The CSO Forum’s Annual State of Cyber Security Survey 2013 seeks to assess the current state of cyber security in India as perceived by some of its leading Chief Security Officers/Chief Information Security Officers (CSOs/CISOs). It does this by highlighting issues and challenges in the current cyber ecosystem of the country, how that ecosystem impacts the business operating environment and explores a possible roadmap for improvement. 

Given the complexity of cyber attacks around the world and the evolving cyber ecosystem in the country, the survey revealed a strong preference among CSOs/CISOs for internal self-regulation to protect their organizations from cyber risks, as opposed to relying on government regulations and enforcement.

Among other things, CSOs/CISOs in India have resorted to internal self-regulatory measures like putting in place a formal or an informal information/cyber policy, training employees on matters relating to cyber security, formalizing a process on how to respond to security breaches and creating general awareness within the organization about which authority to contact in case of a security breach. 

In what seems to have become the new normal, all companies have had a ‘reported cyber security’ breach in the last 12 months. However, a majority of these breaches were small and only 30 percent of CSOs/CISOs could attribute any direct financial loss to these breaches. Interestingly, CSOs/CISOs were able to not only trace the root cause of all breaches 100 percent of the time, but they were also able to resolve them within a month or two.   

The survey revealed a confidence-split on the existing cyber security policies in the country. 41 percent of all CSOs surveyed were either ‘very confident’ or ‘extremely confident’ while 62 percent of them said they were ‘not confident’. CSOs were also asked to rate three areas where the government must take action with respect to cyber security. They rated enforcement as the most important area for government action.   

Similarly, opinion was equally split on vendors’ security practices. As a result, companies have begun to collaborate extensively with their vendors on cyber security. 

Methodology and the Survey Universe

The ‘Annual State of Cyber Security Survey’ polled over 50 of India’s leading CSOs/CISOs on information and cyber security practices and perceptions about the existing ecosystem in the country. 36 percent of the respondents were from large-sized companies (employees above 10,000), 40 percent from medium-sized enterprises (with employees between 1,000 and 10,000) and the remaining 24 percent had less than 1000 employees. All companies surveyed had a designated CSO/CISO or an officer in charge of information security.

Key findings

Chapters in the survey deal with issues related to cyber security safeguards and current practices, the frequency of cyber security breaches, responses to cyber attacks, government policies and the cyber ecosystem in India as well as third-party risks.

Some of the Survey’s key findings:

• Indian companies are catching up with their global counterparts
• Traditional sectors are falling behind
• Protection from cyber fraud and cyber crime was rated as top priority
• Disruptive IT innovations were rated to be the least important factor
• Strong preference was shown for internal self regulation
• 76 percent of the companies surveyed formally train their employees on matters relating to cyber security
• Cyber security breach is being accepted as the ‘new normal’
• All companies have had a ‘reported cyber security’ breach in the last 12 months
• All security breaches were resolved within a month or two
• 30 percent of the CSOs could attribute direct financial loss from these breaches, while 59 percent could not
• 68 percent of CSOs agree that security breaches go unnoticed while 36 percent have sought professional assistance for assessing cyber risks
• 80 percent of security breaches were reported to the relevant authorities
• 62 percent of CSOs who reported breaches to the relevant authorities were ‘happy’ or ‘somewhat happy’ with the actions taken while 52 percent of these CSOs said that they will go back to them again, if such incidents occur in the future
• 91 percent of the CSOs surveyed also agree that weaknesses in the physical security environment make attacks on information security easier and that physical and cyber security teams must integrate their plans and work in tandem
• A majority of respondents felt that government needs to do more to restore confidence about cyber security in India
• 41 percent of all CSOs surveyed were either ‘very confident’ or ‘extremely confident’ about the existing cyber security policy framework in the country
• 67 percent of CSOs trust the government to implement the proposed National Cyber Security Policy 2013
• While 40 percent could not estimate the timeline for the government to implement the National Cyber Security Policy, 54 percent of the CSOs surveyed believe that it will be implemented within the next 12 months
• Opinion is split on third- party risks—48 percent of respondents were confident about the information security practices of their vendors/partners, though 50 percent were ‘not very confident’ or only ‘somewhat confident’ 
• Collaboration with vendors and third parties on cyber security appears to be a common practice

The CSO Forum’s Annual State of Cyber Security Survey, 2013 was compiled by 9.9 Insights.