS attacks or a well-tested Incident Response Program. Most of the young e-commerce companies also lack key security requirements like Secure SDLC, in-depth penetration testing during every release, Web Application Firewall (WAF), SIEM etc.
- More than 90% of the e-commerce companies do not have a dedicated Chief Information Security Officer and typically their engineering head doubles up as the IT Security Head.
Biggest Risks for the Indian Industry
- There is a severe lack of awareness of IT security across all levels of the organization. The Board/CEO in a typical company does not consider security a top priority. The IT security teams are generally not trained in emerging areas of security. India is at least 10 times behind the USA in terms of adopting emerging IT security technologies like CASB, Threat Intel and Containerization etc.
- There is a lack of indigenous IT security technology companies from India. India has produced less than 25 indigenous IT security product companies compared to more than 500 in the USA. As a nation, we need to allocate more resources towards building security technologies.