Talking about cybersecurity, Maninder Singh, Corporate Vice President - CyberSecurity Services, said it is 50 percent hygiene, 30 percent awareness and self-discipline, and 20 percent technology.
HCL Technologies, the country’s fourth largest IT services provider, has been focusing on its cybersecurity business line for over two decades now. In an exclusive chat with Moneycontrol, Maninder Singh, Corporate Vice President - CyberSecurity Services at HCL Technologies, talks about the growth and vision for the business, and why he thinks consolidation in the cybersecurity industry is inevitable. Edited excerpts:
Q: Could you give us a little context on what HCL is doing in the cybersecurity space?
A: From a broad context the business is fairly old. 1996 is when the Internet came to India, and we realised early on that it would require securitisation.
Our early foray was in India, so the roots of the practice are very much in India, and we pretty much continue to be dominant in that market - telecom, ISP, banks and then 2001-02, we took the business global. Today, we operate in all the five continents, with a large presence in North America and Europe, and in Asia Pacific. Our security operations centres, which are a hub for delivering services, are in India - Noida, Chennai and Bangalore, one in Gothenburg in Sweden and one in Dallas in the US, and we're planning to build one in Melbourne.
Q: What are the kind of issues you are hearing of from clients in terms of application security?
A: Because of digitisation and cloud, mobile and web applications are the most high priority because web applications are the gateway to the customer, and as mobile becomes the first screen of most people, it is a natural threat.
Security is 50 percent hygiene, 30 percent awareness and self-discipline, and 20 percent technology.
If you see the overall hacks that happen, it is not that they have happened because people don’t have the right security tools, they have happened because they have not applied network patches or software patches. So if you don't do the 50 percent hygiene, nothing is going to work.
Q: Would ID and access management also be connected to this? How do you see this in terms of employees and others following IT hygiene?
A: Phishing is the most common form of ID thefts. In government and private sectors, mostly senior executives are the most vulnerable. They tell the IT guys to not put certain controls on their desktop etc. In the Indian context… the challenge is on user awareness. The password security sensitivity is very low in India. Outside (India), people are ahead in the maturity curve of password sensitivity and confidential information. In India, with Digital India etc. coming in, that maturity will take some time to come in.
Q: What merit do you see in the argument that consumer facing companies are at a greater risk compared to an enterprise focused business?
A: Worldwide, banking has been the biggest hit purely because of money motive. Second is pharmaceutical because there is IP theft - drug, molecule formula, user data, clinical trial data - all that is big. The third is retail, which may be bigger than pharma. Maximum amount of data that is stolen is credit card information in retail.
If you look at the retail sector in India, our purchases are still cash based. But I think wherever there is money information residing, it is big interest (for cyber criminals).
Q: How do you see the rise of cryptocurrency in the context of cybersecurity?
A: Honestly, we have not studied that in detail, but we do think that blockchain as a technology will impact cybersecurity dramatically, in a positive way. But for cryptocurrencies we have not seen a very highly prevalent use case.
Q: What about bitcoins in ransomware?
A: If you are purely looking at cybercrime, all cyber attackers actually ask for money in bitcoins, but I am talking in the business context - how do we protect our customers, defend our customers, help them improve their cybersecurity posture... from static to dynamic - that has no impact. We are not dealing with bitcoins, we're only looking at people being protected from the ransomware acts.
Underlying technology wise, the tech adoption of bitcoin will be interesting to watch.
Q: Where do you see the dominant trends in cybersecurity this year?
A: Ransomware and trojans will continue to be a principal weapon of attack, because with digital and cloud, the attack surface of a customer has dramatically increased.
The reason it has increased is more and more interconnected devices… and so many connected systems. Another reason is IoT (Internet of Things). With enterprise IT and internet banking, we're still at the tip of the iceberg. If you look at IoT and then you start talking of your home appliances and systems being controlled on the Internet, manufacturing systems, utility distribution systems - electricity meter, grid control instruments, you're talking of billions and billions of devices coming on the Internet.
So far we were limited to B2B and B2C applications. Now add the daily use stuff that we have - it is a 100X multiplier of the attack surface.
Most of the investment on security (this year) will happen on that area.
Q: How do you see the cybersecurity industry as a whole this year?
A: I think the industry will see a consolidation. Right now, in an industry which is USD 120 or 130 billion, going to about USD 200 billion in two to four years... according to analysts, we see there are far too many providers of tools and solutions. If you look at the products market in cybersecurity, there are a total of 2,000-3,000 companies. It can't survive. It’s too large a number. It will go through a dramatic consolidation. Also, service providers will play a more strategic role for customers like us where they will provide customers a more holistic view of managing their security and providing the end to end of security.