In a year that saw a new high in security breaches worldwide, anti-virus software and firewalls ruled the market. But the future belongs to increased network security, and a shift away from software-based firewalls—toward hardware.
Global security breaches touched an all-time high in fiscal 2002-03
Anti-virus and firewall solutions accounted for 88% of total revenues at Rs 145 cr
There was a shift from SW-based firewalls to more-secure HW-based ones
Information security professionals in India set to grow to 77,000 by Year 2008
Gone are the days when enterprises could secure their IT infrastructure by
merely installing desktop firewalls and anti-virus solutions. Ever-increasing
threats from viruses, worms, Trojans, mass-mailers, distributed denial of
service and hackers have led enterprises to wake up to the need for protection,
though awareness levels are still discouragingly low.
Also, new security threats are smarter and faster than their predecessors,
spreading across the globe in a matter of hours. For instance, SQLSlammer—a
worm that was propagated in January 2003—caused the loss of about 20% of data in
transit via the Internet in the US while at its peak, 10 times more than the
average loss of other viruses. Then there was CodeRed, a virus that debuted in
2002, which caused business losses of an estimated $2.6 billion on a global
scale.
According to CERT Coordination Center, a center of Internet security
expertise operated by Carnegie Mellon University, the number of reported
security breaches worldwide stood at an all-time high of about 83,000 in year
2002. This year seems no different—there’ve been 42,500 breaches in the
first quarter alone.
Adding fuel to fire
Compounding the security challenge is the proliferation of wireless devices,
the fastest-growing class of devices that need to be managed and secured,
increasing the security burden substantially. These smart devices run IP
services and offer access to corporate networks and the Web. They also have the
ability to connect to remote devices and networks. Since they are free of
network security safeguards, wireless devices as well as wireless-enabled
personal digital assistants are less secure than their wired counterparts.
In recent times, wireless networks have become the preferred targets for
hackers—as W-LAN devices come with all security features disabled. A frame
encryption protocol called ‘Wired Equivalent Privacy’ (WEP), which forms the
security base for 802.11b, can be cracked with tools that are easily available
on the Internet. And starting in 2004, the growing use of IP telephony—or
integrated data/voice/video services—will significantly add to the wireless
device population. Once wireless devices and networks begin carrying more and more
valuable corporate data, they’ll become an increasingly attractive target for
the worms and viruses of the world.
The popularity of low-end PC servers also poses a risk. Since these run
Windows and Linux OSs, they’re cheaper than UNIX servers. However, they pose a
bigger security threat—as was revealed by SQLSlammer.
Beyond anti-virus and firewalls
Indian enterprises have not faced vicious attacks so far. The reason for
that isn’t that they’ve been active in adopting security measures, but that
networks have been in the evolution stage. At present, most enterprises use only
anti-virus solutions and firewalls. However, once networks grow in capability,
critical information will be transmitted electronically over an expanding array
of networks, systems and platforms of an organization. This means there’ll be
a heightened need for far more secure networks soon.
Also, anti-virus software becomes outdated quickly and firewalls can be
penetrated using easily available peer-to-peer computing products—thanks to a
technique called HTTP tunneling (simple symmetric transfer protocol over
TCP/IP). This implies that enterprise security is an ongoing, stepwise procedure
that involves policy decisions and regular upkeep.
Need for a security policy
Unfortunately, Indian enterprises are still reactive, and not proactive, in
curtailing threats to IT infrastructure. Many companies do not bother to assess
losses after a security breach; employees are not aware of the dos and don’ts
when it comes to protecting desktops; and not many companies have made efforts
toward security management in terms of educating employees on these. However,
with increasing migration of operations on to the Internet and expanding
networks, enterprises are realizing that there’s a need to assess
vulnerabilities, identify threats and take measures to counter them. Only now
are more of them willing to opt for network and security audits. Plus, there’s also
greater realization of the need for authentication of designated personnel to
access critical data—a big lacuna at present.
The market in India
According to estimates by Voice&Data, the market for network security
products in India grew from around Rs 150 crore in 2001-02 to Rs 165 crore in
2002-03. Of this, anti-virus and firewall solutions grew the maximum, accounting
for 88% of sales at Rs 145 crore. The remaining share was accounted for by IDS,
authentication, encryption and public key infrastructure (PKI) solutions, all of
which only got a small share—owing to the failure of large-scale e-commerce
proliferation. Last year also saw a shift in deployment—from software-based
firewalls to the more secure hardware-based ones.
V&D also estimates that the network security services market stood at Rs
33.5 crore in 2002-03, with Datacraft at the forefront with Rs 14 crore in
revenues. In the area of managed security services, HCL Comnet and Bangalore
Labs were the leaders. These security providers offer turnkey management
services like vulnerability testing, security audits, intrusion detection,
forensic analysis, security policy development and revisions, firewall log
monitoring, and virtual private network services. Though outsourcing
specialized services to security companies is still low, analysts expect the
trend to turn in the current fiscal. According to the CII-PwC Information
Systems Security Survey 2002-03, Indian companies will focus on strengthening
network security, which will include improving operating systems and
applications security.
Upcoming areas
Banking and finance, government and service providers will be the key
customer categories for information security. Not only are these sectors early
adopters of security technologies, their purchases are also significantly higher
than the other sectors. Besides, with companies using business applications such
as ERP and CRM, and the burgeoning BPO segment in India, there will be capital
inflows to secure the delivery of business across verticals.
Potential barriers
First, security solutions in India include proprietary or non-standard
products and solutions. So, they have to be integrated to work with multiple
platforms. Second, the budgetary allocation for security is usually
insufficient. Though an allocation of 3% to 10% of the total IT spend for
security is considered reasonable, average budgeting is meager. There are only
a handful of organizations that are willing to spend, say, Rs 5 crore to
strengthen security systems—most big companies still want to spend less than
Rs 25 lakh. Third, there is a lack of trained manpower. On a positive note, Indian
enterprises are now consciously including security in their IT budgets. Also,
they now carry out risk analysis studies to ensure that funds are used to
mitigate greater security threats.
Need for manpower
According to a report by IDC on manpower needs, the most popular service
offerings will be consulting and integration services. The report—‘Information
Security Services: Manpower Demand Estimation’—says the total number of IS
professionals in the Indian security market in 2002 was 19,000, with this figure
set to grow at a compounded annual growth rate of 26% to reach 77,000 in 2008.
It adds that software security services, especially verticals like financial
services and security management services will witness higher demand than other
segments.
Another vertical that’ll generate demand for security professionals will be
the communications sector—media and telecommunications companies—mostly in
terms of protecting customer information. The expected growth in this sector is
21%. Technology areas that will need manpower include network security, PKI and
intrusion detection, and technical security defense.
As for skills most in demand, understanding security architectural models,
knowledge of OS security, application development, encryption and cryptology
will be much sought after. However, IS as a training area is still largely
unheard of. According to a JobsAhead-Nasscom report, the focus on IS in Indian
colleges is low. "Even the best institutes, like the IITs in Delhi and
Mumbai, do not offer IS courses, either at the basic or specialization
levels," says the report. The only institute that offers some kind of
training in security is IIT Chennai, which has an elective course in
cryptography and system security for MTech students.
Future trends
The security market is dynamic—what worked yesterday may not work today.
"While firewalls drove the growth of the network security market in the
past, VPN and intrusion detection systems will drive future growth, especially
in mature markets," says Nitin Acharekar, an industry analyst at Frost
& Sullivan.
On the services front, the CII-PwC report predicts a changing trend—that of
a sustained move towards outsourcing, enabling organizations to focus on core
competencies while outsourcing areas like IT management to professionals. The
driver for outsourcing—non-availability of in-house skills.