Gartner: Security Spending to Grow 8.3%
Is Technology Spending Increasing at a Pace to Keep up with Advanced Threats?
Gartner says that India's information security spending will grow by 8.3 percent this year, and investments will continue to grow in 2016. The consultancy says this growth is because large enterprises are now focused on risk-based approaches to security spending.
Many security leaders support Gartner's view and say that the investments are being made in technologies or services that enable enterprises to map business risks to cyber threats.
Mumbai-based Manikanth R Singh, CIO, Orbis Financials, says that security spending is growing rapidly, but not across all sectors.
"Since budgeting of security is directly proportional to compliance and business needs, I see spending happening around cloud security, mobile, application security and protection of assets across BFSI," he says.
Mumbai-based N D Kundu, head of security at Bank of Baroda, expects an increase of around 18 to 20 percent in the security spending among enterprises, and believes that there are renewed investments being planned.
"From a banking perspective, I would see major spending addressing phishing, APT and mobile security at this point in time," Kundu says.
These discussions come in the wake of Gartner sharing its views on India's security market growth and its spending strategy at the recent Risk Management Summit in Mumbai.
Top Growth Areas
Gartner says security spending (hardware, software and services) in India is set to reach $1.11 billion in 2015, up 8.3 percent from $1.02 billion in 2014.
"Security spending will continue to grow in 2016 when revenue is projected to reach $1.23 billion," says Sid Deshpande, principal research analyst at Gartner. "Security services (that includes consulting, implementation, support and managed security services) revenue accounted for 57 percent of this total revenue in 2014, and this proportion will increase to 60 percent by 2019."
The strong growth in the security services market will be primarily because customers need external services to transform their security posture in the digital business era, Deshpande says. "Security services are typically categorized as implementation, consulting or security outsourcing services, and many providers are beginning to offer all three categories to address customer requirements."
According to Deshpande, larger and more mature organizations in India are focusing on risk-based approaches to security spending, while smaller organizations continue to ramp up their efforts to incrementally improve their security posture.
As per Gartner's observation, the key security initiatives for a majority of organizations in 2015 include: security monitoring; identity governance and administration; mobile and cloud security governance; advanced threat defense; application security; security policy; and program development. Governance, risk and compliance, or GRC, can also be added to this list.
Gurgaon-based Sriram Natarajan, chief risk officer, retail banking and cards, at Quattro, a knowledge processing firm, agrees that Indian enterprise security spending is in line with the growth in e-commerce and mobile banking.
"Any security budget should be able to address all known, potential and unknown black swan risks, and most organizations are investing around payment card security, non-banking financial services, e-tailers and mobile app based services," Natarajan says.
Future Risk Investment Plan
Experts agree that a slow transition is underway among enterprise security buyers in India. The realisation is dawning that while preventive approaches to information security are important, they are not sufficient in themselves. Enterprises also need to focus on continuous monitoring and response as a central component of their security strategy.
One expert believes that Gartner has taken a conservative estimate on the spending. If the Digital India initiative is rolled out, there will be a need for more investments in information security, especially from the Indian government.
However, L S Subramanian, security advisor to large enterprises and founder of NISE, a security consulting firm, argues that while security awareness is growing, the urgency to invest is missing.
"What needs to change is the mindset: Most information security spending is driven by compliance pressures rather than a corporate security strategy," he says. "The budgeting should be based on business risks and vulnerabilities that are specific to the organization, along with an investment in compliance."
Gartner's Deshpande maintains that risk will take center stage with regard to future investments by enterprises.
"Risk and security leaders' ability to steer their organizations through the intersection of digital business and increasing IT risk and cybersecurity threats will create resilience, differentiate their organizations, define their legacies and shape the ways that future enterprises apply technology," he says.
Deshpande agrees that, in the context of the Digital India initiative, the importance of risk management is growing.
Kundu says, "The trend I see is that business leaders are making security investment plans and expecting CISOs to provide solutions and services that can enable all the systems to talk to each other (those working in silos) about developing a risk-based model to combat future threats."
According to Natarajan, any future investments should revolve around all nodes of a transaction that have a customer touchpoint. "Since customer information is the prime focus, one needs to be prepared with responses for disastrous situations and breaches," he says.
Subramanian believes that some areas that need to be focused on are licensed security solutions and tools, forensic analytics, biometrics, image analysis solutions, SIEM solutions and end-point security.
"Since risk is a priority area, security infrastructure, cloud, mobile or networks will be subsets of the risk strategy," he says.
Deshpande notes: "Since a majority of organizations are aiming to focus on enterprise agility, attention to risk management solutions and services is considered important to enable them to combat threats."