Issue dated - 15th December 2003


The CIO as a security strategist

While some pundits say that security should be the responsibility of a separate individual, a chief security officer (CSO), corporate India still relies on its CIOs to protect information from the barbarians at the gate, says Rahul Neel Mani

Information and network security is one of the paramount concerns of the information systems department of any corporate. In times when there are constant threats of theft, attack and hacking of information and networks, anything that protects information up to 70 percent of the time is considered remarkable. The ‘SecureSynergy Security Strategist Awards 2003’ (a part of Technology Senate 2003) was an important landmark in recognition of the relentless efforts made by information security professionals to secure their networks and information residing on those networks. Here we look at some insights from the winners on security strategies.

Keep security systems updated

Some companies do it themselves; others outsource it to a third party with SLAs to keep things under control. “We believe that security is an ongoing process and it cannot be static. Vulnerabilities have to be assessed at regular intervals,” says S B Patankar, director, IS, Bombay Stock Exchange. The BSE has a clear-cut policy that takes care of virus protection for the complete group’s operations. The same policy also takes care of access control.

In the case of firewalls and intrusion detection systems, BSE believes in best-of-breed solutions. The annual maintenance contract signed by equipment and software suppliers is helpful in regularly updating these products.

“Whenever we buy a product there is an annual maintenance contract (AMC) involved. Then there is a service level agreement in case we tie up with a service provider. Our arrangement is such that the anti-virus is automatically downloaded on the server and from there it is sent to clients. Godrej has deployed CheckPoint firewall with assistance from Ramco. The Ramco team visits twice a month to check all logs and give us an update and regular reports,” says Mani Mulki, GM Technology, Godrej Industries.

Similarly, Zip Telecom has an agreement with Sify, according to which the ISP is responsible for updating Zip’s firewall and IDS.

Physical security matters

“It is an essential part of overall information and IT security,” says Patankar. The BSE had a problem of employees sitting at the same place where critical servers were located. This was perceived as a serious threat to its systems. The management decided to keep the servers at an alternate secure location where access was given to only a few folks in IS.

A lot of company information is lying around in the physical environment in the form of printouts, unmanned PCs and photocopies. These need to be protected just as much as an organisation’s databases.

Policy—policing the enterprise

There should be a proper documented security policy derived from actual needs being mentioned by key people in top management. Security policy should define how it is to be implemented and administered. For instance, the BSE’s security policy defines the mechanism for escalation of troubles, information of possible intrusion and alert mechanisms. While pundits proclaim the need to frequently update security policies, in the real world this takes place on a case-to-case basis. “As and when there is a sign of intrusion or virus attack, we review the policy and if it needs to be amended, we make the necessary changes to it,” adds Patankar.

Some companies accept readymade policies. Godrej didn’t. Its security consultants were told that it wanted an exclusive security policy. This took six months, starting with detailed interviews of the top management and culminating in a 400-page document.

Build in security at the design stage

“It makes sense for security to be embedded at the design and deployment level,” says Patankar.

“Although it is essential and should be the first step taken, not many companies are really bothered with this,” says Mulki. Godrej realised that it had to safeguard applications and to do that it had to go back to the basics.

CSO anyone?

While the role of a CSO clearly exists, it depends on the particular industry and company whether or not it wants to have a chief security officer (CSO). “Ideally there should be a CSO to guard information in any company and the CSO should not be from the IT department. He should be a non-IT person reporting directly to the CEO and having a dotted line relationship with the CIO,” says Mulki. In the case of SMEs it doesn’t make sense to have a separate individual for this role. “For us it is not possible to have a separate CSO. We are a small organisation. In our kind of system we have a network manager who also plays a role of a CSO,” says Nandu Bhat of Zip Telecom.

rahul@expresscomputeronline.com

SecureSynergy Security Strategist Awards 2003

These awards recognise security strategists who have demonstrated leadership in the field of information security. Awarded to chief security officers, or executives in equivalent positions, the SecureSynergy Security Strategist award was an award for those who understand that security is more of a process than just a product. These technocrats are also tuned in to the latest technology developments that can be perceived as threats to their organisations.

The keynote speaker on the SecureSynergy Security Strategist Awards night was Professor S Sadagopan, director, IIIT-Bangalore. Professor Sadagopan spoke about the importance of information security in today’s world and outlined prescriptions for senior IT managers to make their organisations secure.

Capt. Felix Mohan, CEO of SecureSynergy, while presenting the awards discussed the changing face of security from a fortress to an airport model and the new paradigm of the point-to-point model and the fresh challenges this would bring to the technology community. He touched upon issues related to creating a Defence-in-Breadth strategy in conjunction with the Defence-in-Depth model organisations have to grapple with.

The jury

The jury panel for the awards was a mix of industry experts and eminent academics. One of the important responsibilities of the panel was to decide the parameters for the award. The jury panel included Dr Deepak B Phatak (currently working with IIT Bombay as Subrao M Nilekani Chair Professor at the Kanwal Rekhi School of Information Technology). The second member of the jury was Lalit Sawhney, senior vice president Technology, Reliance Infocomm. The third panellist was Capt. Felix Mohan, CEO of SecureSynergy.

The winners:

Category: Banking, Financial Services and Insurance (BFSI)

S B Patankar, director-IS, The Stock Exchange, Mumbai

Head of IT at the Stock Exchange, Mumbai since 1996. In BSE, he was instrumental in implementing the BSE Online Trading (BOLT) system and successfully migrated from an open outcry system to a fully automated trading system. The nationwide BOLT system covers 400 cities, 2,500 VSATs and 9,000 trader workstations.

Category: Non-BFSI

Mani B Mulki, general manager-IS, Godrej Industries

Mani B Mulki has been a major driving force behind Godrej Industries’ ERP rollout. The next wave of IT initiatives that Mani spearheads is e-business and data warehousing. This consists of putting e-business solutions in place to connect customers, suppliers and distributors to the organisation. It will also involve implementation of CRM initiatives and business intelligence tools for Godrej Industries.

Category: Small and medium businesses (SMB)

Nandu Bhat, GM-IT, Zip Telecom

Nandu Bhat has over 23 years of IT experience, spanning six companies in various industries. Nandu began his IT career in December, 1980 with Advance Computer Services, a software consultancy, through which he was intimately associated with various companies such as TOMCO, Contract Advertising and B4U before joining Zip Telecom.



© Copyright 2003: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.