Let's Build a Responsible Cyber Society




Industry gives a Thumbs Up to ITA 2008

The Data Security Council of India (DSCI) has released the results of a study on the State of Data Security and Privacy in the Indian Industry, conducted in association with KPMG and CERT-In. About 150 organizations from both IT and non-IT industries participated in the survey.

While a copy of the detailed report is available here, some of the notable observations are highlighted below.

It appears that, at least for the purpose of the survey, respondents confirm giving "Top" or "Critical" priority to Information Security and Data Privacy and providing an independent management structure for the implementation of security.

It is notable that over 95% of the respondents say that CXO-level oversight is provided for approval and implementation of security initiatives. More than 89% report having conducted IS audits.

Amongst the concerns expressed, "Employee Non Seriousness" is listed as the highest concern with 64% of respondents highlighting the same. 50% express that "Business Exigencies" override security requirements.

Amongst the "Drivers", the Client/Customer's concerns about Data Privacy are listed as the most important, with "Data Privacy being a differentiator" a close second.

In what could be an indicator of job prospects in the area, more than 37% of the large companies (turnover more than Rs 1000 crores) employ over 10 persons in the IS department. Even amongst smaller companies (turnover less than 50 crores), 43% employ 5 or more persons in the IS department.

An important aspect of the survey is an effort to understand how the Legal Compliance environment has been perceived by the respondents.

According to the survey, 86% of the respondents consider that ITA 2008 will establish a strong data protection regime. This is a big thumbs up for ITA 2008 and a very positive reaction. 77% also consider that it provides assurance to its international partners. These perceptions support the two major drivers recognized by the industry, namely Customer Requirements and Business Differentiation.

An interesting pointer of how the Industry perceives the role of CERT-In is the survey finding that only a third of the respondents plan to interact with CERT-In to report incidents that they may encounter.

In the light of the above findings, we may expect more action in the industry towards ITA 2008 compliance in the coming year. Some key action points would be:

1. Creating better employee seriousness through "Cyber Ethics" training.

2. Conducting specific ITA 2008 compliance audits and initiating a compliance plan.

It may be noted that Naavi is already at the forefront of a "Techno Legal Information Security Movement" to address these two implementation requirements. During 2010, more thrust would be added to address some of the concerns indicated in this report.


January 5, 2010

 Comments are Welcome at naavi@vsnl.com