7 minute read 13 Jan 2022
Cyber security survey

EY Global Information Security Survey India edition 2021

The EY Global Information Security Survey 2021: India Edition explores the most important cybersecurity issues organizations face today.

State of cybersecurity in India

India is aspiring and consciously moving towards becoming a digital economy. However, heightened cyber security attacks and challenges are posing a threat to India’s growing digital society. The cyber threat to organizations with extended supply chains and broad ecosystems is truly global, but regulation is becoming more fragmented. The COVID-19 pandemic has further stretched the potential attack surface for bad actors, and the responsibilities of CISOs as well as the government have never been so critical and core. They must counter the global risk and manage local compliance whilst supporting their organizations’ efforts to focus on technology-enabled rebound and growth.

Many CISOs across India are feeling the strain. The EY Global Information Security Survey (GISS) 2021 reveals the emerging and increasing stresses of the global-versus-local balancing act. As CISOs work to transform their organizations to create long-term value, the stakes are high. This year’s GISS also points to the mechanisms and solutions to create that long-term value and accelerated growth.

There is now a real opportunity to position cybersecurity at the heart of business transformation and innovation. This will require boards, senior management teams, CISOs and leaders throughout businesses and the government to work together to:

  1. Envision a paradigm shift in cybersecurity
  2. Strategically approach cyber funding
  3. Enhance communication and inclusion through the business value chain

The chapters below outline what cybersecurity leaders need to know now about their current operating environment and what they need to do to transform it.



Chapter 1

CISO at the crossroads

A time of stress, change and opportunity.

The COVID-19 pandemic has pushed every business to adapt to disruptions within timeframes that would have been considered a herculean task just a short time ago. Organizations rolled out new customer-facing technologies and cloud-based tools that supported remote working and kept the channel to market open.

But the speed of change came with a heavy price. Many businesses did not involve cybersecurity in the decision-making process, whether through oversight or an urgency to move as quickly as possible. For instance, we saw cyber-attacks on various Critical Information Infrastructure (CII) entities, specifically across power and other utilities, increase exponentially.

Tiffy Isaac, EY India Cybersecurity Partner, says that “with the exponential increase in data usage, the new way of working has led to a whole new set of diverse risks that are associated with managing operational continuity, compliance and security.”

India reported 1.16 million cyber security cases in 2020, 3-fold more than in 2019, as per government data presented in the Parliament of India.

Today, no industry is safe or spared from attacks. Sectors such as manufacturing, energy, retail, professional services, government, healthcare, media, transport and education have all been victims of cyberattacks.

Over the last year, threat actors have increasingly adopted new strategies: targeting businesses with phishing campaigns, embedding backdoor code that enables the exploitation of commercial software, targeting newer vulnerabilities in the areas of procurement, and exploiting the ever-evolving supply chain, which quickly moved from a physical supply chain to a software supply chain and eventually to a digital supply chain. Attackers are targeting a growing attack surface, and their tactics are becoming more and more unpredictable.

Yet, CISOs are struggling to make themselves heard. Most respondents (46%) admit that cybersecurity teams are not consulted, or are consulted too late, when leadership makes urgent strategic decisions. Whilst some maintain that this happens ‘not very often’, it only needs to happen once for a flaw in the defenses to be exploited by threat actors.

Cybersecurity threats in business

As CISOs work to transform their organizations to create long-term value, the stakes are high. As companies become more and more digital, cybersecurity plays an important role in their journeys. CISOs are struggling to turn these digital risks into any kind of competitive advantage to create long-term value. Businesses are witnessing a renewed customer focus on a differentiated experience, a responsive cybersecurity posture, digital, and sustainability.


Chapter 2

Three challenges holding back the CISO

Turning the tide on cybersecurity.

1.  Today’s cybersecurity organization is overwhelmed and underfunded

Despite the need for agility, given the volatility of the pandemic era and the possibility of future disruptions, survey data indicate that budget allocation processes remain largely rigid. Most respondents throughout India believe that cybersecurity expenses are not factored adequately into the cost of strategic investments. As a result, even though the amount of cybersecurity investment in India is higher, there is still a need for organizations to strategically invest in the cybersecurity function.

69% of respondents are of the opinion that their annual spend on cybersecurity is below US$500,000.

Nearly 7 out of 10 (67%) CISOs surveyed believe that their budget is lower than what they needed to manage the cyber-related challenges that have emerged in the last 12 months. According to market analysts, India's cybersecurity services industry is projected to grow from US$4.3 billion in 2020 to US$7.6 billion in 2022. It is estimated that the market size for data security in India will be US$13.6 billion by 2025, and it will grow at 21% per year[1].

Cybersecurity budget

The discipline of cybersecurity is under greater scrutiny today than it has been in the past. The Board has acknowledged the need to discuss security issues more frequently than ever before considering the sudden spike of cybersecurity incidents in India. To mitigate the challenges of a weak and undefined cybersecurity budget, focus has been on the following activities: 

14% reviewed their legacy architecture for cost-reduction opportunities

13% realigned cybersecurity requirements to better meet changing business needs

7% reduced the employee headcount

16% increased reliance on third-party providers

10% scaled back innovation activity to focus on core, non-strategic tasks

Whilst organizations are realizing the importance of cybersecurity, their budgets need to be restructured to reinforce their cyber defense. Additionally, cybersecurity budgets should be factored adequately into the cost of strategic investment and should drive business objectives.

2.  Regulatory fragmentation: a challenge for CISOs?

Privacy and security regulations demand more from CISOs than ever before. Global businesses operating in multiple jurisdictions are under additional pressure due to fragmentation of regulation.

Compliance is one of the most stressful aspects of their jobs for approximately three out of five (60%) respondents, and approximately 61% expect regulations to become even more fragmented and time-consuming in the future.

“The Indian compliance environment is becoming more complex, with organizations operating National and International levels, with silos, overlaps and massive amount of being generated by Indian citizens. The regulatory and legal requirements are bound to get more explicit and stringent basis various industry/sector,” reflects Vidur Gupta, EY India Cybersecurity Partner.

3.  Deteriorating relationship between CISOs and other leaders

CISOs have always worried about weak relationships, but the GISS suggests the problem is becoming more pronounced. According to the study, business leaders are not considering cybersecurity during important conversations.

Cybersecurity oversight

“Cybersecurity has been evolving from a technical discipline to a strategic concept and it is imperative for businesses to have the Cybersecurity function as a strategic contributor starting at the Board,” says Burgess Cooper, EY India Cybersecurity Partner.

77% of organizations sidestepped cyber processes and failed to consult security teams during the planning phase.

Compared to 2020, when more than a third of respondents (36%) believed that cybersecurity teams were consulted when planning new business initiatives, that number plunged to 23% in 2021. This could be because business and cybersecurity teams are finding it challenging to co-ordinate and communicate frequently in a remote working model.

When cybersecurity is embedded in the business, CISOs will be in a strong position to help drive innovation and become better informed of threats faced by the organization.


Chapter 3

Next steps for the organizations and CISOs

Building a bridge together.

How should CISOs respond to the core challenges outlined in this year’s GISS? CISOs must be available to different departments and remain ahead of the curve in an ever-changing threat landscape, across all areas of cybersecurity. Their relationship with the Board must shift from ‘informing the Board’ to ‘educating the Board’ and eventually ‘leading the Board’ on the cyber risk program, its maturity and the way ahead.

“It is of paramount importance that the cybersecurity function is supported by the Board as a trusted enabler for transformation and growth,” says Kartik Shinde, EY India Cybersecurity Partner.

Beyond the storm: future of cybersecurity

Whilst CISOs have risen to the challenge and can today demonstrate the growing strategic importance of their role, the crisis has certainly provided an opportunity. CISOs can leverage this opportunity to accelerate their efforts to address new age constructs.

Although it is not a direct or straightforward initiative, it is an ambitious objective that can be reached within a year. This is a time when cybersecurity has been given prominence like never before, especially in India. CISOs must be involved with the business on strategies, investments, and priorities. It is time for them to secure a seat at the table, whilst continuing to build stronger, trust-based relationships with their C-suite peers.

Summary

The cybersecurity function can become a vital enabler of growth. First it needs to address budget shortfalls, overcome regulatory complexity and improve relationships with the business.

By EY India