Issue of February 2005 



Information security

Security at the top of the agenda

Security is priority number one for CIOs, many of whom will concentrate on developing strategies and policies in-house, and leave the deployment and management of the set-up to third-party specialists, predicts Soutiman Das Gupta

SR Mallela, CTO, AFL Private Limited

Most Indian organisations expect substantial growth of business in the year ahead. This translates into new business units, locations and personnel. Many of these companies have already deployed extensive IT infrastructure to run their businesses, and intend to introduce more automation with newer applications and hardware.

Because corporates are realising that their critical information nestles in their IT infrastructure, security is making its way to the top of their agenda. It will continue to be a boardroom issue, and CIOs will drive home the need for a security mindset among employees and other stakeholders of the organisation.

Highest priority

The Infrastructure Strategies (IS) 2004 survey of CIOs jointly conducted in India by Network Magazine and IMRB reported that information security is the highest priority for Indian companies.

So it's no surprise that most CIOs have high expectations from their security infrastructure, and have charted out extensive security-focussed strategies and action plans for 2005.

"Since enterprise-wide applications are being deployed in organisations, network security has become a critical concern area in recent years. We have to deal with both external as well as internal network security issues," says Subhojit Roy, head, information technology, SBI Funds Management. "Our aim is to protect our information and IT infrastructure from threats such as viruses, worms, spam, unauthorised access and intrusion so that all our systems are available at the optimum level all the time."

The security domain

Within the domain of information security, Indian CIOs have their respective focus areas.

S R Mallela, CTO of AFL, will emphasise operational security this year. "Business is growing, web-related activities have increased, and outsourcing is an important priority for the organisation. All users want their requests serviced as quickly as possible, so it's very important to provide operational information security to the business," he explains.

Great Eastern Shipping will build an infrastructure in 2005 which will, to some extent, extend its systems to its business partners. Says R P Dumasia, the company’s IT chief, "We will focus on internal security, and also look at options to help us consolidate reports from various logs captured by our security software and devices. We will also ensure that processes and policies are accepted and driven by the management, and enforced effectively throughout the company."

And says Shirish Gariba, VP, IT of Elbee Express, "Awareness of security policies and processes within the organisation will be important. We will train and build an internal team of security trainers, who will train others in the company. An external team of experts will also be hired to train our personnel."

Business change

Bhavin G. Kadakia,
Indian Merchants' Chamber

The emphasis on security arises from various aspects of change in the business environment. With business models evolving and competition ever-rising, there is a need for greater emphasis on the information and physical security of IT infrastructure.

Regulators and regulations are forcing organisations to implement information security solutions. Points out Roy, "RBI and SEBI, the regulators in the banking and financial sector, came out with lots of regulations and guidelines which resulted in information security initiatives being taken up in recent years."

Observes Harcharan Singh, information systems manager, Hyatt Services India, "In the case of on-demand businesses, information security is not an option, it is a requirement. We have seen security initiatives change over the last three years as business changes. Organisations have moved from closed user group leased line connectivity to VPNs and the Internet backbone. These demand a high level of security, which naturally had to be implemented."

G Radhakrishnan Pillai, head of information technology at SRL Ranbaxy, feels that regulations play a major role in an enterprise’s adoption of security. He provides a splendid example, "All of us are aware that the use of cell phones while driving can cause accidents, yet most people continue to talk while driving. But the moment it gets enforced by a regulatory body they will all follow the rule."

Integrated devices

A number of security solution providers have introduced a range of Integrated Security Devices (ISDs) in the market. These ISDs combine the functionalities of a firewall, IDS, network traffic analyser and anti-virus facility into a single box.

"Integrated devices are likely to be preferred for new installations, but they currently do not provide a significant cost-performance benefit for existing installations to switch over. These devices will definitely impact the performance and management of security in larger organisations, but they are proprietary, so one has to choose the vendor well," warns Dumasia.

Adds Roy, "Whether these devices will capture significant market share will depend on their success in tackling security threats as well as in introducing better manageability features. From the cost point of view, these integrated devices should fare better when compared to point solutions."

Mallela however feels that both ISDs and point solutions will prevail, and that companies may prefer to use a mix of both in their networks.

Over the year

  • Integrated devices are likely to be preferred for new installations
  • Regulatory bodies will have to put pressure on organisations to implement essential security measures
  • Security strategies and policies will be made in-house, but the physical infrastructure and management responsibilities will be outsourced

Policies and awareness

"Even if you have purchased a lot of security hardware and software, they are useless without creating a policy to drive the infrastructure," explains Bhavin Kadakia, head of IT at the Indian Merchants' Chamber. He has physically separated his organisation's web server from its database server as part of security policy. Awareness programmes and the training of internal users are also planned for 2005.

Kadakia will focus equally on policies and training. He feels that awareness of the importance of security has grown, especially in the SME sector; this will continue to grow in 2005.

For his part, Harcharan Singh plans to do extensive planning followed by the creation of security policies. "I will carry out a business requirement analysis which will help create a project plan and fix a budget. This will be followed by a study of operations requirement and technology evaluation, which will bring us to a test plan. Then depending on the findings I may create a centralised group policy or a local one. With this I can create a model for security policy to manage customer expectations and functional specifications."

As for Nihar Rao, chief technology officer of OM Kotak Mahindra Life Insurance, the plan is to increase the focus on user policies.

Outsourcing security


Subhojit Roy,
Head - Information Technology,
SBI Funds Management Pvt. Ltd.

The managed service provider market in India has matured considerably over the last few years. ISPs and IDCs—the likes of VSNL-Tata Indicom, Sify, HCL Comnet, Comsat Max, NetMagic and Cyquator—provide world-class managed security services. Pure managed security service providers such as SecureSynergy provide an entire range of security-related services like patch management, anti-virus solutions, audits and monitoring.

Initially Indian organisations were cautious, but now they are comfortable with the idea of a third party taking care of their information security needs. This year, these outsourcing service providers will bring a number of benefits to organisations.

Mallela strikes a note of caution: "Other than large companies, SMEs cannot afford to purchase updated security hardware and software, and then hire people to run their security set-ups. Outsourcing these responsibilities will save costs and hassles for small organisations."

Dumasia feels that information security strategies and policies will be made in-house, but the physical infrastructure (hardware and software) and management responsibilities will be outsourced over the course of the year. "Security audits will be outsourced to competent external agencies, and this will help check the effectiveness of policies and processes."

Concludes Roy, "Like any other outsourcing activity, there will be a mixed response to security management outsourcing. Some companies may not like to outsource this function as it involves their critical business information."

On the other hand, it will be exceedingly difficult to manage the entire IT security domain in-house with limited resources. Which is why there is reason to believe that outsourcing security management will create new business opportunities this year.

Indian Express - Business Publications Division

Copyright 2003: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD