Natalia Kasperskaya, InfoWatch: The information security market should change radically; ideally, spheres of influence need to be divided between players
Until recently, the Russian IT market was overheated, and its growth was driven by significant purchases of expensive Western solutions and the excessive development of not always high-quality digital products, said Natalia Kasperskaya, chairman of the board of the Domestic Software Association and president of the InfoWatch group of companies. In an interview with TAdviser editor-in-chief Alexander Levashov, she spoke about the ongoing structural changes in the market and the emergence of an "abyss" of new tasks in the field of information security, which, in turn, will lead to a radical revision of how providers of information security tools do business.
"The increase in salaries of software developers in recent years has been simply monstrous, by 30-40% per year"
I would like to ask you the first question as the chairman of the board of one of the largest IT associations - ARPP "Domestic Software." Recently, TAdviser analysts predicted two scenarios for the development of the IT market for 2022. According to the optimistic, the fall in market volume will not exceed 10%, according to the pessimistic - it will be more than 20%. What scenario do you lean towards? What growth points and factors of decline do you consider the main ones?
Natalia Kasperskaya: It is generally accepted that market growth is good, and a fall is bad. A drop in IT purchases will certainly happen, but is that good or bad in this case? Rather good, because the IT market was largely overheated, and purchases consisted mostly of expensive Western products.
Three factors contributed to the overheating of the market. The first is macroeconomic: the constant rise of the dollar against the ruble. Accordingly, our wonderful market grew due to significant, and expensive, purchases of products from abroad. The second factor is the state digitalization program, under which everything was digitalized, both what was needed and what was not. And the third, directly related to the second, is the fashion for creating digital products. The state set a course for digitalization, and everyone else, including big business, also began to do something "digital." Each bank and mobile operator began to make its own smart speaker or messenger. And also to build an "ecosystem."
As a result, for example, the growth in salaries of software developers in recent years has been simply monstrous, by 30-40% per year. With such dynamics, it is impossible to plan or keep people, because the income of IT companies does not grow at such a speed. When we planned 2022 at InfoWatch, as the biggest risk, we noted precisely the further increase in developer salaries.
The reason for this increase in wages was the fashion for digitalization by large corporations?
Natalia Kasperskaya: In particular. Often, large corporations hired IT employees without looking back. A striking example is our largest banks, which competed over which of them was more digital. One hired 10,000 people, the other 7,000. Then one bought one IT company, the other bought another, etc. Such digitalization was largely implemented with the money of the population and business, the banks' clients. Normal IT companies, of course, cannot compete with large banks, because they do not have access to customers' bank accounts.
But at the same time, the level of services of the largest banks has really grown a lot over the past 10 years...
Natalia Kasperskaya: If banks digitize their banking services, this is good and even excellent. But when they make the tenth smart speaker, without the slightest chance of taking a noticeable share of this strange market, or buy market companies and kill them with their bureaucracy, that is wrong. Everyone should do their own thing. Although I must say that in the current situation, the same banks quickly revised their strategies and began to sharply cut IT areas, which is also not very good. But this generally means that the "bubble" has slowly begun to deflate. As a result, structural changes will occur in the market.
What will they be?
Natalia Kasperskaya: Approximately two-thirds of the software purchased by Russian customers was foreign. As for hardware, I think the share of foreign products was generally 90 percent. Now there should be a redistribution in favor of domestic producers. This is a change in the structure of the market. Therefore, when TAdviser says in its forecasts that a fall of 10% is an optimistic scenario, and of 20% a pessimistic one, it turns out that if the "bubble" has deflated less, that is optimism. In my opinion, it's not about percentages, but about the structure of the market itself. The optimistic scenario is a significant redistribution of budgets in favor of domestic products.
I will explain what TAdviser means by optimism and pessimism. In any scenario, foreign vendors have curtailed or frozen sales, and this part of the market will definitely decrease. And then the question is how actively customers will invest in Russian solutions, replacing SAP, Oracle, Microsoft and others. If they do it slowly, the market fall will be more severe. And this is the pessimistic scenario. If they do it faster, the market will not sink so much, and this is the optimistic development option.
Natalia Kasperskaya: Such an interpretation is close to me. Although spending cuts, which you call "market falls," are far from always bad, as I said above.
Did I understand correctly that banks and other large corporations, according to your observations, began to reduce the development of IT products?
Natalia Kasperskaya: They are starting to reduce personnel not related to internal digitalization. We are talking about IT, non-banking businesses. We have already heard this from several recruitment agencies.
Do you think this will lead to the deflation of the salary bubble?
Natalia Kasperskaya: We see that there has been a decrease in salaries in the lower-level specialties, junior developers and interns. In mid-level specialties, there is no such thing yet. Time must pass. As for the Senior category, I don't think there will be a decrease at all, because there is always a shortage of them.
The head of the Ministry of Digital Development, Maksut Shadayev, spoke about the need to limit investments by state-owned companies in the development of their own products. Do you support this idea?
Natalia Kasperskaya: I believe the answer depends on what exactly the state corporations are doing. If they spend the public money to which they have access on producing operating systems, database management systems (DBMS) and other general-purpose software, then this leads to unnecessary competition with players on the market, and to low-quality, non-core and excess development. If they need some specific system, for example, for their internal industrial calculations, and they did not find it on the market, this is another matter. Here you need to do your own. But it is definitely not necessary to write the 44th operating system based on Linux (this number is not fiction, but the real number of "domestic OS" developments in the Register of domestic software).
"Revoking Microsoft certificates from Russian developers is a pretty strong blow to everyone who creates Windows applications"
How do Russian software developers feel in the current period of time?
Natalia Kasperskaya: We conducted a survey of members of the Domestic Software Association (ARPP) in April 2022, and at that time the mood was mainly optimistic. More than 85% of respondents said they expected orders to rise. Especially serious growth was expected in those classes of products where there were a lot of imports. And, for example, in the main direction of our group of companies - protection against leaks - we do not expect a jump. In our segment, the share of imports was initially small, so import substitution should not affect us.
Now there is a lot of talk about the risks and difficulties of developers of microelectronics and computer technology - problems with logistics, with production sites, a general shortage, etc. And what are the key risks and difficulties in the current situation for software developers?
Natalia Kasperskaya: We also have problems with import substitution. We do not exist in a vacuum. For example, the revocation of Microsoft certificates from Russian developers. This is a pretty strong blow to everyone who creates applications for Windows, since releasing new versions has become impossible. You will have to hastily switch to domestic operating systems. On the other hand, this is a strong blow to the reputation of Microsoft itself, showing the political engagement of the company.
Previously, it seemed that corporations such as Microsoft, in principle, could not leave the country.
Natalia Kasperskaya: Imagine, yes. But this is a good signal for import substitution. For example, we have already changed our development priorities and set import substitution projects, which were planned for next year, for the coming months. And a lot has already been implemented. Of the latest such projects - compatibility with RED OS.
Is this the first Linux your products support?
Natalia Kasperskaya: No, we previously provided compatibility with Astra Linux. We are not planning more, since any transfer of our products to alternative operating systems means the need to support all these systems in the future, and this is quite expensive.
If you look at the products of members of the Domestic Software Development Association, how much does the share of Windows software exceed the share of products compatible with domestic operating systems?
Natalia Kasperskaya: It is orders of magnitude larger. I can say that Windows software is dominant in the register of domestic software. About 90 percent.
How effective do you consider the IT industry support measures that have been developed by the Ministry of Digital Development and the Government? Is something perhaps missing?
Natalia Kasperskaya: I believe that we have already been very well supported. Of the most effective measures, I would note the exemption from income tax, because over the past year everyone has put on some fat. And the exemption from all inspections. Deferral from the army is also a good measure.
That is, is it all relevant for you?
Natalia Kasperskaya: The deferral from the army was not even effective in the literal sense; not many people took advantage of it. Rather, it worked as a moral, psychological factor. It is no secret that most developers are young men of draft age, and they are nervous that they can be called up. The introduction of the deferral worked as a good calming factor. Therefore, yes, it was an effective measure. And most importantly, very timely.
Preferential mortgages are also an excellent measure. I have always advocated for this, because this is a real measure of support, real. It is important not for companies, but directly for people.
"Now it became clear that the jokes are over, it can shake seriously"
In May 2022, President Putin proposed creating a state information protection system and asked members of the Security Council to work out relevant proposals. How, from your point of view, should this system be arranged? How should it function, what areas should it cover?
Natalia Kasperskaya: To be honest, I do not really understand what is meant. We already have the State System for Detecting, Preventing and Eliminating the Consequences of Computer Attacks. It, in principle, works normally. Companies that want to interact with it sign a contract and begin to transmit information about their threats, and in response receive information from others. Coordination within the State System for Detecting, Preventing and Eliminating the Consequences of Computer Attacks is carried out by the National Coordination Center for Computer Incidents (NCCCA).
The Central Bank of Russia has its own system, called FinCERT, which has developed very much in recent years. Something similar is now being built in the transport industry. Probably, such centers should appear in every area. Perhaps combining them will become that very state information protection system.
On the other hand, if we look at the threat model from the point of view of the state, it will be very difficult, because we have a very large amount of infrastructure, software and hardware, and all of it is of foreign production. And no matter how we apply external, so-called "superimposed" security tools to other people's products, their effectiveness will be low. The simplest example is Microsoft, which we discussed above. Certificates were revoked and that's it. And this is not solved in any way by "superimposed" security. Only import substitution.
Some leaders think that they will not buy domestic, but will continue to use foreign software, only now for free, a kind of legal piracy. And the state "winks" at such tactics, as if to say, "we will not check." But this approach seems to me wrong, because even such software may contain backdoors that can still be used remotely.
Therefore, when they tell me about a "state information protection system," I do not fully understand what this is about. Maybe the Security Council has some kind of model.
Interestingly, the information security industry is not involved in working on the system...
Natalia Kasperskaya: Maybe someone is involved, but not us. We are engaged in "content" security. There are companies that deal with virus threats; perhaps they are being involved.
How much, from your point of view, should the state involve business in its security circuit?
Natalia Kasperskaya: On the one hand, it is right to attract business, since the best personnel on average still work in commercial companies, and not in the public sector. But, on the other hand, you also need to attract carefully... For many years I have been observing, for example, the interaction of the state and business in the working group on information security (information security) of the Digital Economy national program, of which I am the head. There are situations where people clearly push their interests, and it is not always useful to the state.
According to the president, on a third of critical infrastructure facilities there are no units responsible for information security, and the May decree says that the heads of organizations - owners of CII should be personally responsible for ensuring that CII facilities are protected from cyber threats. How do you assess the current level of CII protection against information threats? What are the weaknesses that require maximum executive attention?
Natalia Kasperskaya: The decree is very correct and timely. I will explain what the problem with critical information infrastructure (CII) is. 187-FZ on the security of CII facilities was adopted in 2017, and by 2021 enterprises had to assign a certain category to their critical infrastructure facilities, depending on the significance of the facility, the definition of which is spelled out in the law. But everyone tried either to postpone this task, or simply not to recognize themselves as a CII object. And now it has become clear that the jokes are over, it can shake seriously. This decree, in fact, introduces personal responsibility for the security of CII. That is, finally there will be someone to ask. Moreover, it will be impossible to shift responsibility onto anyone else. It's very correct.
We noticed that the information security community immediately revived; there were requests for products and consultations. Although there are situations when, for example, the head physician of a polyclinic, which, of course, belongs to the CII objects, grabs his head and says: "We don't really have IT people, what kind of security!" But if you want to store medical personal data in electronic form, then you will have to open this staff position. Or else store all the data on paper.
Which is impossible, in general.
Natalia Kasperskaya: Why is it impossible? This has been done for the past hundreds of years. But this is a question of purpose. If the Ministry of Health pushes medical organizations to electronic document management, then let it give each CII object a staff position for information security, allocating funding for this. Before digitalizing, you must first ensure security.
Until recently, the approach was this: we are engaged in digitalization, and how to ensure security, we will figure out later. And we are now reaping the fruits of this harmful approach. Security principles must be laid down immediately in the systems being designed, and not the other way around. Otherwise, we get situations when an enterprise comes to us whose entire infrastructure, of Western production, is actually already compromised, and to fix it, you need to remake all the IT systems. And how do you save such a client? In some situations, it is simply impossible or extremely difficult and expensive.
Where can medical institutions find so many information security specialists?
Natalia Kasperskaya: Look on the market or postpone digitalization.
Are you proposing to postpone digitalization until the security issue is resolved?
Natalia Kasperskaya: I believe that in the current conditions, the more correct decision will be to freeze digital development until it is possible to find information security specialists. Perhaps this will lead to a slowdown in the growth of some indicators (say, indicators of "digital transformation"); perhaps it will not allow the effectiveness of some activity to be increased. But this is better than losing hypersensitive data or stopping critical information systems.
We have seen data leaks for many years. In most cases, enterprises do not acknowledge the leak. And the excuses there are always standard: "the leak did not happen with us," "the leak was insignificant," "the data that leaked is old, incomplete, unusable, bad, and will not affect anything." I especially like the fourth point: "the perpetrators have been punished." That is, there was no leak, the data is irrelevant, so why then did you punish the perpetrators? In reality, as we understand it, no one is held responsible for data leaks. Have you heard of trials of company executives under articles on negligence or data theft? I haven't.
Therefore, I believe that something needs to be done about this. And assigning personal responsibility is not all. This is the first step, but it is very important. At least there will be a chance that someone will begin to be punished.
"Ideally, you need to divide the spheres of influence between the players so that everyone takes 2-3 industries and can cover all their requirements for information security"
Do you expect a serious increase in demand for information security solutions in connection with the adoption of the presidential decree? How much will this all stimulate the more active introduction of information security systems?
Natalia Kasperskaya: I think that information security market players need to radically adjust their approaches. From the usual and standard "imposed" means, it is necessary to move to adaptation for specific industries, for specific threat models. At the junctions of industries, alliances should be born on the protection of information, on specific types of data. Alliances should be created with industry representatives who can explain the specifics of the industry to information security specialists so that they can develop products to protect these specific data from specific threats. Now we are discussing two such alliances, and I hope they will grow into something systemic.
Can you give an example of such industry specifics?
Natalia Kasperskaya: For example, protection of automated process control systems (APCS) in the power sector. There are extremely specific controllers, network structure, data processing processes and, accordingly, special threat models. We specially "sharpened" our APCS protection product for the energy sector. This means that power engineering specialists can deploy it relatively quickly at any next enterprise. And for other sectors, major alterations will be required, or an entirely new development.
Do you need specific solutions for medicine too?
Natalia Kasperskaya: Yes, of course. In medicine, protection of personal medical data is important, while for power facilities, sustainability is important. Transport has its own requirements. No single Russian information security company will be able to cover all the requirements of all industries. Ideally, it would be necessary to divide the spheres of influence between the players so that everyone takes 2-3 industries for themselves and can cover all their requirements for information security.
In 2021, an initiative was launched to create a new Ministry of Information Security. Maybe there is a similar structure and should regulate such industry specifics? How do you feel about this initiative?
Natalia Kasperskaya: I do not really understand what this new ministry should do. Now the regulation of information security is divided between the FSTEC and the FSB. And the use of information security systems for state-owned enterprises is already extremely regulated. But in my experience, tight regulation always makes it difficult to move in the market, not simplifying it. Here, apparently, the players themselves need to agree among themselves.
Prime Minister Mikhail Mishustin recently announced that it is planned to create industry consortia of customers who should just go to IT companies with their needs. Maybe this form of interaction will help solve the problem?
Natalia Kasperskaya: When I heard about this, I also thought that this would be a good opportunity in terms of providing contacts. It is no secret that getting to talk to a large customer is not an easy task. If such customers themselves can formulate their needs, and not even individually, but for entire industries, this will greatly simplify the task for developers.
Do you believe in this idea of customer consortia? Or will it turn out that they will gather, not agree and scatter?
Natalia Kasperskaya: I see that now large companies have a clear need for domestic protection solutions. They are a little confused; they do not know what to do in the current conditions, and they do not understand how to quickly replace foreign solutions with domestic ones. Therefore, of course, it would be good for someone to come and give them turnkey solutions. And here the interests of developers and of large enterprises as customers coincide. Actually, ARPP "Domestic Software" is trying to do this. We have an integration committee that has begun to work through industry solutions.
Will it not turn out that consortia will support only a number of selected products with their orders, and the rest will be out of work and will be forced to leave the market?
Natalia Kasperskaya: You don't need to leave the market. There are enough tasks for everyone. Someone is better at catching viruses, someone is better at monitoring information, and someone, for example, creates security management centers that can collect data from both antivirus and monitoring systems. Previously, everyone tried to expand their product lines, sometimes sacrificing quality. Now, from duplication, we must move on to solving still unresolved problems. That's what I'm trying to get across.
Are you negotiating a similar division of spheres with other information security players?
Natalia Kasperskaya: Yes, we are conducting such negotiations, and I hope that we will succeed. Reasonable leaders of information security companies understand that it is necessary to unite, because the speed and onslaught of computer attacks have increased sharply; there are now many more protection tasks than all market players can solve separately. And these tasks need to be dealt with. Maybe even as a "subbotnik" (volunteer work day).
Volunteering?
Natalia Kasperskaya: Yes, for example. Let's say that each strong player takes on several areas that are not yet interesting to anyone and therefore remain unprotected. Perhaps in this direction it is precisely necessary to regulate from above.
What parts of the market would you attribute to the most "uninteresting"?
Natalia Kasperskaya: For example, medicine, which is very fragmented, where each individual institution has little money, but each individual institution is a CII object. And all this on top of the fact that this area is not centralized: medical institutions are subordinate to the regions, that is, you need to negotiate with each region separately. At the same time, each region has several of its own "self-written" systems. How they are protected, and whether they are protected at all, is a big question.
In theory, such issues should be regulated by the Ministry of Health.
Natalia Kasperskaya: The Ministry of Health should, but so far it is not doing very well. Medical institutions are rested because they are subordinate to the regional government. But due to such fragmentation, they turn out to be uninteresting for players in the information security market, and therefore unprotected. There are two possible solutions: either the transition to centralized IT management of all medical institutions by the Ministry of Health (the best option), or the choice of responsible market players for several regions.
Have you already discussed this initiative with competitors? How much does this idea resonate?
Natalia Kasperskaya: We are now trying to come up with a design that is beneficial for everyone, and I hope that we will succeed. Perhaps industry alliances will help.
So far, alliances are also only assembled in the fattest parts of the market.
Natalia Kasperskaya: Yes, that's right. But you have to start somewhere.
Which industries other than medicine would you classify as the most unprotected?
Natalia Kasperskaya: Judging by the requests to the information security working group of the Digital Economy national program, the rapid digitalization of transport has created many new problems with information security in this industry. The same applies to agriculture: it has digitalized quite vigorously in recent years, but the security of these implemented systems is doubtful.
There is probably not much personal data.
Natalia Kasperskaya: Not much, yes. There is a completely different threat model, but the consequences can be critical. Imagine if an external attack or remote intervention by a foreign manufacturer leads to errors in the calculation of fertilizers or feed, and then because of this the harvest dies or livestock begin to die... This threat model must be worked out separately, and security systems must be adapted for it.
Digitalization of industries completely changes the landscape of the information security market. Previously, information security existed as a thing in itself. InfoWatch made leak protection tools, Kaspersky Lab - antivirus, Positive Technologies - source code analysis, etc. With mass digitalization, it became clear that these means are not enough. There were a huge number of devices, infrastructure nodes, the number of which is constantly growing. They are controlled by algorithms that often cannot be verified, and many of them have remote access that the user cannot control.
Previously, a new technology or digital product appeared, after some time its weaknesses were identified, and appropriate protective tools were created. In recent years, the development of protection has not kept pace with the speed of digitalization. For example, only 20% of IoT devices have at least some kind of protection. Or automated process control systems (APCS): they used to be standalone. And now they are connected to the network, and it is possible that at some point the manufacturer (or someone else: a hacker, a terrorist, a military enemy) can simply turn them off, and so on... Under these conditions, it is wrong to discuss the growth or fall of the market, because it must change radically altogether.
I meant, will demand grow and, if so, what exactly?
Natalia Kasperskaya: Yes, the demand for information security tools will now grow very much, although so far we do not fully know the scale. A couple of months ago, a representative of one industry decided to create a security alliance. He invited all the major players in the information security market. We were surprised, because this kind of meeting happened for the first time. And when he told us about security issues in his industry, I was absolutely amazed. Firstly, we had no idea about these problems, and secondly, there are no solutions on the Russian market that could protect them. An unexplored abyss opened before us.
How susceptible to attacks is this newly opened abyss?
Natalia Kasperskaya: They just thought about security after they began to attack them hard. Previously, they, apparently, were not interested in anyone.
How did the meeting end? What did you decide?
Natalia Kasperskaya: Everyone left very puzzled. I believe that each developer will deal with new problems, taking into account his key competence. And I understand that I will need to single out a separate team that will deal with this.
If something works out, then it will be a completely different approach to solving information security problems. Not just disparate security solutions - DLP, antiviruses, firewalls, but complex typical solutions for protecting a particular industry. It is not yet very clear how this should work.
That is, ultimately the described trend should lead to a serious restructuring of companies in the information security market?
Natalia Kasperskaya: Yes... It's an unplowed field. This is a new, so far even undiscovered segment of the market. And neither we, nor Kaspersky Lab, nor anyone else alone will be able to solve the problems of the entire industry. That depth has yet to be realised.
"In some countries, we have a slowdown in sales, but unexpectedly there were requests from countries that we had not even taken into account before"
InfoWatch has significantly increased turnover in 2021 - by more than 30%. What do you associate growth with?
Natalia Kasperskaya: Yes, the annual turnover of the InfoWatch group of companies exceeded 1.9 billion rubles. Some of the growth was due to organizational changes, in particular, the appointment of a new commercial director - Amir Dautov. He built correct and transparent business processes, more effective sales logic, focused on working with regions, and all this gave its effect. Of course, IT fashion also contributed to the growth.
What are your expectations for 2022?
Natalia Kasperskaya: We have planned 20% growth, and so far we are slightly ahead of this forecast.
Have you faced the departure of employees abroad?
Natalia Kasperskaya: There were several cases of departure "on emotions," but now almost everyone has returned.
What is the situation with exports? Is it possible to sell something outside the borders of Russia?
Natalia Kasperskaya: In some countries we have a slowdown in sales, but unexpectedly there were requests from countries that we, in general, had not even taken into account before. I won't tell you details yet, I'm afraid to jinx it.
I.e. no serious collapse of the export business?
Natalia Kasperskaya: We did not trade with "unfriendly" countries. We left Europe 7 years ago - European legislation is bad for content control systems. There was no point knocking on the closed door. Therefore, we did not lose anything. But there are prospects in Asian markets. And we are working in this direction.
A number of foreign companies have left Russia. Were your direct competitors among them?
Natalia Kasperskaya: Practically not. We defeated them all 7 years ago. We estimated the total share of foreigners in our DLP segment in 2021 at a maximum of 3%. It's obviously even smaller now.