Cybersecurity Strategies for India with Vinayak Godse
How can businesses equip themselves against the growing threat of cyber attacks in India?
With the significant rise in cyber attacks, particularly ransomware, cybersecurity has now more than ever become a very important facet of the digital economy. So what role has the Data Security Coucil of India (DSCI) have in collaborating with Government and guiding industry sectors, including manufacturing, healthcare, and energy? How has AI and machine learning impacted cybersecurity? What is the current state of the cyber-insurance market? And how can we foster and support more innovation in this fast-evolving field? CEO of the Data Security Council of India, Vinayak Godse and Govindraj Ethiraj explore these questions and more in this episode.
TRANSCRIPT
NOTE: This transcript has been done by a machine. Human eyes have gone through it but there might still be errors in some of the text, so please refer to the audio in case you need to clarify any part. If you want to get in touch, do drop us a message on [email protected].
---
Govindraj Ethiraj: Welcome to Nasscom Conversations. I'm your host, Govindraj Ethiraj, and today we're diving deep into India's cybersecurity landscape with Vinayak Godse, the CEO of the Data Security Council of India. As India rapidly digitizes, the nation faces both unique challenges and immense opportunities in cybersecurity. India's cybersecurity infrastructure is evolving, and with it, so are the growing threats organizations face. As India positions itself as a global leader in cybersecurity, what role does an entity like the Data Security Council of India, or DSCI, play? With India's digital economy growing so quickly, how does DSCI contribute to shaping the nation's cybersecurity strategy?
Vinayak Godse: Data Security Council of India, started in 2008 as a think tank and industry body for cyber security in the country, but started as independent company. NASSCOM thought this has a specific effort, requires specific attention, and set up as independent company. So, on one hand, we work with government right. So under all the policy matter, national cyber security initiatives, all the effort that government of India put some part of that, they definitely involved India. When we contribute to national cyber security strategy, we engage with this National Cyber Security machinery, as we can say, different institutions, different bodies, different functions of government of India engage in a national cyber security effort. So we work closely with them, and we also contribute to the some of the effort that they put together. On the other side, we work with industry. So DSCI, and Nasscom, has also membership ecosystem. So we engage largely through nasscom, we work with technology company, but directly we engage with the user industry of a country, all the sectors, manufacturing companies, oil energy, power sector, airplane protectors, health sector organization. So those who are users of technology, largely until now, we have been talking about them, so we engage with them, and we guide them on their strategy for security and privacy, and that also exposes us to understand how security works in those and we also engage with the startup ecosystem.
GE: It’s clear that DSCI has a dual role: collaborating with the government and guiding industries across sectors—from manufacturing to healthcare. This is crucial, especially given the significant rise in cyber threats. In 2020, a ransomware attack targeted the Maharashtra State Electricity Distribution Company leading to disruptions in their operations. In 2022 alone, over 1.39 million cybersecurity incidents were reported in India. With such a surge in cyber attacks, organizations have had to adapt and boardrooms are now focussed on this.
VG: Some of the breaches and some of the attacks which happen in the recent past has really elevated the discussion of security to the level where now most of the regulators ask board members to be very responsible and accountable for cyber security. So that's the one significant thing. But on the other side, I look at the digitization and technology adoption that we all have been doing, and the acceleration that we are seeing, So now suddenly, the affairs of managing and governing security is becoming very intense affairs in the organization, basically. And we always look at advanced made, value, velocity, complexity, diversity and heterogeneity in terms of managing and governing cyber security,
GE: With digitalization accelerating, managing cybersecurity has become increasingly complex. India’s digital economy is projected to reach $1 trillion by 2028, bringing both growth and risks. What challenges do organizations face in adapting their cybersecurity strategies to keep pace with this rapid digital transformation? Vinayak says the ecosystem is putting up its guard.
VG: We usually believe energy company, power sector, organization, manufacturing. So they are largely the they create value ecosystem, right? They may not be reprocessing transaction, but they create a economic value, right? So transaction processing industry, because inherently they had, they have regulator, right? RBI, sab, for that matter, or IRDA, so the regulatory ecosystem, the RBI has really taken cyber security and the agenda. That's why we see lot of maturity in those sectors. And other financial sector, like capital sector or insurance sector, is also catching up because of the regulatory ecosystem. But the critical sector, government of India put a lot of paper, and that's why we see the economic value creating organization, especially the energy power sector, are getting definitely much better. But nowadays we see manufacturing companies, we say other sectors of industry, because they have been digitizing quite aggressively. And recently we have seen manufacturing company targeted by ransomware. So we see lot of now awakening to cyber security in these sectors as well.
GE: As these sectors continued to digitize and faced targeted attacks like ransomware, there is a growing awareness of the importance of cybersecurity. The recent spike in ransomware attacks, where India ranked among the top 10 countries globally affected, underscored the need for robust defenses. . However, with increasing digitization and targeted attacks like ransomware, there seems to be a growing 'awakening' to cybersecurity. Vinayak says the tactics of cybercriminals have evolved, especially in the ransomware ecosystem, where attackers are more organized and strategic in targeting companies with strong market positions and financial resources.
VG: Ransomware ecosystem is now so advanced and so organised, and they target those companies which has probably better market valuation, good cash flow, so they also do those kind of analysis, and based on that, they will set a target, and that is leading to such kind of issues and problems.
GE: With the rise of sophisticated cyber attacks, companies are adopting various strategies to defend themselves, including investing in cyber insurance and specialized recovery services. This marks a significant shift in how organizations prepare for and respond to cyber incidents. The Indian cyber insurance market, currently worth around $200 million, is expected to grow at a compound annual growth rate (CAGR) of 27% in the next 3-5 years. A prominent example of this trend is Bajaj Allianz, which recently launched a specialized cyber insurance product to help businesses recover from cyber attacks. How is DSCI helping organizations prepare for such incidents?
VG: this boot camp that we organize is to throw situation and collectively try to find different ways and paths. And can you find systematic way of either recovery, basically, right? So, preparing like this, and creating kind of playbook for people to run and play so that they are prepared well for such kind of eventuality, is the basic idea of this training program. This is a enterprise level dilemma at aggregate level, if you look at there is certainly some of the area where we are seeing the discussion that keep, if all of the SEC companies in a sector is on such one platform, then if something happened, then every the sector will come till again. So there is a at aggregate level, cross organizational, cross sector, at a national level, there will be some resiliency discussions as well. So there is a resiliency we are revisiting discussion of resiliency in response at enterprise level, but it is also happening at aggregate, at a national level as well.
GE: These training programs are not just about immediate response; they're also about building resilience at both the enterprise and national levels. The National Cyber Security Policy of India, first introduced in 2013 and currently undergoing an update, emphasizes the need for a resilient and robust cyber infrastructure. Recent incidents, like the coordinated ransomware attacks on healthcare facilities and the banking sector in 2023, have highlighted the urgency for improved cybersecurity measures across all sectors. The Indian government's 2024 budget reflects this urgency, with significant increases in funding for cybersecurity and AI initiatives aimed at enhancing national cyber defenses. 2024 budget significantly increased funding for cybersecurity and AI projects, allocating Rs 1,550 crore for strengthening cybersecurity infrastructure and Rs 551 crore specifically for the IndiaAI Mission.
VG: Because of the AI capability, doing recon is easy. Knowing your footprint, how you are exposed, is easy. That's an anybody can do it second because of the AI basic they test, they check against is against each other, that how they how good they are to develop to code, right? Coding is developing payload in our language, right? So you can quickly set up some malware. You can code it and so. So developing payload is an important thing. Execution is also one of the important thing. So execute that parameters come down cyber crime perspective finding, so they would know now they can find these contexts, and they can mix it together, and they can find what is, what is opportunity I should target a particular user, basically, right? And that's why we we see criminals using AI quite extensively, right? And in this big problem is they are not constrained to use it. Whereas enterprise, if you come to we have so many ifs and buts to use AI, right? And we are still figuring out how to adopt AI better in the organization ecosystem, right? But if you are, the positive side is in security paradigm, we struggle to to to explain the security better. We struggle to summarize it better, to help board and executive management understand. We struggle to immediately deep down and decompose understanding. So now AI is making that possible. So it makes this security more accessible. You can ask question for that matter. You can give insert it. Can summarize it you better. It can help you understand your security exposure better, basically, right? It can do reason why a particular things. Because that reasoning is a big, big possibility of LLM ecosystem, right? And eventually that they say that, because security operations are very complex, job very complex and operationally heavy, right? And so many things, we say orchestration, and that's what we teach in our ransomware responder Koski, how do we think about. All this possibility to recover from things, right? So then all of these possible things you need to do, you have to do in a shortest possible time, and AI can really help you in that. And that's why automation, AI can significantly lay down its capabilities to automating lot of tasks that you need to do in cyber security, in fact, complex. One of the key thing that people talk about henceforth AI will be helping you to achieve the complex goal, and security management and governance is very complex goal. So we believe the upcoming AI that we are talking about would help us manage and govern security much better,
GE: India has seen a rise in cyberattacks that leverage AI technologies to bypass traditional cybersecurity measures. For example, AI has been used to automate phishing attacks, making them more personalized and harder to detect. Recent trends show that more than 50% of malicious files in India are delivered through web-based channels, where AI algorithms are used to optimize the delivery methods, making them more stealthy and efficient. As India continues to invest in AI and machine learning, these technologies are expected to play a central role in the future of cybersecurity.
VG: Lot of global companies are moving their security operations, services engineering to India because of the skill that we have and because of our people work on those technology companies, so many of them came and they started this technology company. So we almost 400 plus security technology companies and 1000s of services company as well. One certainly we have the dental team of the ACI. So they continuously watch what is happening. They also talk to all these members. They learn from them, and we try to CG, which is, what is what kind of vulnerabilities daily, almost 62 vulnerabilities, so many new threats comes in. So that's certainly one area of my attention. I need to give my attention to that second is what kind of capabilities are existing. Sectoral, understanding and development also is definitely one of the my key attention area every day, uh, policy, because sometimes some policy reactions could be knee jerk, could take us back then forward. Another part is the skill, because there are lot of support that we have for the global organization which are moving their operation here. So our one of the worries we need to create, keep producing those skill, not only for domestic requirement for global, one of the key ask is the budget available to the companies to invest in cyber security, right? And this is for all the private sector organizations so they empower security. From the government sector. We also believe that government needs to invest a lot in preparing better, responding better, and government department needs to be spending on cyber security. So because government in other geography, especially in us, we see that government is a big contributor to the development of the ecosystem, cyber security ecosystem. One of the critical ask that I would like to have see the many of the research turning into good enterprise product. If I see the deep tech security startup ecosystem investment, both early stage and national stages, still a challenge in India, deep tech is problem. In deep tech cybersecurity is more challenging, so creating that investment ecosystem is important thing.
GE: It’s clear that while India is making great strides in cybersecurity, there are still hurdles to overcome, particularly in fostering innovation and turning research into practical solutions. But with continued investment and a strong talent pool, India is well-positioned to become a global leader in cybersecurity.
How can businesses equip themselves against the growing threat of cyber attacks in India?
How can businesses equip themselves against the growing threat of cyber attacks in India?