7/6/2022

Will India be tomorrow’s cybersecurity leader?

Siddarth Jain
Investment Analyst, Accel

Even if you don’t understand cybersecurity, you need to read this. 

Twenty years ago, you didn’t need to worry about any cyber threat beyond the spam email asking for money or getting you to click on the wrong links. Today, it’s a different world. Your entire financial history is digital; OTPs and passwords run your life. You use more digital products in a day today than you probably did in a year two decades back. From Zoom calls to credit cards, every company needs to manage its security well so that consumers aren’t affected.

If you are afraid of data breaches & hackers, companies are 10x more scared of them

Companies are always on their toes when it comes to data leakages or security breaches. The amount that companies are spending on security is more than you think - this IBM report shows that companies on average are spending a record-high $4.24M on every breach. Adding to that, moving remote (even partially) has increased the risk and frequency of threats multifold, most prominently visible already across the global financial industry, where attacks shot up 13x in 2021.

To get into a little more detail, a breach has a catastrophic impact on businesses in three major ways:

  • Companies are required to comply with regulatory policies for data privacy & security laid out by the govt/authorities, or else risk losing clients and, in some cases, paying hefty penalties.
  • Companies have to resolve the breach as soon as possible - given the time sensitivity, the cost of resolving it increases and could sometimes include paying a hefty ransom to the attacker.
  • Even a small data breach can cause huge reputational damage to a business. As consumers lose trust, the company loses both current and future customers to competitors. 

The cybersecurity opportunity

While most consumers might not be well aware of the value creation in cybersecurity, cybersecurity companies are among the largest value creators in the public markets.

The coming decade is going to be a highlight for cybersecurity, with spending on cybersecurity estimated to be upwards of $450B by 2025.

Before delving into the challenges leading to the growth of the security market and the opportunities, here’s a brief look at why we believe India has deep potential in cybersecurity.

What’s driving the growth of cybersecurity? A diminishing technology half-life.

The standard for building tech products a few years back is probably obsolete or old-school if you’re building something new today.

The explosion of technology adoption has led to more efficient and faster systems. Newer programming languages are being adopted, and the way backend architectures are designed is changing. Even the monitoring process (DevOps / Observability) is completely changing.

Each of these changes requires security products to evolve or, sometimes, new ones to be built.

Increasing attack perimeter:

While remote working is our new reality, the flexibility means that software might be built on unsecured/private networks or using personal devices.

Additionally, systems are not “closed” anymore. Every application integrates with numerous third-party applications (e.g., logging in via Gmail), which can expose it to attacks because another company’s security posture might be poor.

To tackle the increasing attack perimeter, the solution is twofold: (a) smarter security systems that solve for this open network without becoming painful for users or creating a bad user experience, and (b) better employee awareness of security.

Evolving attack techniques:

One of the most primitive internet attack techniques was using brute force to identify passwords or credentials to access your confidential information. Today, for instance, attack techniques have evolved enough for someone to hack into your account without really needing your credentials (here’s an interesting read for the geeks).

It has become an unending race between hackers and security teams, and it takes a lot of armor (read: security tools) to let the blue team win this one!

Expanding talent gap:

Architecture has moved from monoliths to microservices; what used to run on “VMs” a few years back now runs in Docker/Kubernetes containers. The most popular programming language keeps changing; web3 is moving out of its nascent stage and up the growth curve. This has created massive pressure on security departments to upskill existing team members or hire new ones, both of which are equally hard. This creates an opportunity for products to come in and fill the widening gap.

Changing user expectations:

Users and businesses today are asking more questions about what apps and platforms do with their data. Unlike the once-common “allow all” permission notification, apps today ask for access permission at every step, be it location, call data, messages, etc. Whether a company is B2C or B2B doesn’t matter. With every passing day, existing as well as prospective customers hesitate to associate with a company that has a weak security system.

Tackling the challenges to a cyber-resilient future

Each of the aforementioned problems can be solved using different approaches - it is a many-to-many mapping. After talking to several experts within the industry, here are some of the opportunities that we think are going to define the future:

Enabling the shift-left trend in security: DevSecOps

Security is no longer just the job of CISOs or security engineers. With more frequent deployments and releases, backend engineers and DevOps teams are expected to keep security in mind while writing code or setting up infrastructure. This reduces the turnaround time for QC and security clearances, enabling teams to build faster. Hence, products that enable the implementation of security codes and policies in the early stages of development are critical.

Security is everyone’s responsibility

About 90% of breaches are associated with employee negligence or error. As hackers innovate and find new ways to attack, there is an increasing need to enable organisations to educate employees and protect them from falling victim to such security breaches.

Continuous Monitoring 

Monthly audits and security tests do not enable companies to prepare for security breaches and vulnerabilities. Continuous security testing and monitoring requires automation that most organisations currently lack. Building automation tools could significantly improve the reliability of the product.

Signal vs Noise: The fatigue problem

Speed and efficiency are key while working in security operations. With the alarming rate of breaches popping up on security radars, engineers are almost always burdened with threat alerts. While some of them are false positives, the chaos is such that there are times when critical alerts get overlooked.  

Building SOAR tools (Security Orchestration, Automation and Response) to standardize the procedure of threat detection, investigation, and remediation, with or without human involvement, is of utmost priority at the moment. This can ensure that all of a company’s systems work in harmony, improving efficiency.

Why is India set to be the next hub of Cybersecurity businesses?

We believe that India’s cybersecurity ecosystem is now at a crucial juncture and has immense potential to expand in the coming decade. Let’s look at the top 3 reasons fuelling this upsurge:

1. Expansion of remote economy

The key challenge in developing security products or services is the ability to build trust with prospective clients. It wasn’t long ago that security consultants had to spend hours at a client’s office to help protect their systems. However, the 2019 pandemic has propelled a sudden shift from on-site to remote working environments which is increasingly expanding the remote economy. Similarly, this change to cloud-based environments is also accelerating the expansion of the SaaS ecosystem in the country.

Consequently, more companies worldwide are now ready to modernize their infrastructure and make security decisions remotely.

2. Upcoming security talent

The world is facing a dearth of security talent, and the number of cybersecurity job vacancies in India is also huge. 

On the other hand, India ranked second among the top 5 bounty-earning countries in the last year, accounting for 10% of the total earnings. About 12% of hackers in the HackerOne Security community (600K+ hackers) belong to India. This is a clear indication that cybersecurity enthusiasts in India are rapidly growing in number.

LinkedIn estimates suggest that there are about 50,000 security services professionals within just 10 large Indian organizations and a total of 120,000+ people working in cybersecurity within India.

This pool of skilled talent will become a primary contributor to the cybersecurity startup ecosystem in India!

3. A promising cybersecurity community in India

Over the last few years, India’s overall startup ecosystem has expanded multifold. With this, as the tech community in India is deepening, we are also seeing a rise in the number of product startups within India’s cybersecurity ecosystem.

We are also seeing multiple cross-border startups with teammates working remotely or distributed across India and other global markets. Null.Community is one of the most popular of these communities, as is a joint collaboration between the Data Security Council of India and the Ministry of Electronics and Information Technology.

Final Thoughts

With ever-escalating global cybersecurity demand, we as a nation are at a turning point for the industry. Drawing from the statistics and the industry-wide gaps, there is limitless opportunity for entrepreneurs in India to double down on. We’ve only mentioned a few of these opportunities, just to give you a taste of what’s in store for the future of cybersecurity startups in India.

If you are building something in cybersecurity, send us your pitch at [email protected]!