Secure in India


Leaders’ insights on GCC empowered global cybersecurity delivery

June 2018

KPMG.com/in
© 2018 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved
Foreword

Global organisations recognise the inevitability of cyberattacks, and are enhancing their cybersecurity strategies by bringing together skilled people, cutting-edge technologies and new age processes to secure their organisations. Global Capability Centres (GCCs)[01], by design, allow organisations to insource key functions, retain control and hold on to expertise in-house. When combined with right talent and commercial effectiveness, GCCs are apt for cybersecurity. With over half of the global GCC revenues, and growing at a CAGR of 11 per cent YoY[02], the growth of India based GCCs is already well known.

In this report, we explore a wide range of drivers, capabilities, smart practices, innovation, challenges and offer insights on how India based GCCs are securing their global organisations. The intent of this report is to enable leaders of global organisations make informed decisions on their India-based GCC strategy for cybersecurity delivery.

Talent pool availability emerged as the top most driver (90 per cent respondents) for setting up cybersecurity delivery from India based GCCs (Cyber GCCs[03]). Cost arbitrage as a driver was a distant second (68 per cent). Further, high value generating functions are surging in Cyber GCCs. Over 57 per cent of the Cyber GCCs surveyed had ‘cybersecurity strategy and governance’ function; and 59 per cent had ‘cybersecurity products and new solutions development’. Further, 70 per cent of the organisations surveyed had representation of India based GCC leaders in global committees. These findings are indicative that Cyber GCCs are at the cusp of transformation.

However, the positivity is tempered with realism. Cyber GCC leaders face challenges in meeting ever increasing demand for niche skills, addressing growth path of key people, and are looking for more value creation through collaboration with GCC communities and industry bodies. In this report, we also touch upon the smart practices and innovative methods employed by Cyber GCCs to overcome these challenges.

The insights in this report are prepared in consultation with Cyber GCC leaders, cybersecurity SMEs and industry bodies. It provides key recommendations for Cyber GCCs to sustain their competitive advantage; transform into global ‘centres of expertise’; and enable global organisations to ‘Secure in India’.

Akhilesh Tuteja
Global Cybersecurity Co-Head and Head of Risk Consulting
KPMG in India

Rama Vedashree
CEO
DSCI

Debjani Ghosh
President
NASSCOM

01. GCCs are captive units which include both MNC-owned units that undertake tasks for the parents’ global operations and the company-owned units of domestic firms. Source: NASSCOM Strategic Review, NASSCOM, accessed on 12 June 2018
02. GICs In India: Getting Ready For The Digital Wave, NASSCOM, accessed on 19 June 2018
03. ‘Cyber GCC’ or ‘India based Cyber GCC’ refers to teams focussed on global cybersecurity delivery located within respective GCCs in India. If these facts have been mentioned in the report and have been corroborated in the respective chapter, we do not need to mention sources here.

Key takeaways

1. Global organisations believe in India’s GCCs’[01] capability to address their cybersecurity agenda
–– Cyber GCC[02] is an integral part of insourcing strategy. 61 per cent say ‘retention of cybersecurity expertise in-house’ is key
–– Average budget allocated to global cybersecurity delivery by India based cyber GCCs (at 18 per cent CAGR in 2018)[03] is increasing rapidly when compared to average global cybersecurity budget (at 8 per cent CAGR in 2018)[04]
–– 35 per cent say ‘business feasibility’ (ease of cybersecurity delivery) is one of the top three drivers for setting up Cyber GCCs

2. Talent pool is at the heart of Cyber GCCs’ success story
–– Over 90 per cent say ‘talent pool availability’ drives their global organisations to set-up Cyber GCCs in India
–– Cyber GCCs present a distinct opportunity to their global organisations with commercial, competitive and abundant talent pool. 68 per cent say ‘commercial effectiveness’ is one of the top three drivers
–– 62 per cent employ new-age techniques (e.g. hackathons) to upskill cybersecurity teams
–– 83 per cent are at high maturity levels[05] in dealing with cyberthreats (e.g.: denial of service (DoS)) and 71 per cent are at equally competent levels in dealing with advanced threats (e.g.: malware)
–– 96 per cent have adopted pre-planned strategies to combat cyber crisis for their global organisations

3. Think innovation, think Cyber GCC
–– 32 per cent say innovation is one of the top three drivers for setting up Cyber GCCs
–– About 60 per cent have ‘cyber product and new solutions development’ capabilities
–– Over 64 per cent leverage emerging technologies to handle cyber issues
–– 52 per cent are involved in incubation, acceleration and co-creation with start-ups

4. Cyber GCCs continuously adapt to enhance value
–– About 70 per cent create value for their global organisations through collaboration with external parties (e.g.: Industry peers, industry bodies, regulators, academia, start-ups, etc.)
–– Over 55 per cent have targeted approaches to manage risks (such as distributed functions to reduce concentration risk)
–– Cyber GCC leaders continue to gain more experience in dealing with global regulators and auditors

5. Cyber GCC leaders owning global cyber functions[06] are on the rise
–– 38 per cent are multi-function centres with influential[07] cybersecurity leadership
–– 70 per cent have at least one GCC leader serve in global committees
–– 57 per cent have a ‘cyber strategy and governance’ function

01. ‘GCC’ refers to Global Capability Centres as defined in NASSCOM Strategic Review, NASSCOM, accessed on 12 June 2018
02. ‘Cyber GCC’ or ‘India based Cyber GCC’ refers to teams focussed on global cybersecurity delivery located within respective GCCs in India
03. Average of mean of approximate annual increase in cybersecurity budget of India based Cyber GCCs in 2018 as reported in the ‘Secure In India’ survey 2018 conducted by KPMG In India, DSCI and NASSCOM
04. Gartner Forecasts Worldwide Security Spending Will Reach $96 Billion in 2018, Up 8 Percent from 2017, Gartner, 7 December 2017
05. High maturity refers to comprehensive risk management policies, implemented across entire organisation; and continuous improvement in cyber risk management as a part of corporate culture
06. Refer to Annexure 1 for details about the cybersecurity functions considered for the survey
07. Leadership with decision making capability or having ownership of global cybersecurity functions

Table of contents

01. Inevitability of cyberthreats
–– Cyber certainty
–– India based Global Capability Centres (GCCs)

02. India’s tryst with ‘Cyber GCCs’
–– Cybersecurity delivery prevalence
–– GCC key for retention of cybersecurity expertise in-house
–– Talent pool topples cost arbitrage as the top driver
–– Wide spectrum of cybersecurity functions delivery capability
–– Innovation trending as a top driver
–– Strengthening capability up the value chain of cybersecurity functions
–– Budget allocated to global cybersecurity delivery by Cyber GCCs is increasing rapidly
–– Advanced proficiency levels in responding to cyberthreats
–– Influential cybersecurity leadership is on the rise

03. Smart practices
–– Talent management
–– Collaboration to create value
–– Cohesive units of global organisations
–– Enhancement of efficiencies through location strategies
04. Innovation and value creation
–– Innovation across cybersecurity functions
–– Incubation, acceleration and co-creation with start ups
–– Emerging technologies to create value

05. Stepping towards the future
–– More volume, complexity and velocity of cyberthreats
–– Recommendations for future-ready Cyber GCCs

Additional Insights noted in the ‘Secure in India’ survey

Annexure

01. Inevitability of cyberthreats

Cyber certainty[01]

With exponential increase and inevitability of cyberthreats, cybersecurity remains a top priority for organisations worldwide and continues to be on the boards’ agenda. However, only 51 per cent CEOs worldwide believe that they are well prepared to handle cyberattacks.[02] In this regard, organisations are increasing their budgetary spend and are bringing together advanced capabilities to secure their organisations.[03]

About 50 per cent of the CEOs globally say that becoming a victim of a cyberattack is a case of ‘when’, not ‘if’.[03,04]

Cybersecurity spend is likely to rise to USD96 billion in 2018.[03,04]

India-based Global Capability Centres (GCCs)

With over 1,140 GCCs[05] already established in India, the country’s GCC potential in global delivery is already well-established[07]. In the following chapters, the current landscape has been explored to unearth smart practices and innovation potential of India-based GCCs empowering global cybersecurity delivery.

–– USD25 billion India GCC revenues[05]
–– 900,000 employees[06]
–– India accounts for about half of global GCCs[08]
–– India accounts for over 65 per cent of the global captive headcount[08]

01. ‘Cyber certainty’ refers to the certainty of occurrence of cyber-attack. Source: 2018 Global CEO Outlook, KPMG International, accessed on 18 June 2018
02. 2018 Global CEO Outlook, KPMG International, accessed on 18 June 2018
03. Gartner Forecasts Worldwide Security Spending Will Reach $96 Billion in 2018, Up 8 Percent from 2017, Gartner, 7 December 2017
04. Global CEOs realistic about growth in the face of unprecedented headwinds, KPMG, accessed on 23 May 2018
05. GCCs are captive units which include both MNC-owned units that undertake tasks for the parents’ global operations and the company-owned units of domestic firms. Source: NASSCOM Strategic Review, NASSCOM, accessed on 12 June 2018
06. Global in-house centres hire more highly-skilled tech professionals, The Economic Times, 13 December 2017
07. The Future of Me, KPMG, accessed on 11 June 2018
08. Why India is seeing a fresh wave of global innovation centres, and how it could be a lifesaver for IT firms, The Economic Times, 29 August 2017

02. India’s tryst with ‘Cyber GCCs’

Cybersecurity delivery prevalence

India-based GCCs empowering Global cybersecurity delivery (i.e., Cyber GCCs[01]) are widely prevalent. This trend is noted across twelve sectors studied, viz., banking, technology, energy, infrastructure, investment management, insurance, manufacturing, telecom, consumer and retail, automotive, life science and healthcare, and pharmaceuticals.

GCC key to retaining cybersecurity knowledge in-house

Inherent to the nature of cybersecurity is protection of confidential data. Organisations are typically wary of third parties managing a wide range of cybersecurity services.

More than 60 per cent of the respondents see ‘enhanced value from retention of knowledge in-house’ as a top driver to leverage the GCC model.

Chart 1: Top drivers for global organisations to adopt the GCC model for cybersecurity delivery
–– Enhanced value from retention of cybersecurity delivery in-house: 61%
–– Quicker turn around in activities due to greater control: 48%
–– Long-term cost saving: 48%
–– Reduced complexities involved in regulatory compliance: 35%
–– Consolidation of responsibility: 35%

Talent pool topples cost arbitrage as the top driver

Talent pool tops all other factors by a significant margin, with about 90 per cent of survey respondents saying ‘talent pool availability’ is one of the top three factors driving cybersecurity services. Traditionally, cost arbitrage has been the top most driver for India-based GCCs[02].

Chart 2: Top drivers to set up Cyber GCCs in India
–– Talent pool availability: 90%
–– Commercial effectiveness: 68%
–– Round-the-clock delivery: 52%
–– Business feasibility: 35%
–– Innovation potential: 32%

01. ‘Cyber GCC’ or ‘India based Cyber GCC’ refers to teams focussed on global cybersecurity delivery located within respective GCCs in India
02. Cost Competitiveness of GICs 2014, NASSCOM, 13 June 2016

Wide spectrum of cybersecurity functions delivery capability

Chart 3: Cybersecurity functions delivered from GCCs in India

Strategy and governance
–– Cyber strategy and governance: 57%

Research and development
–– Cyber product and new solutions development: 59%

Engineering
–– Cyber product implementation and maintenance: 72%

Cyber risk and control management
–– SOx and other compliance: 59%
–– Data privacy risk management: 67%
–– Cyber threat, response and crisis management: 71%
–– Third party cyber risk management: 74%
–– Cyber risk assessment: 75%
–– Identity and access management: 77%
–– Cyber risk and control operations: 86%
–– Business continuity and disaster recovery: 86%

The variety of cybersecurity functions[03] being delivered from India can be attributed to its broad and abundant talent pool.

The spectrum of cybersecurity services ranges from task-based functions such as security monitoring to deep thought and research based ‘cyber product and new solutions development’, and ‘cyber strategy and governance’.

Innovation trending as a top driver

Nearly one-third of the respondents say that innovation potential is one of the top three drivers for setting up Cyber GCCs in India. It is interesting to note that for a traditional GCC set-up, this has not typically been a top driver in the past[04].

With a strong technical talent pool, Cyber GCCs are taking up more complex functions over simple operational activities.

32 per cent of the respondents say that the country’s strong innovation potential is one of the top three drivers for setting up Cyber GCCs in India

03. Refer to Annexure 1 for details about the cybersecurity functions considered for the survey
04. GICs in India-Emerging Centres of Excellence, NASSCOM, 11 July 2017

Strengthening capability up the value chain of cybersecurity functions

There is a steady shift towards higher volume of engineering, R&D and strategy functions in GCCs. About 60 per cent of Indian Cyber GCCs employ teams developing ‘cyber products and new solutions’ and ‘cyber strategy and governance’.

In fact, GCCs established post 2012 deliver cybersecurity strategy and governance services from Cyber GCCs more than those set up earlier.

Chart 4: Cyber GCCs undertaking high value cybersecurity activities, by function
–– Cybersecurity product and new solutions: 59%
–– Cyber strategy and governance: 57%

Chart 5: Cyber strategy and governance function in Cyber GCCs, until and after 2012
–– GCCs established until 2012: 55%
–– GCCs established post 2012: 67%
Increase in share of ‘cyber strategy and governance’ function in Cyber GCCs

Budget allocated to global cybersecurity delivery by Cyber GCCs is increasing rapidly

Chart 6: Increase in budget allocation to global cybersecurity delivery by Cyber GCCs in 2018
[Bar chart. Horizontal axis: increase in annual budget (%), in bands 0%, 0-10%, 11-30%, 31-60% and >61%. Vertical axis: percentage of respondents. Bar values, in extraction order: 43%, 35%, 9%, 9%, 4%.]

While the global spend on cybersecurity is expected to grow at 8 per cent[05] in 2018, budget allocated by Cyber GCCs has increased by an approximate 18 per cent[06] in 2018.

05. Gartner Forecasts Worldwide Security Spending Will Reach $96 Billion in 2018, Up 8 Percent from 2017, Gartner, 7 December 2017
06. Average of mean of approximate annual increase in cybersecurity budget of India based Cyber GCCs in 2018 as reported in the ‘Secure In India’ survey 2018 conducted by KPMG In India, DSCI and NASSCOM

Advanced proficiency levels of Cyber GCCs in responding to cyberthreats

Cyber GCCs have high maturity levels in dealing with a wide range of cyberthreats. While about 80 per cent of respondents said that they are at an advanced state (tier-three and tier-four)[07] in dealing with cyberthreats (e.g.: DoS), about 70 per cent of respondents feel that they are equally competent in combating advanced threats (e.g.: malware). Less than 15 per cent respondents said that they do not have a formalised cyber risk management process to deal with cyberthreats.

Chart 7: Readiness of Cyber GCCs, by cyberthreat

Respondents at tier three (repeatable) and tier four (adaptive):
–– Denial of service (DoS): 84%
–– Man-in-the-middle: 78%
–– Phishing: 76%
–– Social engineering: 74%
–– Password attacks: 72%
–– Malware: 71%
–– Rogue software: 70%

Remaining bar values (tier one and tier two), in extraction order: 25%, 20%, 17%, 20%, 17%, 8%, 8%, 9%, 13%, 9%, 8%, 13%, 4%, 4%

Legend:
–– Tier one (partial): Cyber risk management processes not formalized and risk managed in ad hoc fashion
–– Tier two (risk informed): Cyber risk management still managed by IT and policies are in place
–– Tier three (repeatable) & Tier four (adaptive): Comprehensive risk management policies, implemented across entire organisation and continuous improvement in cyber risk management as a part of corporate culture

As part of this study, various examples of cyber crisis management were shared by Cyber GCC leaders:

Cyber crisis planning and preparedness
• Participate in global, local and individual simulation exercises of crisis events and their ability to respond.
• Collaborate across industry to prepare for such incidents (mock drills, table top reviews, etc.).

Cyber crisis response
• Cyber GCCs house global red and blue teams (cyber-attack and defence experts of global organisation). Global cyber threats (such as ‘WannaCry’ ransomware attack of 2017) are being managed from their centres.
• Cyber GCCs have already experienced local crisis and business continuity events (as seen in the case of Chennai rains[08], certain events of unrest in Bengaluru[09] and Mumbai[10]) and contributed significantly in managing global events (such as hurricanes, earthquakes etc.) of similar nature (refer to Annexure II for more details).
• GCCs are able to respond to targeted attacks on themselves as well.

Regulatory examination
• Cyber GCCs are experienced in engaging both global and local regulators. Global regulators have inspected and examined some of the GCCs specifically around crisis management and response, business continuity and operational resilience.

07. Definition of Tier Three and Four – GCCs having comprehensive risk management policies, implemented across entire organisation and continuous improvement in cyber risk management as a part of corporate culture
08. IT companies invoke alternate plans as rain hits Chennai operations, Business Line, The Hindu, 2 December, 2015
09. Cauvery dispute: Protests shuts down Bengaluru, Livemint, 14 September, 2016
10. Heavy rains batter Mumbai yet again; air, rail traffic hit, Reuters, 20 September, 2017

Influential cybersecurity leadership* is on the rise

About 39 per cent of GCCs have multi-function centres with influential cybersecurity leadership based in India. This trend is more prominent with GCCs that emerged after 2012, wherein nearly 43 per cent of GCCs have influential cybersecurity leadership based in India.

70 per cent of all respondents have at least one GCC leader serve in one of the global committees.

*Influential leadership refers to Leaders with decision making capability in global cybersecurity strategy, governance and operations

Chart 8: Reporting structure of Cyber GCCs to global organisation
–– Single function centre, mostly managerial leadership with one local head, reporting to business leaders: 32%
–– Multi-function centre reporting to multiple business leaders, with only operational oversight by India head: 29%
–– Multi-function centre, with influential leadership seated in GCC, and several of them reporting to global heads: 39%

68% of GCCs are multi-function centres reporting to business leaders and global heads

03. Smart practices

Cyber GCCs are using smart practices to address challenges and capitalise on opportunities in areas such as
talent management, collaboration, working with global organisations, spreading to value-based locations and
leveraging emerging technologies to enhance efficiencies.

Talent management

Challenges and opportunities

Cybersecurity requires continuous and rapidly evolving skills, along with a large work force to meet the increasing demand. While talent is available in abundance in the country, there are certain areas where Cyber GCCs are facing challenges in sustaining experienced hands.

#1: Lack of niche skills in required volume:
Out of all cybersecurity functions, cyberthreat, response and crisis management (32 per cent) followed by cyber product and new solutions development (21 per cent) are experiencing challenges in addressing ever increasing demand

Chart 9: Skill gap faced by Cyber GCCs, by function
–– Cyber threat, response and crisis management: 32%
–– Cyber product and new solutions development: 21%
–– Third party (vendor/ supplier) cyber risk management: 18%
–– Cyber strategy and governance: 18%

#2: Talent retention:
Most survey respondents experienced attrition of about 10-15 per cent in their cybersecurity teams. Unsatisfactory compensation (62 per cent), lack of growth opportunities (38 per cent) and stagnancy (19 per cent) are the top reasons

Chart 10: Key reasons for attrition in Cyber GCCs
–– Unsatisfactory compensation: 62%
–– Lack of growth opportunities: 38%
–– Lack of challenging roles/stagnancy: 19%

#3: Untapped cyber leadership potential:
Only 22 per cent say ‘senior management expertise’ available with Cyber GCCs is one of the top drivers. While talent pool availability and innovation potential offered by Cyber GCCs are tapped well, confidence in cyber leadership potential is gaining momentum

01. Why India is seeing a fresh wave of global innovation centres, and how it could be a lifesaver for IT firms, The Economic Times, 29 August 2017

Smart practices for effective talent management

#1: Tie-ups with academia for nurturing niche skills, retaining the ‘right’ talent, and develop cyber leaders

Nearly 30 per cent of Cyber GCCs have tie-ups with universities. The tie-ups are focussed on acquisition of talent, assistance with curriculum development and learning programmes in cybersecurity. Several GCCs have established learning centres[01] with colleges.

Nearly 50 per cent of GCCs leverage universities (and start-up forums) for market research on cybersecurity.

These practices are focussed on nurturing niche talent, motivating existing talent and developing cyber leaders.

Nearly 30 per cent of cybersecurity GCCs are collaborating with academia for acquiring better talent and conduct research

Examples of GCC - Academic collaboration
• A U.S. based communications giant having their GCC in India runs a network academy to train and certify students in the areas of computer networks and network security.[02]
• GCC of a German automotive major signed a MoU with the Indian Institute of Technology Madras (IIT M) to set up a Data Science and Artificial Intelligence centre.[03]
• A number of global organisations have collaboration with IIMs, for leadership programmes.

#2: New-age techniques to upskill and cross-skill cybersecurity talent

While traditional methods of reward-driven certification, external training and enabling staff for technical publications are still relevant, Cyber GCCs are also employing new-age techniques to upskill and cross-skill their staff. ‘Hackathon’ is a case in point.

Chart 11: Techniques employed by Cyber GCCs for up-skilling
–– Hackathons: 62%
–– External trainers on technical domains: 55%
–– Cross skilling / rotational assignments: 48%
–– Active participation in local technical committee: 48%
–– Reward-driven certification programmes: 45%
–– Enable technical publications: 41%

62 per cent of survey respondents said that “hackathon” is their most preferred mode for upskilling.

Hackathons have dual advantage – while enabling employees to collaborate and upskill, the outcome of a typical hackathon session is a collaborative product which otherwise takes significantly more effort to develop

Other new-age techniques such as bug-bounties, war-rooms, and gamification are gradually gathering steam.

01. Why India is seeing a fresh wave of global innovation centres, and how it could be a lifesaver for IT firms, The Economic Times, 29 August 2017
02. ‘Secure in India’ Survey, KPMG in India, June 2018
03. Data science and AI lab set up at IIT Madras, The Times of India, 5 August 2017

#3: Global mobility

Several GCCs have global mobility programmes to provide their people with enriching opportunities to work in offices around the world. Generally, the assignments vary from short-term (three-six months) to long-term (between one and three years). These programmes aim to develop global skills, promote knowledge transfer across borders and foster cultural orientation. Needless to say, many GCC heads say this provides their people with challenging and growth enablement opportunities.

Collaboration to create value

#1: Collaboration with external parties

Over 90 per cent of survey respondents see value from active participation in focussed and relevant cybersecurity events and conferences and over 80 per cent of them see enhanced value from being members of relevant professional associations.

These associations are promoting R&D and technological developments in the cybersecurity space. They are also implementing a workforce upskilling road map. In addition, Cyber GCCs are collaborating with start-ups to provide for new technology exploration.

Chart 12: Collaboration practices adopted by Cyber GCCs
–– Participation in cybersecurity events and conferences: 93%
–– Member of cybersecurity professional associations: 81%
–– Collaboration with industry peers: 59%
–– Collaboration with start-ups: 52%
–– Tie-up with universities: 30%

GCCs actively collaborate and engage with their peers, academia, start-ups, consultants, industry bodies and regulators. Cyber GCCs share key challenges, smart practices and continually enable themselves to provide significant value to their global organisations.

Srinivas Potharaju
Partner and GCC Leader for Risk Consulting
KPMG In India

#2: Working with governments and regulators

Several leaders surveyed say that the following initiatives have had or are expected to have a positive impact on their Cyber GCCs, viz. ‘Skill India’, SEZ policies, ‘Start-up India’ and ‘Make in India’.

Chart 13: Local laws and regulations impacting Cyber GCCs
–– Cyber laws: 74%
–– Privacy laws: 70%
–– Employment laws: 57%
–– Labour laws: 48%

Over 70 per cent leaders say that local cyber and privacy laws impact their Cyber GCCs

Industry body speak

The ongoing changes in policies and regulatory environment in India are conducive to global businesses. This optimism is also shared by multiple GCC heads who believe these changes will impact their GCCs positively. As long as policies continue to favour moving business to India, GCCs will continue to expand cybersecurity delivery from India

Vinayak Godse
Senior Director
DSCI

India’s Supreme Court’s decision in favour of privacy as a fundamental right, and the government’s focus on creating a comprehensive privacy law in the country[04], is likely to contribute to an enforceable privacy regime in the country. In which case, movement of operation and data to India is expected to be smoother.

Examples of evolving policies[05,06,07,08]

IP laws: The government released the National Intellectual Property Rights (IPR) Policy in 2016, which aims to create and exploit synergies between all forms of intellectual property.

Enforcement of contracts: On the back of government reforms, the country jumped 14 positions in the context of enforcing contracts over the last three editions of the World Bank’s ease of doing business report.

Cyber security policy: India already has a National Cyber Security Policy (2013) and efforts are in place to update it as per latest business needs.

States have also started coming out with cybersecurity policies and specific ministry departments have stepped up cyber focus in their sectors.

04. Srikrishna committee report on data protection and privacy by May-end, Hindustan Times, 19 June 2018
05. Centre working to reintroduce draft encryption policy, Sunday Guardian Live, 18 May 2018
06. Enforcement of contracts: Need to focus on ramping up court infrastructure, Business Standard, 5 November 2017
07. All you need to know about the new IPR Policy, The Hindu, 12 September 2016
08. Telangana government formulates cyber security policy, New Indian Express, 16 September 2016

Cohesive units of global organisations

96 per cent of GCCs have pre-planned strategies (in line with the global organisation needs) for dealing with cyberattacks

As GCCs in India make the shift from being siloed centres controlled through service level agreement measures, to becoming centres of strategic importance09, the need to work cohesively with their respective global organisations is pertinent. This trend has assimilated into cybersecurity operations smoothly.

A case in point is how smoothly Cyber GCCs have adopted the advanced pre-planned strategies to deal with attacks. This is indicative that Cyber GCCs are transforming as a strategic centre working cohesively with the head office, rather than SLA driven back office of parent organisations.

Chart 14: Response strategies adopted to tackle cyber incidents
Pre-planned specific strategy for different cyber incidents 75%
Pre-planned common strategy for all cyber incidents 21%
No standard response mechanism 4%

Chart 15: Response strategy adopted by GCCs with cybersecurity staff <=100
No standard mechanism, 6%
Pre-planned common strategy for all cyber incidents, 22%
Pre-planned specific strategy for different cyber incidents, 72%

Chart 16: Response strategy adopted by GCCs with cybersecurity staff >100
Pre-planned common strategy for all cyber incidents, 20%
Pre-planned specific strategy for different cyber incidents, 80%

Understandably, 100 per cent of larger Cyber GCCs (staff strength of over 100) have pre-planned strategies, while fewer (80 per cent) smaller GCCs (staff strength of 100 or less) have pre-planned strategies. Clearly, scale of operations brings in standardisation to Cyber GCC operations and has its advantages.

09. ‘Secure in India’ Survey, KPMG in India, June 2018
Enhancement of efficiencies through location strategies

#1: Spread to value based locations to improve efficiencies

Amongst the GCCs that were surveyed and set up in the last decade (since 2007) in India, cyber delivery capabilities are spread across Indian cities of Bengaluru, Pune, Hyderabad, Chennai, Gurugram, etc. Organisations are also considering emerging locations like Ahmedabad, Vadodara, Coimbatore, Trivandrum and Kolkata10.

This is unlike the GCCs set up in the past (before 2007), wherein Bengaluru was the top destination for cybersecurity global delivery.

Chart 17: Presence of Cyber GCCs established since 2007, by city
Cities shown: Pune, Bengaluru, Mumbai, Hyderabad, Gurugram, Chennai, Delhi
Values shown: 33%, 27%, 27%, 20%, 20%, 13%, 7%

#2: Tackle concentration risk through distributed functions

Over 55 per cent of cybersecurity GCCs in India have distributed presence to reduce concentration risks

Concentration of critical cybersecurity functions in a single GCC centre could result in increased systemic risk for the parent organisation. As a result, several GCCs have distributed presence across Indian cities. This also serves as a resilience measure.

10. GICs in India – Emerging Centres of Excellence, NASSCOM, accessed on 12 June 2018
04. Innovation and value creation

Cyber GCCs are transforming themselves as innovation hubs. Nearly 60 per cent say that ‘cyber product and new solutions development’ function (which fundamentally requires skilled workforce oriented towards innovation) is being delivered from Cyber GCCs, and 57 per cent say that ‘cyber strategy and governance’ function is being delivered from Cyber GCCs. Therefore, it comes as no surprise that over 30 per cent say that innovation potential is one of the top three drivers for setting up Cyber GCCs.

“Cybersecurity centres at GCCs provide unique opportunity to support global organizations and also simultaneously act as innovation hubs. India’s ability to provide talent with sharp acumen and ability to experiment with cutting edge technologies are truly acting as catalysts”

Atul Gupta
Partner and National Leader - IT Advisory (Risk Consulting) and Cybersecurity
KPMG in India

Innovation across cybersecurity functions

Nearly 50 per cent of Cyber GCCs see most innovation happening in ‘identity and access management’ function. Innovation across other cybersecurity functions share almost equal attention. Privacy regulations (such as GDPR) have led most global organisations to focus on compliance and five per cent of organisations have started innovating in this space as well, within a year of privacy regulatory developments01.

Chart 18: Cybersecurity functions which experience most innovation in Cyber GCCs

Identity and access management 46%
Cyber risk and control operations 42%
Cyber threat, response and crisis management 42%
Third party (vendor/supplier) cyber risk management 25%
Cyber risk assessment 25%

01. ‘Secure in India’ Survey, KPMG in India, June 2018
Cyber GCCs present an opportunity to their global majors in incremental and transformational cyber change delivery. As Cyber GCCs understand finer aspects of cyber functions including associated solutions, their ability to re-engineer processes, enhance or build solutions and help global organisations adopt them, is naturally stronger.

As part of this study, various examples of cyber innovation and change initiatives were shared by Cyber GCC leaders spread across cybersecurity life cycle:

Cyber risk and control management lifecycle

1. Definition
• Catalogue creation
• Architecture definition
• Classification mechanism
• Policy framework codification
• Awareness level definition
• Assessment model creation
• Measurement model definition
• Reporting specification
• Quantification model definition
• Response mechanism definition

2. Implementation
• Process design and modelling
• Process implementation
• Awareness execution
• Solution implementation
• Measurement engine implementation
• Reporting engine implementation
• Response engine implementation

3. Measurement
• Classification mechanism execution
• End user awareness measurement
• Manual and automated self assessment and testing
• Automated risk assessment platform
• Continuous control monitoring mechanism
• Surveillance mechanism
• Cyber risk quantification

4. Reporting
• Events and Incidents
• Control deficiencies
• Issues and gaps
• Exception/dispensation/deviation
• Findings (audit/regulatory)
• Improvement observations
• Internal and external reporting to board, regulators, auditors, management and risk committees

5. Response
• Execution (manual/automated) to impactful events like incidents, exceptions, findings and deficiencies.

Source: ‘Secure in India’ Survey, KPMG in India, June 2018

Incubation, acceleration and co-creation with startups

India strengthened its position as the third largest start-up ecosystem in the world02. The start-up ecosystem naturally supplements the growth of Cyber GCCs towards innovation. In fact, 52 per cent of the Cyber GCCs have active collaboration with start-ups.

Further, industry bodies in India have programmes to assist with incubation and acceleration of start-up programmes. For instance, the NASSCOM Industry Partnership Program (NIPP) seeks to foster sustained engagement between large corporations and innovative technology ventures in India. Similarly, ‘10,000 Start-ups’ is another NASSCOM initiative which aims to establish a cross-collaborative platform that enables start-ups to grow to the next level03.

More Cyber GCCs with capabilities in ‘cyber strategy and governance’ (64 per cent) see value from tie-ups with start-ups, than those without (50 per cent). This is indicative of the contribution of start-ups towards cyber strategy development

Expectedly, more GCCs with capabilities in ‘cyber strategy and governance’ (34 per cent) are able to create innovation through start-up incubations, compared to those without (28 per cent).

Chart 19: Cyber GCCs collaborating with start-ups
(Percentage of GCCs Collaborating with Start-ups)
GCCs without cyber strategy and governance 50%
GCCs with cyber strategy and governance 64%

Chart 20: Cyber GCCs innovating with start ups through sponsored incubation centres
(Percentage of GCCs Collaborating with Start-ups)
GCCs without cyber strategy and governance 28%
GCCs with cyber strategy and governance 34%

02. Indian Start-Up Ecosystem – Traversing The Maturity Cycle - Edition 2017, NASSCOM, accessed on 19 June 2018
03. NASSCOM Industry Partnership Program website, NASSCOM, accessed on 19 June 2018

Emerging technologies to create value
Nearly 70 per cent of GCCs say that they leverage robotic process automation (RPA) for global cybersecurity delivery, while 64 per cent say they use machine learning for global cybersecurity.

What is interesting to note is that 36 per cent are experimenting with artificial intelligence, and 20 per cent are experimenting with technologies like block chain.

Some examples noted in the survey include bots being used to pre-empt a cyberattack and take necessary actions to prevent losses. This is reflective of the clear movement towards innovation in Cyber GCCs.

Also, as security software generates massive amounts of data, organisations are using advanced data analytics to gain a better picture of what is going on in their IT environments.04

Chart 21: Emerging technologies explored by Cyber GCCs for effective and efficient cybersecurity global delivery

Robotic Process Automation 68%

Machine Learning 64%

Artificial Intelligence 36%

Block chain 20%

04. Cyber-security and the blockchain: evolving technology for our safety, The Next Web, accessed on 6 June 2018

05. Stepping towards the future

More volume, complexity and velocity of cyberthreats

The sharp rise of cyberthreats is likely to experience an upward trend, increasing at a pace, volume and complexity higher than before.

Cybercrime damages are expected to cost the world USD6 trillion annually by 2021.01 The global cybersecurity market is expected to double to USD187 billion by 2025 from USD 94 billion in 2016.02

68 per cent of data breaches in the past year required several months to discover, while 87 per cent had their data compromised within minutes of the attack03. Further, with digital transformation and emergence of new age-technologies (Industry 4.0), threats are likely to be even more complex.

Chart 22: Growth of global cybersecurity market, across different verticals (R&D, Services and Products, for 2015, 2016, 2020 and 2025; CAGR ~8.2 per cent)

Source: Global Cyber Security market, DSCI, accessed on 7 June 2018

Recommendations for future-ready Cyber GCCs


In the wake of increasing volume, complexity
and velocity of cyberthreats, it is imperative for
organisations to stay abreast and manage cyber risk
in order to remain in business (‘business imperative’).
Therefore, it is important for Cyber GCCs to be
well-positioned to meet the business imperatives.
A mutually beneficial ecosystem of GCCs, policy
makers and industry bodies is key to continued
sustenance and transformation of Cyber GCCs.

Business imperatives to manage cyber risk


• Board and leadership require enhanced risk
visibility
• Regulators seek risk data aggregation, near
real-time risk analysis and faster breach
reporting
• Management requires to take informed and
data-driven risk decisions
• Risk leadership monitors ‘conduct risk’
(market, employee, insider, third party) more
closely
• Changing business requires business unit
leaders to manage emerging technology risks
• Automated business functions require
automation of risk and control functions
• Growing business and threats require better
and commercial risk management models

01. Cybercrime Damages $6 Trillion By 2021, Cyber Security Ventures, 16 October 2017
02. Global Cyber Security market, DSCI, accessed on 7 June 2018
03. Ransomware reigns supreme in 2018, as phishing attacks continue to trick employees, Tech Republic, 9 April 2018

Recommendations for GCCs

In our survey, we noted Cyber GCCs are employing a number of smart practices and innovative methods for smooth and secure operations of their global organisations; ranging from talent management, collaborating with external entities for value creation, to leveraging emerging technologies for smarter cybersecurity delivery. Cyber GCCs should continue to adopt these smart practices to sustain their competitive advantage and further enhance their focus and investment on innovation to transform into global centres of expertise. Below are a set of recommendations for Cyber GCCs, in order to ‘score’ better and ‘Secure in India’.

Transform

Skill up
• Upskill to niche and expert skills, re-skill staff to stay relevant at own organisation and at an aggregate level
• Cross-skill to be agile and create fungible talent pool

Create CoEs
• Create high value generating ‘centres of expertise’
• Explore virtual captives to leverage vendor expertise, yet retain control
• Experiment further with new-age cyber solutions using emerging technologies

Expand ownership
• Own global functions. Move beyond SLA to outcomes.
• Transform cost centres to the ones that generate revenue
• Enhance brand proposition of the Cyber GCC to make stakeholders aware and attract talent

Comply with regulations
• Proactively track and manage regulatory change
• Formulate inter-entity outsourcing contracts
• Simulate cyberattacks and stress test in line with regulatory requirements (community model with peers, where possible)

Enhance efficiency
• Develop a ‘Cobot’ environment, for smooth co-existence of human and robotic environment
• Expand Agile and DevSecOps04 paradigm to fast-track value creation

Sustain

Skill up
• Retain ‘right’ skill by providing growth opportunities
• Tie up with academia to develop niche cyber programmes, nurture talent and create immersive learning opportunities

Create CoEs
• Incubate, accelerate, and co-create with start-ups to fortify innovation hubs
• Learn from experiences, experiments and innovation of peers to scale up and better the value chain
• Collaborate with subject matter experts in areas of demand and growth

Expand ownership
• Invest in high quality leadership with deep domain and technical expertise
• Create leadership accelerator programmes
• Invest in personal coaching for top leadership

Comply with regulations
• Collaborate with regulators and industry bodies to understand industry wide issues and response strategy
• Invest in automation for regulatory testing, analysis and reporting
• Involve in policy matters, that can potentially impact cybersecurity and privacy domains

Enhance efficiency
• Continue investing in productivity enhancements like automation and collaborative workspaces
• Engage with local government and regulatory initiatives
• Enhance exploration of high value locations
04. DevOps and security: An important intersection, KPMG Advisory Institute (US), 12 September 2017
Industry body recommendations

Brand

Policy makers
• Enhance the focus on GCCs’ potential in creating high value careers in cybersecurity and privacy, as part of the government’s drive towards employment growth
• Promote ‘Secure in India’ branding, leverage existing and new policy initiatives to champion India as a global destination for cybersecurity and privacy capabilities

GCC Community (Industry bodies, GCC forums etc.)
• Track and communicate the Cyber GCC capability within and outside the country
• Create a pitch for attracting global companies to look at India for delivering their security capabilities

Skill

Policy makers
• Enhance the supply of skills for realising the potential

GCC Community (Industry bodies, GCC forums etc.)
• Enable and contribute to skill development in abundance which is required for ‘Secure in India’

Collaboration

Policy makers
• Continue to work towards enhancing policies for attracting more global organisations and GCCs to set up and expand global cybersecurity delivery from India

GCC Community (Industry bodies, GCC forums etc.)
• Continue to work towards enhancing the policy environment that is more conducive and incentivises delivery of cybersecurity from India
• Put concerted efforts for realising cybersecurity and privacy potential and scaling up deliveries from India

Additional Insights noted in the ‘Secure in India’ survey

To get detailed insights, please reach out to our team.

Respondent profile
1. Distribution of sectors served by survey respondents
2. Establishment year of GCCs surveyed
3. Location distribution of Cyber GCCs

Importance of Cyber GCCs
1. Senior cybersecurity leadership, in India based Cyber GCCs, serving in global committees
2. Global leaderships’ view on investment in cybersecurity global delivery capability in GCCs

People and skill matters
1. India based Cyber GCCs’ staff strength
2. Years of professional experience of staff in Cyber GCCs
3. Key diversity to Cyber GCCs
4. Innovative and new age methods adopted to upskill employees in Cyber GCCs
5. Annual attrition percentage within Cyber GCCs
6. Primary reasons for attrition within Cyber GCCs
7. Cybersecurity function with the most skill gap

Cyber threats and readiness
1. Top concerns as Cyber GCC global delivery head
2. Obligations or requirements that the Cyber GCCs are most concerned with
3. Readiness of Cyber GCCs to deal with cyber threats

Leading practices
1. How Cyber GCCs provide visibility and assurance on their cybersecurity global delivery to the global leadership
2. Processes, leading practices and innovative approaches within Cyber GCCs to comply with regulatory and auditing requirements

External influences
1. Government initiatives which have had/are expected to have a positive impact on India based cyber GCCs
2. Local laws and regulations impacting Cyber GCCs
3. Global regulations impacting Cyber GCC

Annexure

Annexure I: Cybersecurity functions
In the context of this report, the scope of the term cybersecurity includes below functions

1. Cybersecurity area: Strategy and Governance
Description: Niche functions involved in cybersecurity strategy and governance
Cybersecurity function: Cybersecurity strategy and governance
Individual description: Defining the approach to cybersecurity which aligns with the business objective, implementing the plan and monitoring it.

2. Cybersecurity area: Research and Development
Description: Functions involved in product and solution development and research for cybersecurity management, for use either both within the organisation and/or outside. At a functional level, team employs highly skilled personnel with core technical skills to develop IT enabled products.
Cybersecurity function: Cyber product and new solutions development
Individual description: Research and development of automation solutions, cyber and risk analytics, emerging tech risk management solutions, etc.

3. Cybersecurity area: Engineering
Description: Function implements, and/or performs maintenance of already developed cybersecurity products, for use either both within the organisation and/or outside. At a functional level, team employs personnel with adequate technical skills to implement and maintain cybersecurity products
Cybersecurity function: Cyber product implementation and maintenance
Individual description: This includes implementation and maintenance of automation solutions, cyber and risk analytics, emerging tech risk management solutions, risk measurement solutions, etc.

Cybersecurity area for functions 4 to 11: Cyber risk and control management
Description: Function executes operations either on a need basis, and/or an ongoing basis. At a functional level, team employs personnel with varied technical skills (from high to low technical skills) to execute cybersecurity operations.

4. Cybersecurity function: Cyber risk assessment
Individual description: Cybersecurity and regulatory risk assessment exercise (to identify and validate new and current risks) on a periodic basis

5. Cybersecurity function: Cyberthreat, response and crisis management
Individual description: Identify cyberthreats, plan responses in case of a cybersecurity event, and perform investigations (functions include crisis simulation, awareness, etc.)

6. Cybersecurity function: Cyber risk and control operations
Individual description: Cyber operations (vulnerability assessments, management of anti-virus and firewall, ISO27001 implementation, network health monitoring, security operations centre, etc.)

7. Cybersecurity function: Identity and access management
Individual description: Operations and management of identity and access work

8. Cybersecurity function: Business continuity and ITDR
Individual description: Business continuity and IT Disaster Recovery planning, testing, and upkeep.

9. Cybersecurity function: Third party (vendor/supplier) Cyber risk management
Individual description: Advisory, management and operations of identity and access work

10. Cybersecurity function: Data privacy risk management
Individual description: Management and operations of privacy risk (including definition of obligations)

11. Cybersecurity function: SOx and other compliance/audit management
Individual description: Regulatory compliance related work such as control definition, assessment, reporting on gap remediation

Annexure II: Leading practices of GCCs handling local crisis situations

1. Challenge: Early monitoring potential crisis situation
Leading practice: Organisations which monitor the situation closely are able to initiate evacuation efforts before the situation worsens

2. Challenge: Handle changed priorities
Leading practice: ‘Run’ vs. ‘Change’ functions - focus of most business continuity plans is typically to ensure timely recovery of ‘Run’ functions of an organisation. However, given the duration of disaster and its timing (for e.g. right before year-end freeze and holidays), organisations need to re-prioritize their recovery efforts and ensure that projects go-live dates are not impacted.

3. Challenge: Leveraging social/mobile app for ‘call tree’
Leading practice: Due to network disruption, most of the traditional call tree invocation methods fail (30-40 per cent failure). This impacts communication and coordination with the identified recovery teams. Social/mobile app based connect works intermittently and has significantly higher results (60-70 per cent success) compared to traditional call tree mechanisms.

4. Challenge: Adherence to regulatory requirements
Leading practice: Ensure regulatory requirements are not compromised during and after crisis situation.

5. Challenge: Work From Home (WFH) strategy may not work all the time
Leading practice: WFH strategy for resources working in affected areas may not work due to disruption in network services and extended power outage.

6. Challenge: Planning for co-location agreements
Leading practice: Service providers supporting a particular organisation are able to leverage each other’s premises to resume critical services to their clients. This can already be worked out as part of the contract.

7. Challenge: Importance to support services
Leading practice: Strong commitment of the support staff (including administration, plumbing, electricians, and logistic services providers) could be key to recover support infrastructure at affected locations. Logistics department in organisations should be able to leverage their relationship with hotels to arrange for a large number of rooms at a short notice.

8. Challenge: Leveraging alternate site for network services
Leading practice: Based on the early warning, organisations should switch their international traffic route to other locations.

9. Challenge: Help desk services
Leading practice: Ensure alternative arrangement for Help desk services.

10. Challenge: Being aware of fourth party continuity risks
Leading practice: Communication service providers relying on other internet service providers would not be able to meet the committed SLAs due to power outage for a sustained period.

11. Challenge: Sentiment management – unskilled volunteers may do more harm than good
Leading practice: ‘Let us do what we can do’ and ‘let us leave evacuation efforts to experts’ should be the leadership direction

12. Challenge: Focusing on employee and their families’ safety
Leading practice: Along with critical team members, organisations also need to evacuate their families from the impacted areas.

‘Secure in India’ Survey, KPMG in India, June 2018
Methodology

The premise of this report is based on several sources of information, meetings and brainstorming sessions undertaken by KPMG in India, DSCI and NASSCOM between April 2018 and June 2018.

Survey

The insights published in this report are primarily based on the responses received from the ‘Secure in India’ survey rolled out to executives across global organisations who have Global Capability Centres (GCCs) registered with NASSCOM in India.

The respondents of this survey were GCC Heads, Chief Information Security Officers, Chief Technology Officers, their equivalent or their delegated designates involved in leadership and management functions of global cybersecurity delivery.

This survey has representation from twelve (12) key sectors, namely, infrastructure, automotive, banking, insurance, investment management, life sciences, technology, telecom, manufacturing, consumer and retail, healthcare and pharmaceuticals, and energy. The survey was conducted between 26 April 2018 and 15 June 2018.

Meetings with industry leaders

Inputs were sought from industry leaders through multiple meetings, discussions and brainstorming sessions throughout the development of this report.

Secondary research

The industry experts at KPMG in India conducted a detailed secondary research for each analysis. The team relied on the organisation’s proprietary databases and public websites to gain better understanding into each insight.

Acknowledgements
Our thanks go to all the executives of India-based GCCs who
invested their valuable time to give inputs and contribute to this
report.
Our special thanks to the advisory panel led by Rishi Mehta, Director,
Information Security (Target), Vinayak Godse (DSCI) and Srinivas
Potharaju (KPMG) for their strategic direction from conceptualisation
to the launch of the report.
Our thanks to all the KPMG Partners, Directors and colleagues who
assisted in distributing the survey to GCC contacts.
We acknowledge the efforts put in by the below in preparing this
report.

KPMG in India
• Atul Gupta
• Abhijit Varma
• Santhosh Mayanna
• Priyanka Saraf
• Divya Mishra
• Puneet Tandon
• Reetam Sinha
• Sharon D’Silva
• Rishabh Rane
• Shilpa Bhoir

DSCI
• Vinayak Godse
• Mayank Lau
• Aastha Dhamija

NASSCOM
• Paresh Degaonkar
• Rakesh Kumar

About KPMG in India
KPMG in India, a professional services firm, is the Indian member firm
affiliated with KPMG International and was established in September 1993.
Our professionals leverage the global network of firms, providing detailed
knowledge of local laws, regulations, markets and competition.
KPMG in India offers services to national and international clients in India
across sectors. We strive to provide rapid, performance-based, industry-
focused and technology-enabled services, which reflect a shared knowledge
of global and local industries, and our experience of the Indian business
environment.

About DSCI
Data Security Council of India (DSCI) is a premier industry body on data
protection in India, setup by NASSCOM®, committed to making the
cyberspace safe, secure and trusted by establishing best practices,
standards and initiatives in cyber security and privacy. DSCI brings together
governments and their agencies, industry sectors including IT-BPM, BFSI,
Telecom, industry associations, data protection authorities and think tanks for
public advocacy, thought leadership, capacity building and outreach initiatives.

About NASSCOM
NASSCOM is the industry association for the IT-BPM sector in India. A
not-for-profit organization funded by the industry, its objective is to build a
growth led and sustainable technology and business services sector in the
country. Established in 1988, NASSCOM’s membership has grown over
the years and currently stands at over 2,500. These companies represent
95 percent of industry revenues and have enabled the association to
spearhead initiatives and programs to build the sector in the country and
globally. NASSCOM members are active participants in the new global
economy and are admired for their innovative business practices, social
initiatives, and thrust on emerging opportunities.

KPMG in India contacts:

Mritunjay Kapur
National Head
Markets and Strategy
Head - Technology, Media and Telecom
T: +91 124 307 4797
E: mritunjay@kpmg.com

Akhilesh Tuteja
Global Cybersecurity Co-Head
and Head of Risk Consulting
T: +91 124 307 4800
E: atuteja@kpmg.com

Atul Gupta
Partner
National Leader - IT Advisory
(Risk Consulting) and Cybersecurity
T: +91 124 307 4134
E: atulgupta@kpmg.com

Srinivas Potharaju
Partner
GCC Leader for Risk Consulting
T: +91 98459 19740
E: srinivasbp@kpmg.com

DSCI contacts:

Vinayak Godse
Senior Director
T: +91- 9873083123
E: Vinayak.Godse@dsci.in

Mayank Lau
Senior Consultant
T: +91- 9717869745
E: Mayank.Lau@dsci.in

dsci.in

NASSCOM contact:

Nasscom
Plot 7 to 10, Sector 126, Noida
201303, India
T: +91 120 499 0111
E: research@nasscom.in

nasscom.in

Follow us on:
kpmg.com/in/socialmedia

This report has been jointly developed by KPMG in India and DSCI.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate
and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such
information without appropriate professional advice after a thorough examination of the particular situation.

The views and opinions expressed herein are those of the survey respondents and do not necessarily represent the views and opinions of KPMG in India.

Although we have attempted to provide correct and timely information, there can be no guarantee that such information is correct as of the date it is received or that it will continue to be
correct in the future.

The report may make reference to ‘KPMG Analysis’; this merely indicates that we have (where specified) undertaken certain analytical activities on the underlying data to arrive at the
information presented; we do not accept responsibility for the veracity of the underlying data.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.

This document is meant for e-communications only.
