Security at the top of the agenda
Security is priority number one for CIOs, many of whom will
concentrate on developing strategies and policies in-house, and leave the deployment
and management of the set-up to third-party specialists, predicts Soutiman
Most Indian organisations expect substantial growth of business
in the year ahead. This translates into new business units, locations and personnel.
Many of these companies have already deployed extensive IT infrastructure to
run their businesses, and intend to introduce more automation with newer applications
Because corporates are realising that their critical information nestles in
their IT infrastructure, security is making its way to the top of their agenda.
It will continue to be a boardroom issue, and CIOs will drive home the need
for a security mindset among employees and other stakeholders of the organisation.
The Infrastructure Strategies (IS) 2004 survey of CIOs jointly conducted in
India by Network Magazine and IMRB reported that information security is the
highest priority for Indian companies.
So it's no surprise that most CIOs have high expectations from their security
infrastructure, and have charted out extensive security-focussed strategies
and action plans for 2005.
"Since enterprise-wide applications are being deployed in organisations,
network security has become a critical concern area in recent years. We have
to deal with both external as well as internal network security issues,"
says Subhojit Roy, head, information technology, SBI Funds Management. "Our
aim is to protect our information and IT infrastructure from threats such as
viruses, worms, spam, unauthorised access and intrusion so that all our systems
are available at the optimum level all the time."
The security domain
Within the domain of information security, Indian CIOs have their respective
S R Mallela, CTO of AFL, will emphasise operational security this year. "Business
is growing, web-related activities have increased, and outsourcing is an important
priority for the organisation. All users want their requests serviced as quickly
as possible, so it's very important to provide operational information security
to the business," he explains.
Great Eastern Shipping will build an infrastructure in 2005 which will, to some
extent, extend its systems to its business partners. Says R P Dumasia, the company's
IT chief, "We will focus on internal security, and also look at options
to help us consolidate reports from various logs captured by our security software
and devices. We will also ensure that processes and policies are accepted and
driven by the management, and enforced effectively throughout the company."
And says Shirish Gariba, VP, IT of Elbee Express, "Awareness of security
policies and processes within the organisation will be important. We will train
and build an internal team of security trainers, who will train others in the
company. An external team of experts will also be hired to train our personnel."
The emphasis on security arises from various aspects of change
in the business environment. With business models evolving and competition ever-rising,
there is a need for greater emphasis on the information and physical security
of IT infrastructure.
Regulators and regulations are forcing organisations to implement information
security solutions. Points out Roy, "RBI and SEBI, the regulators in the
banking and financial sector, came out with lots of regulations and guidelines
which resulted in information security initiatives being taken up in recent
Observes Harcharan Singh, information systems manager, Hyatt Services India,
"In the case of on-demand businesses, information security is not an option,
it is a requirement. We have seen security initiatives change over the last
three years as business changes. Organisations have moved from closed user group
leased line connectivity to VPNs and the Internet backbone. These demand a high
level of security, which naturally had to be implemented."
G Radhakrishnan Pillai, head of information technology at SRL Ranbaxy, feels
that regulations play a major role in an enterprise's adoption of security.
He provides a splendid example, "All of us are aware that the use of cell
phones while driving can cause accidents, yet most people continue to talk while
driving. But the moment it gets enforced by a regulatory body they will all
follow the rule."
A number of security solution providers have introduced a range of Integrated
Security Devices (ISDs) in the market. These ISDs combine the functionalities
of a firewall, IDS, network traffic analyser and anti-virus facility into a
"Integrated devices are likely to be preferred for new installations, but
they currently do not provide a significant cost-performance benefit for existing
installations to switch over. These devices will definitely impact the performance
and management of security in larger organisations, but they are proprietary,
so one has to choose the vendor well," warns Dumasia.
Adds Roy, "Whether these devices will capture significant market share
will depend on their success in tackling security threats as well as in introducing
better manageability features. From the cost point of view, these integrated
devices should fare better when compared to point solutions."
Mallela, however, feels that both ISDs and point solutions will prevail, and that
companies may prefer to use a mix of both in their networks.
- Integrated devices are likely to be preferred
for new installations
- Regulatory bodies will have to put pressure
on organisations to implement essential security measures
- Security strategies and policies will be made
in-house, but the physical infrastructure and management responsibilities
will be outsourced
Policies and awareness
"Even if you have purchased a lot of security hardware and software, they
are useless without creating a policy to drive the infrastructure," explains
Bhavin Kadakia, head of IT at the Indian Merchants' Chamber. He has physically
separated his organisation's web server from its database server as part of
security policy. Awareness programmes and the training of internal users and
are also planned for 2005.
Kadakia will focus equally on policies and training. He feels that awareness
of the importance of security has grown, especially in the SME sector; this
will continue to grow in 2005.
For his part, Harcharan Singh plans to do extensive planning followed by the
creation of security policies. "I will carry out a business requirement
analysis which will help create a project plan and fix a budget. This will be
followed by a study of operations requirement and technology evaluation, which
will bring us to a test plan. Then depending on the findings I may create a
centralised group policy or a local one. With this I can create a model for
security policy to manage customer expectations and functional specifications."
As for Nihar Rao, chief technology officer of OM Kotak Mahindra Life Insurance,
the plan is to increase the focus on user policies.
The managed service provider market in India has matured considerably
over the last few years. ISPs and IDCs (the likes of VSNL-Tata Indicom,
Sify, HCL Comnet, Comsat Max, NetMagic and Cyquator) provide world-class
managed security services. Pure managed security service providers such as SecureSynergy
provide an entire range of security-related services like patch management,
anti-virus solutions, audits and monitoring.
Initially Indian organisations were cautious, but now they are comfortable with
the idea of a third party taking care of their information security needs. This
year, these outsourcing service providers will bring a number of benefits to
Mallela strikes a note of caution: "Other than large companies, SMEs cannot
afford to purchase updated security hardware and software, and then hire people
to run their security set-ups. Outsourcing these responsibilities will save
costs and hassles for small organisations."
Dumasia feels that information security strategies and policies will be made
in-house, but the physical infrastructure (hardware and software) and management
responsibilities will be outsourced over the course of the year. "Security
audits will be outsourced to competent external agencies, and this will help
check the effectiveness of policies and processes."
Concludes Roy, "Like any other outsourcing activity, there will be a mixed
response to security management outsourcing. Some companies may not like to
outsource this function as it involves their critical business information."
On the other hand, it will be exceedingly difficult to manage
the entire IT security domain in-house with limited resources. Which is why
there is reason to believe that outsourcing security management will create
new business opportunities this year.