Government Takes Steps to Leverage Home-Grown Security ProductsMove Is Seen As a Signal to Private Sector to Follow Suit
Earlier this year, the government of India announced that it wants to leverage indigenously developed security solutions to protect telecom networks. Now, that effort is broadening.
India's Union Ministry of Electronics and Information Technology, or MeitY, has announced it will give preferential treatment to security solutions developed locally for use throughout the government at the center and state levels.
The Make in India effort is seen as a way to increase reliance on home-grown products, which will give local manufacturers a boost in business. Plus, government officials argue that relying more on local products will eliminate the risk involved in using products from other nations, which, in some cases, might surreptitiously monitor activities.
MeitY will monitor the ongoing effort to implement locally developed security products, says Arvind Kumar, MeitY's senior director.
While some security practitioners welcome the move in the government sector, many say carrying out a similar initiative in the private sector could prove difficult because most large enterprises use products made by multinational companies that have long, successful track records.
"What's the incentive for me to go with a local company?" asks a CISO of major IT company, who asked not to be named. "Our projects are big, and survival of these [local security] companies, who often are new in the business, is an issue. I had an experience before when a startup faded out within a couple of years of starting a project with us. Having said that, there are a few promising local companies, and we have engaged with them before for GRC."
A Boost for Business?
MeitY's move is seen as a way to help India build the size of its cybersecurity industry. NASSCOM in 2016 estimated that total revenue in the sector could grow to $35 billion (U.S.) by 2025 and that this could lead to employment opportunities for about 1 million professionals.
But the leaders of some local IT security companies argue that it's difficult to launch and sustain a business.
For instance, Ashish Tandon, founder and CEO at Indusface, an application security provider, argues that organizations are unable to leverage income tax breaks.
"Most companies don't make a profit for the first few years, hence income tax sops have little impact," he says. "The government's current tax concession measures, such as TDS [tax deducted at source], are not helping us in improved cash flow or justifying the investments made."
Sahir Hidayatullah, CEO at Smokescreen, notes: "I spend millions in R&D of security products. I should be eligible for some tax breaks. But I don't get any."
The government hasn't done enough to help local cybersecurity firms, argues C.N. Shashidhar, founder and CEO at SecurIT Consultancy. "They have always considered the foreign players better and have deployed their products in their departments," he says of government agencies. "... But unless we give local firms the opportunity, without impractical regulatory hurdles, the intended measures will continue to remain just on paper. Government should lead by example by buying local products."
Another factor that is proving challenging for local companies is that to qualify to sell products to the government, a company must have annual revenue of nearly $2 million.
The CEO of a Noida-based cybersecurity firm describes other difficulties local companies in the sector face: "I have faced multiple instances when despite delivering the services, my payments have been delayed - both by private firms and government departments," he says. "Approaching concerned ministry with my complaint isn't easy."
Leap of Faith?
Meanwhile, some CISOs in the private sector remain reluctant to do business with local, relatively inexperienced, security startups.
"As a CISO, I have certain responsibility towards the organization I work for. Yes, I would tend to trust companies who've been in this space for a few years more, albeit I would definitely be willing to consider newly launched companies in the cyber space, but maybe not for very sensitive products such as a firewall - unless I have a primary firewall from another known vendor, as an example," says Berjes Shroff, CEO at Berj InfoSec, an information security consulting firm.
A big challenge for many CISOs is to become familiar with new security product offerings from local companies.
"With CISOs shifting towards a business role and cybersecurity a boardroom discussion, there is limited time to offer for evaluating any new unknown product," says Sapan Talwar, CEO at Aristi Ninja and former IT security leader at Adobe. Plus, for some categories of security products, such as sandboxing, no local offering exists, say practitioners.
Some security practitioners argue that the government should create stronger financial incentives for using locally developed security products.
"Right now, there isn't any benefit I get for undertaking the services of a local firm," says a security practitioner at one Indian company, who asked not to be named. "If government announces that they will provide some kind of a tax sop or share the risk with me in case the company isn't able to meet my requirements, things will get lot easier for me as a CISO."
Hidayatullah says that some CISOs at larger organizations actively seek out local solution providers who better understand regional specific use-cases and compliances. A case in point is the recent RBI cybersecurity guidelines - you would be hard pressed to find foreign companies who understand and help banks comply with these central bank regulations, whereas Indian firms will."
For now, Indian security companies are primarily focusing on deception technology, big-data analytics, machine learning, threat intelligence and orchestration platforms, he adds.
"One would like to see Indian companies focus on networking products, threat intelligence, machine learning, AI, digital forensics and offensive cybersecurity products and services," Shashidar says. "For a long time, Indian companies have purely focused on creating products from a defensive standpoint. We need to shift focus to creating offensive cybersecurity products and services."
Shroff adds: "I would like to see new companies concentrate more on products such as DLP, for example, but there must be value-add in these products. If priced correctly, these products, which companies are hesitant to invest in, may stand a better chance of making it big. But the value-add above existing popular products must exist."