Building India's Cyber Security Framework

 

 

India is taking big and bold steps towards digital enablement with programmes like Digital India, Smart Cities and eGovernance, thereby augmenting the Government-toBusiness and Government-toPeople connect. With similar gusto, business enterprises are adopting new technologies like Internet of things (IoT), Cloud and Artificial Intelligence to recreate their customer’s experience and streamline their value chains. This technological march is practically integrating the physical world and cyber world and in effect opening up a new digital frontier.

 

Securing this space is critical for our national growth and we need to be constantly mindful of the myriad threats and challenges posed by complex disparate systems and sophisticated threat agents. This threat regime needs a whole new level of protection based on the caveats of robust security, intelligence-based monitoring and integrated resilience. Additionally, the response needs to be contextualized based on the users, industry and threat profiles. For global organizations, it is even more pronounced as they need to manage cybersecurity across regions or sectors with different standards, leading to conflict and inconsistencies. The response frameworks are outdated, incomplete and remain too focussed on IT as they have traditionally relied on “bolt-on” upgrades and a multitude of heterogeneous security software products. The lack of standard cybersecurity framework also leads to governance issues. A problem even more compounded in the case of an M&A (mergers and acquisitions) scenario.

 

Clearly, there is a definite need for a new cybersecurity framework in India to service the digital economy and secure business and national assets from attackers who are becoming increasingly well-funded, persistent and sophisticated.

 

This new cybersecurity framework should be based on the following principles.

 

• Modular and scalable to address a diverse set of businesses and government initiatives

 

• Focus on end-to-end security across the value chain, covering suppliers, third parties and customers, where applicable

 

• Ease of integration with the business operational model

 

• Advocates architectural safeguards, including the need for layered security

 

• Defined roles and responsibility for the security organization

 

• Reinforces the importance of security awareness and training initiatives

 

• Emphasizes the need to build security awareness amongst the developer population

 

• Ability to cover across the secure software development life cycle

 

• Calls for greater focus on nonfunctional requirements of a system

 

• Advocates implementation of security controls closer to the information asset being protected

 

• Calls for a mindset that treats internal users as part of the potential hostile population