
    India's cybersecurity doors are left wide open

    Synopsis

    A lack of information sharing about cyber attacks and a shortage of adequate cybersecurity skills are the biggest hurdles to effective prevention of cyber attacks in India.

    ET Bureau
    NEW DELHI: A lack of information sharing about cyber attacks and a shortage of adequate cybersecurity skills are the biggest hurdles to effective prevention of cyber attacks in India, even as organisations around the world are working towards building a common vocabulary around cyber attacks.
    “The two biggest problems facing cybersecurity today are skillset and information sharing,” KPMG's global head for cybersecurity Malcolm Marshall told ET.

    India’s National Cyber Security Policy, approved in 2013, outlines the basic objectives and strategies “to build a secure and resilient cyberspace for citizens, businesses and government”. It also envisages building a workforce of 5 lakh professionals skilled in cybersecurity in five years.

    While India is slowly moving towards that goal (about one fifth of that number has been reached, according to government sources), the big issue is that cybersecurity is still looked at as a technology risk rather than a business-oriented risk.

    “The challenge we see in India is that technology assessment oriented skills get misread or interpreted as deep cybersecurity skills. There is a need to have very focused, deep skills within the country. You will get a lot of people who will do vulnerability assessment, and security assessments, which are very technology oriented. That’s the natural DNA of India... that’s where it needs to have a transformation (in cybersecurity),” said Marshall.

    He said that in India, enterprises such as banks, telecom, insurance, e-commerce and retail work on designing good controls because they collect customer data, but implementation of these controls is not as effective. Enterprises that deal only in the business to business (B2B) category do not think as much about broader cybersecurity issues.

    The other big issue that plagues Indian cybersecurity is a lack of information sharing, which according to Marshall is a complex issue because of the legal and cultural factors involved. “One of the problems around so many attacks happening is there is not yet a common language about attacks. For example: someone might say we have a malware attack, and somebody will say we had a social engineering attack which actually does the same thing,” he explained.

    A programme called Structured Threat Information eXpression (STIX), which aims to “develop a standardized, structured language to represent cyber threat information” and be “as expressive, flexible, extensible, automatable, and human-readable as possible” is one such initiative to develop a common language for cyber threats.

    While the lack of disclosure norms in India in case of an information security attack has often been pointed out as a deterrent to effective information sharing, Marshall disagreed with making disclosure of all IT breaches mandatory.

    “Generalised breach disclosure is more damaging than useful,” he said, adding that a cyber breach should be disclosed only to an individual or a direct customer affected by the attack, and should also be disclosed if it relates to the broader business value erosion, after a fair degree of ascertaining what caused it.

    ( Originally published on Apr 05, 2016 )
    The Economic Times
