Edging beyond compliance

IT Security Audits in India are going beyond compliance and creating fresh opportunities for security vendors. By Mehak Chawla

Half a decade back, the only place where you could hear a conversation about auditing your IT security set-up was on the premises of a bank. Thanks to RBI mandates, banks proved to be the thin end of the wedge for security audits in India. As these mandates evolved, banks started doing security audits at several levels, fueling the demand for third party auditors as in-house audits became increasingly complex.

Even as security audits kept evolving in the BFSI sector, other organizations, especially enterprises outsourcing their IT requirements, stepped up their security reviews. Today, the security audits industry has carved out a niche for itself. What’s lacking is a bit of policy push and awareness.

Though it all started with RBI and SEBI, the hottest emerging vertical for security audits is manufacturing. Large manufacturers, with networks across the country and in some cases across the globe, are increasingly revving up to detect leakages and deploy tools in order to prevent security breaches.

Healthcare is the other vertical that’s gearing up to review its security, as is the services industry, mostly due to contractual commitments with clients. Thanks to the rapid pace of growth, the security audits market is heating up in India and seems poised for action.

Trends in auditing
Although security auditing has traditionally been compliance driven and remains so to a great extent, it is slowly inching beyond mandates. Ashish Thapar, Principal Consultant, Professional Services, Verizon, said, “Though trends in security auditing are changing, it remains more or less from a compliance perspective, especially with new mandates emerging from RBI and DoT.”

However, the Advanced Threat Perception (ATP) and the growing number of breaches are prompting even those companies that are not governed by laws to initiate some sort of IT security review. As a result, the number of companies doing preliminary security audits, mostly in-house, has been rising steadily. Thapar observed, “One has to put a business context to third party auditing and that is not always possible. So people are jacking up their internal auditing.”

For BFSI as well, security audits have evolved and are no longer about vanilla audits. Banks are auditing their entire ecosystem, starting with infrastructure and going as far as security devices and applications.

Aniket Kate, Manager – Information Security, Corporate IT, Mahindra & Mahindra Ltd, said, “Audit requirements depend on the depth of the organization. Audits also help us to identify our security requirements and tools that should be a part of our standard image deployment. We also do certain technical audits such as network audits and vulnerability testing. Some of our audits are not a part of our compliance requirements.”

Macro trends including BYOD, enterprise mobility and the move to the Cloud are other factors that are prompting organizations to take the plunge and start conducting audits.

Avinash Kadam, Advisor to Information Systems Audit and Control Association’s (ISACA) India Task Force, said, “We are past compliance being the root cause for security audits. CIOs do not want to be left to the mercy of attackers. They are becoming more diligent as a result. Today, every company is doing some sort of e-business and developing a lot of apps for the same. Though network and operations security is established, there are a lot of vulnerabilities in apps that interact with social media and, therefore, companies are opting for audits.”

With BYOD becoming rampant, a lot of enterprises are gearing up to detect leakages and authentication lapses in their security set-up and seeking expert advice for the same.

According to Jayachandran B, Director - Technical, eSecurity Audit (P) Ltd, “Companies are feeling the need to go beyond compliance and conduct audits. BYOD is a key driver for audits as companies are feeling the need to keep tabs on the information that is traveling outside the organization.”

Security consultancy, in many cases, is leading to audits. Audits are also working from a consultancy point of view for the deployment of security tools. Companies are looking to audits to mitigate internal threats that are more rampant than external ones.

Carving out a niche
Even as verticals other than first-mover BFSI and large customer-facing companies are driving the security auditing market, security audits too have undergone a metamorphosis. Security audits are no longer just vanilla reviews of your IT infrastructure. They are digging deep and probing every layer of the security ecosystem. For instance, banks are running audits for their core banking systems, their ATM networks and their applications.

As a result, there are many niche audits available on the vendors’ shelves today including infrastructure, network and even biometric audits. As BYOD permeates further into the enterprise, device audits are also waiting in line.

Thapar of Verizon commented, “There are different facets of security audits such as infrastructure and application audits. The BYOD surge is leading to device audits becoming popular; PCI-DSS audits for payment apps are also gaining traction.”

On the device audit front, organizations are now beginning to get their security hardware including UTMs audited for network security and even their firewalls are being subjected to reviews for lapses. Also, as big players go full steam ahead with BYOD, end point employee device audits could become commonplace.

Although an organization can delve as deep as it wants and even get its databases audited for security, it is the application audits that seem to be trending in the Indian market right now. The app security front is getting heated, especially with vulnerability and security testing.

A big reason for that happens to be the ongoing mobility and Cloud wave. As applications are being readied to be put onto the public Cloud, organizations want to be sure that they are tamperproof.

In addition, application security is a different ballgame when it comes to securing applications that interact with user devices and social media. As a result, auditors are finding a lot of mobile applications on their review plate.

According to Sivarama Krishnan, Executive Director, PwC India, auditing for Web and mobile applications is fast gathering momentum in India. Also, with most organizations now facilitating online payments, audits from the PCI-DSS perspective are also becoming popular. Aseem Jakhar, Founder, Nullcon-Information Security Conference, agreed, “The online industry, which is fast garnering numbers in India, is driving audits, especially on the PCI-DSS front.”

So far, it is mostly customer-facing organizations, which have both their reputation and security at stake, that are opting for application-level audits. Krishnan, however, was of the view that, as policies were further strengthened, both on the mobile and Internet front, application audits could become even more micro-verticalized. Mobile application audits or CRM-level audits are on the anvil.

KK Mookhey, Founder & Principal Consultant, Network Intelligence India, believed that application audits could provide a much needed impetus to the auditing vendors. “Application audits are catching up and, since it is an ongoing audit, rather than a periodic thing, it offers a substantial opportunity for vendors.”

Security keepers
When it comes to the vendor landscape in security audits, it is a fragmented terrain. There are, of course, the big four auditors (E&Y, PwC, Deloitte, KPMG), but there is a substantial vendor market beyond the big auditors as well.

A multitude of small and mid-sized security auditing vendors exist in the Indian market and, though some of the early entrants are still focusing on BFSI security audits, others are catering to targeted audits for other verticals as well.

As organizations are realizing that security audits need a lot of expertise that’s difficult to manage in-house, security reviews are being outsourced to third party vendors. Though the biggies hold a major chunk of the market, there is enough business to be had for the other vendors as well. Smaller players, especially certified ones, are doing well in a regional context where they are catering to smaller scale audits, mostly for the mid-sized companies.

According to Kadam of ISACA, mid-sized organizations often prefer smaller vendors for their security needs. “There is a realization that it is not necessary to go with a big name for security audits. Sometimes, smaller companies can provide you competitive auditing at competitive costs.” 

“Security audits are a skill-based function. Companies, especially the mid-sized ones, are feeling an attention deficit with large scale auditors. That is making them explore the smaller auditors,” added Kadam. The smaller vendors are gaining a footprint on the basis of their cost competitiveness. The other element that is working for them is the flexibility that they can offer to the enterprise. Mid-sized organizations often look for selective auditing and smaller, regional players can create such models with ease.

V Vijaykumar, Director, Qadit Systems, said that a large bank could end up spending as much as 2% of its overall IT budget on security audits. For smaller organizations, costs could range from Rs 3-5 lakhs for an initial infrastructure audit. Since returns are not yet clearly spelt out in this area, enterprises are taking up different approaches and, in many cases, even going with multiple vendors for different audits.

However, experts foresee some consolidation taking place in the market, with smaller players being acquired by bigger security vendors who are actively looking to expand into security consultancy and audits. “We do see consolidation happening though it is a nascent stage as of now. Global expertise can be brought in by bigger players while smaller players will get the footprint,” opined Thapar of Verizon.

Mookhey, on the other hand, was of the view that though the eventual consolidation might be inevitable, it might not come from security product vendors. “Security audits require a 360 degree view of security. Isolated product vendors may not have that capability and could look at building it through consolidation in the long run.”

Justifying RoI
ISO 27001 has been incorporated under the IT Act and experts felt that this was a step in the right direction, although no penalties have been attached to it as yet. Kadam said, “Though introducing ISO 27001 under the IT Act is a positive step, there are no penalties if you don’t have the standard in place.”

Others concurred that policies need to be revved up if security audits were to become a mass phenomenon in India. “We need stronger policies for driving audits because, in India, everything is driven by mandates. Independent bodies like SEBI, CERT-IN and RBI have been doing work in pockets but there is no coordinated effort. Much like tax audits, there has to be a regulatory push for security audits as well, which should ideally emanate from the Ministry of Corporate Affairs,” remarked Vijaykumar of Qadit.

Other than the policy hiccups, justifying RoI remained the biggest challenge in the security auditing market, for customers as well as auditors. Moreover, since quite a lot of companies are still doing audits only because it has been mandated, they don’t see any reason to loosen their pockets any more than they have to for the exercise.

Daya Prakash, Head-IT, LG Electronics, gave the CIO’s view saying, “Though there is a fairly evolved landscape for security audits now, the vendors should try to state the RoI clearly, as it becomes difficult to justify returns on security audits. Also, some vendors try to over-sensitize the issue instead of working in sync with organizational policies.”

There are other potholes on the road to security auditing nirvana. The availability of relevant talent and keeping up with the rapidly evolving threat landscape remain among the biggest worries for both vendors and organizations.

Vendors are also grappling with a slow decision making cycle. Vijaykumar said, “Last year, there was a huge rise in awareness levels because of the number of attacks reported. However, Indian companies have not been so forthcoming in terms of audits. They would rather spend on hardware or security devices such as UTM. Companies will only attain maturity for security audits once their security infrastructure is in place.”

Despite the roadblocks, there is sufficient enthusiasm around the IT security auditing segment. With manufacturing stepping into the audit scene, revenues are sure to get a shot in the arm. Also, this market is not going to remain untouched by the Cloud and mobility wave. These trends are expected to drive the demand for application level audits.
