Budget, budget everywhere, but no cyber funds in sight!, IT Security News, ET CISO
By Krishna Mukherjee
Hollywood flicks such as The Revenant, Gravity, Mad Max: Fury Road, and The Martian have one thing in common: the protagonist is fighting a battle for survival with no resources in hand. This scenario mirrors the situation faced by today’s cybersecurity heroes. CISOs are tasked with keeping cyberattacks at bay but are given limited budgets and often lack the necessary skill sets.
The rise in cyberattacks and the constant pressure to keep systems operational are taking a toll on CISOs. “Corporate cybersecurity spending in India is much lower. Indian organizations spend an average of just $2.8 million annually on cybersecurity, which typically amounts to less than 10% of their IT budgets. This (Cybersecurity budget) is inadequate given the escalating cyber threat landscape,” says Senior IPS officer Brijesh Singh, Principal Secretary to Maharashtra Chief Minister.
According to the ETCISO Annual Survey, CISO Trend 2023-24, the average security budget allocation for Indian industries stands at 7.6% of the total IT budget. Despite being the most targeted sector, the BFSI industry allocates only around 9% of IT budgets to cybersecurity. The government allocates 9%, followed by manufacturing at 8.8%, ITES at 6.9%, and healthcare at 4%.
“The problem is that every organization wants superhero-level response and protection from CISO teams but is unwilling to spend even peanuts on cyber initiatives, R&D, team training, etc. Budget allocations should specifically address cyber losses and include a dedicated cyber budget to protect the new oil—data,” said one of the CISOs, who wished to remain anonymous.
In fact, our country’s defence budget stands at around 13% of overall spending, he added.
India faces sophisticated APT groups like Sidewinder and Transparent Tribe, which target critical infrastructure and government entities. These threats require advanced threat intelligence and response capabilities that are often underfunded. As per industry reports, India saw a significant surge in cyber attacks, with a 46% year-over-year increase. Indian organizations encountered an average of 3,201 attacks per week, the second-highest in the Asia-Pacific region, trailing only Taiwan.
“As the recent Microsoft outage demonstrated, a well-coordinated cyberattack can bring the country to its knees. It is critical that we build in cybersecurity budgets during IT procurement, and the same needs to be done at a national level,” opined Dr. Jaijit Bhattacharya, President, Centre for Domestic Economy Policy Research.
Rajesh Pant, former National Cyber Security Coordinator of India, said the government needs to show cybersecurity expenditure separately in the budget. The list should also include losses that occurred due to cyber attacks.
The current cybersecurity investment landscape in India is grossly inadequate given the sophisticated threat environment. Organizations must recognize that cybersecurity is not just an IT expense but a critical business investment. Failure to allocate sufficient resources to cybersecurity initiatives will inevitably lead to significant financial and reputational damages in the long run.
Although RBI’s mandate for banks to allocate 3% of their IT budgets to cybersecurity is a step in the right direction, it is still insufficient. “According to the WEF, cybersecurity is one of the top 10 global risks. Regulators should mandate organizations to spend a certain percentage of their budgets on cybersecurity, but this allocation gets diluted when it becomes part of the IT budget,” said Dr. Durga Prasad Dube, EVP & CISO, Reliance Industries.
Raman Pillai, Director of IT at Verse Innovation, indicated that the stumbling block is convincing the boards to allocate the right cybersecurity budget.
“Ideally, there should be a dedicated section on cybersecurity, but I believe this will happen in the next one to two years. There are still large industries that are not subject to any regulations and therefore do not prioritize data breaches. While the DPDPA might introduce some changes, the practicality of resolving cases and raising awareness among people remains uncertain,” said Kishen Kendre, Head-IT, Blue Star.
Cybersecurity is no longer a peripheral issue that organizations and governments can afford to neglect. The rapid increase in cyber attacks serves as a clarion call for everyone to take cybersecurity seriously. The DPDPA is a step in the right direction, but corporations need to adopt a focused approach to cybersecurity and allocate sufficient budgets to stay ahead of perpetrators.