MeitY mulls India-specific benchmarks for homegrown cybersecurity companies

Earlier this month, India’s ministry of electronics and information technology (MeitY), in a bid to create a more enabling environment for homegrown cybersecurity software companies, issued a notification that gave preference to locally made cybersecurity products for public procurement. 

According to the December 6 notification, a local supplier was defined as a company incorporated and registered in India or a startup defined as one by the DPIIT (Department for Promotion of Industry and Internal Trade), an arm of the union ministry of commerce and industry. The products covered under the notification included anti-virus software, end-point security solutions, cloud and IoT (internet of things) security solutions, among several others.

However, the notification alone doesn’t solve the problems that such companies face. 

For one, it does not lay down guidelines on how public procurement in favour of made-in-India products will be executed or enforced. Second, it does not specify on what basis one product would be deemed better than the other.

In order to address the second issue, the Ministry of Electronics and Information Technology (MeitY) is now working on formulating India-specific guidelines to benchmark or certify cybersecurity products developed by homegrown software companies.

At present, most cyber security product companies rely on third-party benchmarking companies for the US and UK markets such as NSS Labs and AV-Comparatives. In India, Standardisation Testing and Quality Certification (STQC), which is a part of the Department of Information Technology, has the capability to test hardware and software products in the SME segment.

MeitY, in its December 6 notification, had done away with mandatory qualifying criteria and certifications and eligibility specifications issued by foreign testing agencies or analysts for Indian cybersecurity products with respect to procurement by public departments. While, this removed a major entry barrier for companies in the space, it also brought the need for India-specific certifications into focus.

“There is a push towards getting India specific guidelines and benchmarks so that Indian companies can get rated and we have also made submissions. There are US and European benchmarks which are out of reach of Indian companies. Secondly, these benchmarks are for fraud detection but there are a lot of other things which products have to offer,” said Pankit Desai, CEO of Mumbai based cybersecurity company Sequretek. 

The company had also submitted its comments to MeitY for the draft on preferential procurement of Indian cybersecurity software.

He further added that indigenous cybersecurity software had to be rated according to efficacy and could not be given preference just because they were made in India. “Featuring in reports by analysts was out of reach for Indian companies in the space. Hence the need for indigenous guidelines,” added Desai.

The proposed India specific benchmarks will include industry and analyst reports specific to the market as well as create infrastructure for testing the efficacy of those products. 

The benchmarks could also help resolve some of the issue with respect to the enforcement of the December 6 notification, i.e. preferential procurement of made-in-India products by public departments.

“Even after seven years of operation, the amount of business done by us with the government is less than 5% due to the hurdles around qualification criteria. Our company has grown 300% over last year and yet we wouldn’t make it due to the criteria of at least 10 years of incorporation,” said Saket Modi, CEO of cybersecurity firm, Lucideus  

According to a recent report by PwC India and Data Security Council of India (DSCI), the Indian cybersecurity market is set to grow to $3.05 billion by 2022 from $1.97 billion in 2019 with an annual growth rate of 15.6%. The report stated that the growth will be driven by key sectors including the banking and financial services industry, information technology (IT), IT-enabled services and the government.

DSCI also formed a Cyber Security Task Force (CSTF) in 2015 for promoting startups in the space. The government has also been working on framing National Cyber Security Strategy 2020.