India’s cybersecurity firms struggle for a seat at the government tender table

India’s biggest nuclear power plant and apex space agency were hacked this past year. Malware was installed on computers at the Kudankulam Nuclear Power Plant (KKNPP) as well as the Indian Space Research Organisation (ISRO).

The breaches, just two of the millions of incidents reported last year, exposed how vulnerable personal and private data is, and national security data along with it. And as the Indian government has made a concerted digital push, the sheer wealth of data at risk has grown exponentially.

Initiatives like Aadhaar (the Indian equivalent of a social security number) or the real-time payments system, the Unified Payments Interface (UPI), have brought into focus the need for robust cybersecurity. Seeking to serve this need is India’s nascent but growing cybersecurity market.

This market for cybersecurity is estimated to grow from about $2 billion this year to about $3 billion in 2022, a compounded annual growth rate of 15%. That is about 1.5X the global rate. Public sector, or government, spending on cyber protection is expected to grow at 13.8% over the same period. In fact, the Ministry of Electronics & Information Technology (MeitY) has asked all ministries to allocate 10% of their IT budgets to cybersecurity and to appoint chief information security officers as well.

Indian businesses, however, will most likely not be the beneficiaries of this public sector largesse. Instead, much of this spending will go into the pockets of global cybersecurity firms.

Cyber crime hub

India is ranked third, after the US and China, in terms of cyber crime incidents. Cyber attack incidents reported by the Indian Computer Emergency Response Team (CERT-In) jumped from about 53,000 in 2017 to over 2 million in 2018.

There are more than 175 cybersecurity product companies in India, according to a 2018 report by the Data Security Council of India (DSCI). The instances of them winning a public sector cybersecurity contract, though, have been few and far between. These companies say that the current system is designed to exclude them in favour of multinational corporations such as IBM, and of Indian system integrators like Wipro and Infosys, who actually implement and maintain the technology.

“As a result, many Indian cybersecurity companies lose out on lucrative contracts that they are technologically capable of fulfilling. This needs to change,” says Quick Heal managing director and chief technology officer Sanjay Katkar. Quick Heal, with $44 million in annual revenue for the year ended March 2019, is the largest Indian company in the space.

Now, MeitY has begun taking baby steps towards levelling the playing field and giving Indian cybersecurity firms a fair shot. This has happened through “public procurement orders”, the latest of which was released in the first week of December.

The 2019 order, a revised version of the 2017 order, aimed to address a few of the demands made by Indian companies. The first is to create categories, such as antivirus, cloud, and mobile security, under which businesses can list products on the Government e-Marketplace (GeM) portal. The second is to remove ‘foreign certification’ as an eligibility criterion for participating in bids.

According to a few Indian companies The Ken spoke to, it takes them six months to a year to get their products listed on GeM, owing to the lack of categories on the portal and to red tape. But the bigger problem, say these companies in one voice, is the use of market research firm Gartner’s Magic Quadrant report as an eligibility criterion.

The Magic Quadrant report, published each year, evaluates cybersecurity products, but only those of companies with “global visibility” and a specified minimum annual revenue, which varies between categories. These criteria automatically exclude Indian companies from consideration. Many public sector organisations rely on this report, rather than carrying out their own technical evaluation, to narrow down bidders for a tender. Incidentally, a Gartner analyst told The Ken that its report should be used as a guideline rather than as an evaluation criterion.

The latest MeitY order, in that case, should be a victory for Indian companies. But they are not celebrating. They argue that while the order has sought to address their concerns, it is conspicuously silent on enforcement and on any redressal mechanism. Which means no one is likely to be held accountable if someone disregards these directives.

The gatekeepers 

To understand the uphill battle Indian cybersecurity companies face, one needs to understand the system they are fighting. 

When a public sector organisation decides to buy technology, it either hires consultants like KPMG to study the existing process, aggregate requirements and prepare a Request for Proposal (RFP), or does so itself. But product makers like IBM and Dell-owned RSA Security, or Indian startups, can’t bid on their own, as the contract involves more than the procurement of software and hardware. It also requires the technology to be deployed and integrated with existing systems, employees to be trained, and so on. Which is why system integrators (SIs) bid for these contracts. The five major Indian SIs are TCS, Infosys, Wipro, HCL and Tech Mahindra. And it is with these SIs that technology companies form partnerships.

The SIs first submit a technical bid with details of the hardware and software (and the manufacturer’s name), followed by a financial bid. The technical bids are evaluated first to sort out those that meet the requirements; among those, the lowest financial bidder is awarded the contract. As a result, the alliances between companies play an important role, starting from the RFP stage.

“Many system integrators play an important role in designing an RFP and specifying technical requirements which are mostly biased towards the technology partners they are in partnership with,” says Rajpreeti Kaur, principal analyst at Gartner.

And if the RFP is being drawn up by a consulting firm, the global product companies often influence the RFP process in order to put in extremely specific technical specifications that only their product can meet, alleges Sahir Hidayatullah, CEO of Smokescreen, a Mumbai-based security products company. 

“In one case, I recall that the RFP even accidentally included the trademark of the company,” Hidayatullah added.

On top of that, public enterprises have traditionally sourced from technology majors, and that gives them a sense of comfort, says C Kajwadkar, a senior technology consultant who headed the IT and cybersecurity division at Clearing Corp of India (2011-18) and the National Stock Exchange (1997-2003).

“As a chief information officer or chief information security officer, if you are buying solutions from the Big Boys (global companies), and even if it fails, you will not get fired,” says Kajwadkar. Indian companies, however, do not get the same benefit of doubt.

Crucially, though, it comes down to cold, hard financial incentives. Some global product companies offer SIs margins of more than 15-20% to secure a contract, according to another industry executive. This is a marked increase over the margins product companies usually offer, which vary from 5% to 15%, the executive said. None of this, of course, is technically wrong. “All large SIs are doing is ensuring they do more business,” said one DNIF executive, on condition of anonymity as they are not allowed to speak to the media. Indian startups, he added, need to invest in the partner ecosystem, not just build good products.

The fightback

In 2017, a public sector insurance corporation put out an RFP for setting up a SIEM platform. SIEM (security information and event management) software collects and correlates security logs from across an organisation to detect threats and coordinate the response to an attack. One clause in the RFP read:

“Bidder should have at least two years of experience in supplying, integrating and supporting the SIEM solution. Bidder must have supplied, integrated and supported or provided SIEM as a service to at least 3 clients globally/India for SIEM solution identified as leader in Gartner’s Magic Quadrant in any of the reports from 2013 onwards.”

DNIF does not qualify to be part of Gartner’s report, as its annual revenue is well below the $15 million cut-off. US-based IBM and RSA Security, owned by Dell Technologies, are the leaders in this category among the seven companies that qualify under Gartner’s criteria.

DNIF urged the corporation to remove the Gartner clause, but it refused. DNIF then approached the DSCI, which pointed to the 2018 version of the public procurement order, released by the Ministry of Commerce and Industry. That order allowed a local supplier to bag 50% of a tender if it could match the lowest bid.

“You evaluate me and then say that my product is rubbish. But here you are not even giving me a chance to get evaluated,” said the DNIF executive.

The corporation didn’t budge, arguing it found it “risky” to remove the clause as it could allow a smaller company to win and that could hurt the project, the executive said.

Ultimately, the 2018 public procurement order was rendered toothless.

Realising they needed to take matters into their own hands, Indian firms began taking a leaf out of the bigger players’ playbook. They started evangelising to clients while those clients were still listing requirements, and built better relationships with partners. These efforts have borne fruit.

In 2018, the Securities and Exchange Board of India (SEBI), the regulator for the Indian securities market, floated an RFP for a security and network operations centre.

Weighing the 2018 public procurement order, SEBI’s technical committee evaluated all the Indian product companies for quality and efficacy, and included a clause in the RFP that gave additional points to SIs that partnered with domestic firms. The SIs, which included Tata Communications Limited (TCL), Netmagic Solutions and Sify, partnered with Indian product companies, resulting in a rare instance of Indian cybersecurity firms winning public sector contracts.


The road ahead

The SEBI victory notwithstanding, it is still a lonely, uphill battle for Indian firms. They do not even have a lobbying group that can take their grievances to the government in a planned manner. 

As of now, the DSCI—which has been supportive of local firms—is the closest thing the domestic industry has to a cheerleader. However, DSCI’s influence is limited, as it is part of the larger industry lobby Nasscom, which also represents major global companies.

“The Indian companies and startups which offer different security applications can come together as a consortium and stitch solutions to offer to clients,”

—C Kajwadkar, former head of IT and cybersecurity divisions at Clearing Corporation of India and National Stock Exchange

The recent public procurement order was certainly a shot in the arm, but with the two previous orders not resulting in tangible change, it remains to be seen whether this one will make a difference. And after years of being left out in the cold, cybersecurity firms believe the powers that be must do more. There is consensus that the government needs to devise a granular plan to engage with Indian product companies.

“There should be a framework, there should be data sharing with them—only when you give data to startups and companies will they be able to fine-tune their solutions. We must have a data sharing policy and a data governance policy in relation to cybersecurity,” says Gulshan Rai, the former national cybersecurity coordinator.

Bajaj, the former CEO of DSCI, agrees. He points to the example of how ISRO developed an indigenous cryogenic engine by deciding to involve private industry in its plan from the beginning. After talks with foreign companies failed, ISRO worked with Godrej and MTAR Technologies to develop and produce cryogenic engines.

To achieve something similar in the cybersecurity space, regulatory authorities should make provisions to make Indian companies an essential part of any cybersecurity taskforce, says Katkar of Quick Heal. “This will allow Indian companies to demonstrate their strong technological capabilities and highlight how they can help the government define stronger cyber defence strategies,” he says. Not only will this create significant strategic value, it will also strengthen the entire digital ecosystem in the country.

Lip service

A national cybersecurity strategy is in the works and is expected to be released in the first quarter of 2020. The strategy will have provisions for incubation, support to startups and centres of excellence, an official with the National Cyber Security Coordinator’s office said at a Nasscom event in Gurugram. The cybersecurity coordinator’s office already manages a kitty of Rs 1,000 crore for incubating startups. According to sources, the fund has barely been spent.

At the same time, a lot remains to be done on the RFP evaluation front as well. Public enterprises must take more initiative to assess the quality and efficacy of cybersecurity solutions themselves rather than blindly turning to filters like Gartner’s Magic Quadrant report. Even Gartner is in agreement with this.

“They must have their own labs where they can test the products instead of relying on international labs and standards,” says Gartner’s Kaur. One senior executive at a top SI took this idea even further: “If you want Indian product companies to come up, you need to create a Gartner-like organisation which will keep evaluating indigenous products.” This, the executive concedes, will require considerable expertise.

But even as the latest procurement order suggests the government is trending in the right direction, such a radical overhaul of the status quo remains a pipe dream. In the meantime, small victories for local firms will have to come despite, rather than because of, the present system.
