Security for most Indian companies - even conglomerates - is a joke.
Look at the websites - most look like they've not been upgraded since the 90s, with endless popups
The customer portal of India's largest insurer with a market cap of $63B has literally not changed even once in the 14 years that I've been using it to pay my policy premiums
It's a side effect of pay. Like every other company, you get what you pay for, and for organizations that view web security as a [edit:] Cost Center (eg. Tata Motors) there's no incentive to pay market rate for a Security Engineer - who in India can now demand $60k-100k TCs.
Heck, firms that provide offensive security capabilities to Indian PDs can pay $40k-50k after poaching a junior pentester or exploit developer from a PD.
I understand why someone might think this is a pay issue, but it goes beyond that.
Culturally, doing something "well" (quality oriented, mindful of end-users) vs. "got it done" (transactional, pragmatic way of looking at things) is the heart of why outsourcing to many different geographical areas (India included) often results in something different than expected.
Also, condemning everyone in one part of the world as thinking one way is certainly not fair or true, but there are definitely unmistakable trends.
Because it is about pay.
For example, most of the security portfolio that GCP provides is developed and product managed out of the Google Hyderabad office, as is a fairly major Israeli CNAPP product that starts with "A", a large CNAPP from a public Israeli-American security company that is directly positioned against Wiz, and a major security vuln mgmt and redteaming tool used by the DoD, GitHub, and Google. But all these employers pay $60k-130k TC for mid-career security professionals in India.
We scoop up anyone who is remotely competent at transnational firms or startups because we can afford to pay Western salaries, and traditional conglomerates in India largely do not care about web exploits unless they are a web platform first and foremost.
Tata Motors - being an automotive company - does not care about web development for the same reason GM doesn't as well: it isn't tangibly connected to revenue generation. As such, they will just contract it out to TCS (a Tata Group company, but both are independent of each other) at the lowest contract rate possible.
I don't think there's much culture when the population is just overloaded with work and traffic and stress
It's absolutely the culture, "Chalta Hai" attitude is the culture. (Take it easy, let it go)
Cyber insurance or the threat of litigation after facing a severe breach will be the biggest driver for better security outcomes organizationally.
For example, both Zerodha and Razorpay have cyber insurance and PhonePe and Paytm both cleaned house after major incidents years ago.
It's also the same reason CapitalOne revamped security after the 2019 breach due to a misconfigured WAF.
Essentially, only the risk of either litigation or inability to secure cyber liability insurance will motivate Tata Motors to better manage security. And based on the JLR incident and their inability to secure sufficient cyber insurance, I think Tata Motors will clean house internally.
Everyone is saying it’s about pay, but India is a low trust country (so far as large datasets saying as much can be trusted). Anecdotally I have heard the same from my expat friends as well.
I’m not saying pay has no influence, but saying culture has no influence makes no sense. Even if it was all about pay, wealthy Indians choosing to hoard their wealth instead of distribute it (caste system, etc) is a cultural root for the pay problem. The two are so intertwined that it’s impossible to claim it’s black and white.
The current western trend of outsourcing and/or importing labor is the real source of this issue. Western businesses care only for profit, so they employ cheap labor. Western culture is currently much more low trust than it was 50 years ago, and trending worse. If anything, I think culture is the more defining factor - pay is downstream of it.
Don't want to get into low quality generalizations in your post except to note that a casual Google search will show you that Tata group is one of the most philanthropically oriented groups. Which of course, doesn't excuse this issue.
It is about pay. If you don't have someone working on 5 different items continuously, straining their bandwidth, they tend to do better work.
Pay should reward doing something well vs merely doing something. Of course, this would generally mean you need to pay more than the competitor which will happily pay for merely doing something. So yes it is about pay.
Also, Indian companies are competing with American and Israeli founded or funded companies and startups for the same talent.
If you are competent, instead of earning $15k TC working for an automotive company, you could demand $40k-70k in TC from an MNC or a well funded startup (assuming you have the skills to back it up) - and those are the numbers my portfolio companies use to target hiring in India, as well as what I used previously before I became a VC.
Western companies have the exact same problem though; I've dealt with plenty of incompetent people there too because the organization does not reward technical excellence and quality, so it is completely pragmatic for employees to focus their time on the things that are rewarded (engaging in politics, etc) instead.
During the startup/ZIRP era there might have been people doing the "right" thing because they had skin in the game thanks to stock options or they were paid just so fucking much that they didn't care about putting in the extra work. But as total comps go downward (coupled with inflation) the output's quality tends to regress to the minimum acceptable.
> I've dealt with plenty of incompetent people there too because the organization does not reward technical excellence and quality
Organizational dysfunction transcends all boundaries, but to a certain extent the kind of issues that lead to the kind of incident such as the one above happen because the affected product (e-Dukaan) is viewed as a cost center by Tata Motors.
Sadly, in most cases, a lot of security will always be viewed as a cost center and never prioritized unless forced to due to insurance, audit, or regulatory pressure.
That said, a thesis I've had for a couple years now is that if we can successfully shift-left by turning security into a DevTool problem as well as an organizational problem, we can both reduce remediation time as well as build stickiness for security products. The AppSec category has definitely adopted this kind of mindset.
That culture at WITCH and WITCH adjacent companies is itself a result of the pay.
Sorry to be pedantic but I think you mean 'cost center', not loss leader (something sold at a loss to attract customers into your ecosystem/store). You are entirely right otherwise.
Doh! You are correct! Crossed wires during a meeting
> $60k-100k TC
Really? I think your numbers for the local market are overestimated.
For our portfolio companies, we are fine paying for quality instead of quantity.
Giving a Rs 60-80 lakh TC offer in BLR or HYD makes it easier to identify and hire good talent, and I know peer security firms (private and public) that are product first are offering similar TC offers in BLR, HYD, and NCR.
On top of that, there has been a reverse brain drain going on since the COVID layoffs in early 2020, so if we want to poach good talent that returned to India from the US, we need to be able to offer Western salaries, otherwise they'd either decide to help their former employer open a GCC or they'd start their own startup.
Realistically, I'd say a $35k-60k TC offer gets you the 50 to 75th percentile in talent in much of India for security, but most product-first companies tend to hire for quality not quantity, and depending on size of FDI and the state, a company can get a $10k-20k per head subsidy which makes it easier to offer higher salaries without impacting our bottom line.
That said, if you are being hired to be a SOC, a generic pentester, or a "detection engineer" you'd be lucky to break the $20k TC mark tbh, but the SOC-to-SWE or Pentester-to-SWE conversions have been our most successful ones because it's easier to build a product for security teams when your engineers were former security practitioners.
That said, the salary pressures for getting good talent in India are high simply because we're competing with Google, Microsoft, Citadel, Nvidia, etc for similar kind of talent within India.
Earning $70k-90k TC in Hyderabad or Bangalore is doable with 10 YoE if you have the right profile (the right jobs, work experience, track record, and luck). Heck, this is why companies like Zscaler have been hiring in Tier 1.5/2 cities like Pune or Chandigarh instead because you can get away with paying $35k-50k TCs for the kind of talent that would demand a $70k-90k TC in BLR or HYD.
> endless popups
You get popups? What are you using to browse? IE5?
I sometimes get 'this site is trying to open another window - allow/block?': answer is always 'No'.
Not ad popups, site UI popups.
Another example, financial services publicly traded company with a recent 99% profit decline:
https://www.emkayglobal.com/
In site modals.