India’s cybersecurity attitude is nothing to be proud of. The country is ranked 17 out of 20 on MIT’s CyberDefense Index, and is often considered the capital of cyberattacks. However, with a renewed focus towards data regulation, privacy, and cybersecurity from lawmakers in the country, we are seeing a rapid shift in the cybersecurity attitude from companies and service providers alike.
To gain a deeper insight into how the landscape is evolving in India, AIM got in touch with Fernando Serto, the Chief Technologist and Evangelist, APJC, at Cloudflare. Over the course of this interaction, Serto not only delved deeper into the unique problems faced by Indian companies, but also how they are adapting to the change in cybersecurity regulation.
A better cybersecurity attitude
The Indian government has been hard at work creating regulations to keep up with the rest of the world. Building on the legislation established the Information Technology Act 2000, the IT rules 2021 law has made Indian regulation stronger when dealing with matters of cybersecurity. Serto remarked on this,
“It’s been quite interesting to see from a policy perspective how much India is maturing on that as well. India now requires that organisations report a breach within six hours. To give you an idea, in Australia, the requirement is 72 hours.”
Regulators aren’t the only ones staying ahead of the cybersecurity code. According to Serto, even companies are becoming more aware of the importance of cybersecurity. He said, “We were talking about the level of cybersecurity awareness, how much that’s increased in India over the last 12 to 18 months. People are much more aware of the threat, and they’re much more aware of the need to do something.”
Due to the large amount of population density in the country, Indian companies face very unique problems when deploying cybersecurity solutions. This also extends into tools deployed for internal use. Companies face a challenge when dealing with the sheer volume of people, says Serto, especially when considering the number of assets, networks, and employees that need to be secured.
Serto explains, “The problem isn’t connectivity into tier 1 cities, but what we are doing for tier 2 and tier 3 cities. If you go a little bit outside of Mumbai you’re going to start having challenges. It becomes really challenging from a user experience perspective.”
Notably, Serto picked up on a relationship between user experience and eagerness to adopt cybersecurity solutions. He drew on the example of remote working during COVID, which forced a lot of companies to rethink their security in favour of allowing people to connect from their homes.
He mentioned a scenario where a company deployed a split tunnelling service for their internal VPN, wherein sensitive company data was shared through the VPN, and other, less sensitive applications were funnelled out of the VPN to favour user experience.
This then resulted in companies sacrificing visibility and security for user experience. However, Serto hit upon the solution, stating, “If you don’t break the user experience, users are not tempted to try and bypass security controls. If you combine a better user experience with better security controls, your users will adopt all the tools you put in front of them. “
Advice for enterprises and startups
Indian tech giants have been the silent backbone of many companies all over the world. The enterprise landscape in India also provides contrast to the vibrant startup ecosystem in the country, with Serto stating
“India is a really interesting market because we have very large and very old organisations, and we have very large organisations from a market cap perspective, but they’ve only been around for a couple of years.”
He also mentioned how big organisations need to break the mindset that security solutions must be procured in the same manner that they have been procuring IT. Serto urged companies to break away from multimillion dollar purchases and tenders, instead moving towards making small purchases in hundreds of thousands of dollars while keeping up with the latest security advancements.
India is also well-known for its burgeoning startup ecosystem. Many have even resorted to calling Bengaluru the Silicon Valley of India. When we asked him about what his cybersecurity advice to Indian startups would be, Serto elaborated,
“The advantage to the startups is that it’s not as difficult for them to adopt better security controls. My biggest recommendation for them is, they should be looking into how they can do the orchestration of [security] tools in the same way they do software development, because then it becomes very natural for them.”