The Data Security Council of India (DSCI), a group set up by IT services lobby group NASSCOM, has appointed Vinayak Godse as its chief executive officer (CEO) from October 1. Godse, in an interview with Sourabh Lele, spoke about cybersecurity for small businesses, the data protection bill, and data localisation.
Here are edited excerpts from an interview.
What are the projects related to cybersecurity the DSCI is working on?
There are three key areas of work for the DSCI. One is cybersecurity, which includes preparedness of the industry. Another is to contribute to national security initiatives, and the third is looking at the opportunity side of cybersecurity both for products and services and more importantly, towards the technology side of it. We work with all of these three areas.
We work with the agencies, which create the national cybersecurity machinery of the country. They have been now looking at cyber as the fifth domain of national security. DSCI also engages in policy making efforts of the government of India, looking at the national strategy for cybersecurity, and we also look at some of the national projects.
Amid rising cybersecurity incidents and state-sponsored attacks, the issue of hardware cybersecurity has become crucial. What are the steps taken by the DSCI to improve hardware security?
We have worked on the National Centre of Excellence with the help of the government of India. They have supported us to set up this centre of excellence, focusing on research productization, development of the start-up ecosystem, and also new critical areas of technology like 5G, hardware, and quantum security. Now, hardware is becoming a vector of attack, increasingly the vulnerabilities are shifting from software to hardware. In collaboration with the government, the Indian Institute of Technology (IIT) Kharagpur, and IIT Madras, we have set up a hardware center for cybersecurity.
How are Indian start-ups helping in building original cybersecurity solutions?
We have come to a stage where we see a lot of technology research work happening in the country, although it's still at an early stage in terms of deep technology. But in cybersecurity, there are a lot of innovative ideas coming since 2013-14. Our cyber industry itself is now a $10 billion+ industry, as per a report that we published sometime back.
We see a lot of significant research happening on the cybersecurity product side, which is very original. This is supported by the academia and R&D solutions side, but there are almost 250+ startups in the cybersecurity space and some of them are definitely doing quite niche work, which leverages the work we do at DSCI.
Meeting the cybersecurity needs of the MSME sector has become a challenging, be it appointing a chief information security officer or compliance. How do you help small businesses achieve cybersecurity goals?
We can’t neglect MSMEs, as we are encouraging smaller players through initiatives like Make in India. But reaching out to those MSMEs is a little challenging, given that their number is huge. NASSCOM runs some MSME forums and we use those vehicles to reach out to them. We have been trying with some of the industry sectors through which we reach out to MSMEs.
There could also be some policy intervention like the one in the UK, where even if you invest in cybersecurity, it provides you some kind of a conducive policy benefit. The government a couple of weeks back hosted a session for helping MSMEs to understand cybersecurity better and prepare for it. We helped them with broad outreach for this program.
Media reports say the government is likely to relax the localisation mandate that was prescribed in the previous draft of the personal data protection bill. What is your view on the data localisation mandate?
Our views are clear since the time when the Srikrishna committee was set up. The CEO of DSCI at that time had put out a dissent note about the provision of data localisation. While there is some intent for which you may probably push the localization but that doesn't end up solving those objectives, because at the crux of it, ownership and control is very important. If that is being assured, then probably that as an instrument may not be required.
Now, being a global economy with all these products we have--we have our unicorns and digital products. There are some cases I'm seeing that one may even manage and operate street lights in global cities from India. Or you may operate or manage the factories and farms in some geography far away from India. So then, a tremendous amount of data will be flowing inward into the country. So these requirements will also create a lot of those challenges for our industry and even for the start-ups.