How do most Indian companies
define information security? As per Infrastructure Strategies
2002 (IS 2002), a nation-wide survey of IT decision
makers and decision influencers, more than 50 percent
of the respondents equate information security with
just anti-virus or firewalls. The only exception is
the BFSI sector, where, given the sensitive
nature of financial data, security is considered paramount.

Most companies tend to lay
too much emphasis on the technology aspect of security.
True, technology is important and anti-virus and firewalls
form a core component of information security, but there's
a lot more to security than just these two. To define
a successful security strategy for your organization,
you need to consider people and processes as well.

Information security in any organization is only as secure
as its weakest link. And people are the weakest link
in the security chain. How often do you come across
employees who write their login ID and password on piece

The solution is to create awareness
among employees about their security responsibilities.
They should be trained as and when there is a change
in business process or technology, since both are closely

Processes are critical to defining a successful security
strategy. In fact, security technology isn't worth much
unless the processes are properly defined or implemented.
Sadly, in many companies security processes are either
immature or non-existent. IT managers consider security
a one-off, solutions-driven implementation.

Processes are a mix of security
policies, audits, best practices, and understanding
of regulatory and corporate issues. Companies should
have a clearly defined framework for periodic assessment
of security policy or audits.

Finally, the success of any change initiative is directly
related to top management. Likewise, security change
should start at the very top. The CEO, board of directors
and executive management (including business heads)
should be committed to incorporating the changes required
to make the organization more secure. They should realize
that security is a business issue and not just a technology
one. The idea would be to make security an inseparable
part of corporate culture.

Sandeep Ajgaonkar, Associate Editor