Cybersecurity Maturity of Indian Startups Paints Grim Picture

FireCompass, a cybersecurity product company that specializes in security maturity assessment, has released the industry’s first vertical wise maturity report for India. Based on extensive research of over 200 organizations from across India, FireCompass unveils has compiled this report on cybersecurity maturity

Cybersecurity is now a persistent business risk, across organizations of all sizes, large or small. To secure businesses, an organization needs to have in place a variety of security technologies along with skilled personnel and mature processes. In this report, FireCompass has researched the current cybersecurity maturity of Indian enterprises based on the kind of technical security controls they have in place against modern day attacks.

Bikash Barai, cofounder of FireCompass and a serial IT security technology entrepreneur said, “Management teams are increasingly asking about the cybersecurity strategy and the relative benchmark against industry peers, but so far we were not able to measure cybersecurity performance based on objective, quantitative data. Organizations traditionally have been using informal approaches to communicate their security strategy to the management or board of directors, making it difficult to benchmark security across industry.”

He added, “FireCompass has standardized the approach and uses quantitative data to measure a security posture across organizations. Based on this, we’re pleased to launch the first report on cybersecurity performance of industry for India”. Barai had previously founded iViZ Security, an IT security product company funded by IDG Ventures, which was later acquired by Cigital/Synopsys.

FireCompass has assessed over 50 data point in over 200 organizations, both from internal and external perspectives, to provide a holistic view of security performance. NIST Cybersecurity Framework (promoted by the USA government) was leveraged to classify the technology controls capabilities across 5 dimensions: Identify, Protect, Detect, Respond, Recover. The score is based on data from actual security controls implemented as well as open source security intelligence.

Key insights from the report

Large Indian banks and telcos are the most mature in terms of cybersecurity with small banks and startups lagging far behind. Average industry scores are as follows: Large Banks (61%); Telco (61%); Financial Services (58%); IT/ITeS (52%); Manufacturing (51%); Insurance (45%); Small Banks (43%); Online Startups/FinTech (8%)

Security investments have primarily been done around prevention technologies like Firewalls and antivirus whereas investments in detection and response capabilities were largely neglected.

Indian organizations are primarily compliance driven and reactive, with average security scores hovering around 50/ 100. India ranks 23 out of 164 countries in ITU’s Global Cybersecurity Index (2017). Response capabilities are grossly neglected across sectors with very poor scores, ranging between 3% to 40% and an average of 30%. Preliminary research on online startups show that the security maturity is abysmally low at around 8%. One of the major reasons for this is that fintech and online startups are primarily focusing on application security, which covers only 5 out of the 25 capability areas, and have not focused on rest of the 20 capability areas.

FireCompass claims to be the world’s first AI-Assistant for cybersecurity strategy and buying. It helps organizations measure their cybersecurity maturity for reporting to management as well as creating their security strategy and roadmap. More than 1,200 enterprises across the globe uses FireCompass, which includes the 8 out top 10 Indian banks and 4 out of top 5 Indian Telcos.