What Does PM's New 'Start-Up Action Plan' Mean for Cybersecurity?Experts Debate if Modi's Action Plan will Fuel New Security Companies
Recently, Prime Minister Narendra Modi announced major new initiatives, including a three-year tax holiday and self-certification-based compliance system under the "Start-Up India Action Plan."
See Also: 2016 Social Engineering Report
Security leaders say these programs will not only foster a conducive ecosystem for start-ups, accelerating their growth, but also make it easier to conduct business and encourage developing innovative products in India. Experts also argue whether Modi's plan will boost security start-ups and generate demand for their own products, which protect India's critical infrastructure.
"Modi's plan definitely aligns with making India a global hub to resolve cybersecurity issues through innovation," says Mumbai-based Vinayak Godse, senior director at Data Security Council of India says. "There's consistent effort to remove bottlenecks and make a comprehensive action plan for security start-ups."
Value to Indian Security Start-ups
Experts believe India's witnessing a mushrooming of security start-ups with big innovation plans to help India protect its critical infrastructure against growing cyber-threats.
In his plan, which is expected to be incorporated in the forthcoming budget, Modi announced a three-year exemption from inspections; an online portal and mobile app; 80 percent cut in the patent application fee; a single-point hub for handholding; exemption from capital gains tax on personal property sold to invest in start-ups; dedicated funds of Rs 10,000 crore to promote start-ups; mobile app for start-up registration in one day; 35 public-private incubators and 31 innovation centers at national institutes.
Quoting NASSCOM's recent report, Godse says India has 50-plus security start-ups involved in next-generation security product innovation; and this number will grow.
"India must understand that cybersecurity can bring tremendous economic growth and be an important asset in building the national security capacity," says Delhi-based Tarun Wig, co-founder Innefu Labs, a research oriented security group.
"Many initiatives are geared more towards starting smaller companies," says Delhi-based Sahir Hidayatullah, CEO of Smokecreen Technologies Pvt. Ltd., a security product company. "High-tech security product companies require greater capital than, say, services businesses, which are easier to start but scale linearly. However, incubators/innovation centers could provide tech companies good impetus."
Godse adds, "The R&D, capital gains and repository tax exemptions will provide impetus as companies can then focus on developing quality products."
Hiccups for Security Start-ups
But there are fundamental challenges, critics say. Unless bottlenecks are removed, it will be difficult for organizations to scale up or innovate.
"The biggest challenge is systematic and organized corruption in the IT space," says Wig. "Public sector units choose foreign products without giving home grown products a chance to compete - a major setback."
He continues: "Recently, a PSU - HPCL - did a limited tender for a multifactor authentication product, inviting only four foreign vendors. Following a protest, instead of correcting their mistake they asked how we'd known about the tender. This, though Indian vendors have a competitively priced better quality product."
Critics argue this approach exists in the system integrator industry also - big four consultants such as PwC, E&Y and others ensure the specifications are custom-tailored for products they have an interest in. Foreign vendors have an extremely strong lobby to create entry barriers for Indian security start-ups, despite enough demand for cybersecurity products.
Mumbai-based Sanjay Deshpande, CEO, chief innovation officer of Uniken, a security product company, says globally, the cybersecurity ecosystem is developed by the national defence structures and organizations. "Unless the Indian Defence takes an active role in funding and developing the ecosystem, the sector will remain weak," he says.
DSCI's Godse sees four major challenges for security companies:
- Building a market for themselves, as there are no success stories despite great efforts and products;
- So far, the government's not been an enabler for generating demand and encouraging action at the ground level;
- Innovations at the R&D at academic institutions don't translate into skill development or product innovation;
- The security ecosystem lacks strong testing labs, certification labs or an authorizing body to establish credibility.
Hidayatullah says the customer mind-set should change towards Indian products or technology as most often we find Indian start-ups do get acquired for technology by the big vendors, which means the technology developed by the Indian companies are state of art and proven. "Hence, enterprise customer should actually prefer something developed domestically. Many venture-backed start-ups use the brand of their VC to prove credibility to prospects which is sad," he says.
What do Security Start-ups Need?
The DSCI report says Indian security consumption is $1.6 billion; of this, Indian companies serve about $200 million. The rest is serviced by non-Indian firms.
Godse says existing companies claim they are growing at 50 percent annually, most catering to overseas requirements.
While tax exemptions are fine, security start-ups, says Hidayatullah, would benefit if the government rationalises its procurement process to allow companies to compete, as well as help with their credibility (vetting of technology by IITs, adoption by the armed forces, etc.).
'The government could consider policies where Indian companies must give weightage to an indigenous cybersecurity product / run one innovation initiative every year," he says. "Tax breaks are great; increasing market opportunities domestically is far better."
Wig suggests India should emulate the U.S. model.
"U.S. has established In-Q-Tel, a CIA-funded venture capital fund which identifies the latest technology which could be used by CIA's future intelligence gathering mechanisms. They identify and fund technologies to create a ready marketable product - used not only for CIA, but also sold to the entire world." But India's not offered any such initiative.
Deshpande recommends more tax exemptions on profits - exemptions on input costs such as employee salaries: "Customers buying from start-ups should be given tax incentives - they will then take more risks, passing on these benefits to start-ups through better price points."
Godse expects the government to roll out policies conducive to security companies and generate product demand.
"Relax entry barriers for Indian firms in the empanelment criteria for manufacturing products," says Godse.
"Aggressively involve government-owned research institutions and academia to collaborate and drive innovative products," he argues.