Security must be a business enabler, not an inhibitor
David Zimmerman, Global Solutions Executive, IBM,
talks to Sneha Khanna on the measures companies need to take to keep
data safe and meet compliance requirements
Is a compliant organisation secure as well?
In most cases, compliance increases security enforcement and deployment. The
complexity arises only in cases where compliance efforts and security policies
are different. This results in a change in policy and takes some time to be
As organisations weigh how to improve their security practices, it is important
to recall that retrofitting security is notoriously difficult. Ideally, security
should be a part of every IT project from the start. Risk enginescentrally-controlled
measurement and monitoring systems integrated across discrete lines of businesscan
give financial institutions the ability to rapidly anticipate and adjust to
shifting market dynamics in line with predetermined risk tolerances.
Most compliance in India is related to regulatory accounting or financial information,
which means that security product deployment is not a major issue. With Basel
II catering to data encryption and storage-related issues, this is probably
one of the few regulations that requires increased security deployments. When
the Reserve Bank of India comes up with privacy-related guidelines that need
to be complied with, financial institutions will beef up their security deployments.
Many organisations are opting for outsourced security management
services. What are the security challenges that have come about due to this?
From the perspective of IT infrastructure, it is relatively
high. However, from a security policy enforcement view, and phishing, pharming
and user exploitation, its low.
Are Service Level Agreements (SLAs) important in security
SLAs are required if there is an IT-business split in an organisation. The other
reason for SLAs is IT outsourcing. From a security standard perspective (if
we follow ISO 27001 controls), SLAs are mandatory. For other regulatory compliances,
this is never an issue. Nevertheless, I believe that a good SLA should embrace
the following: the services to be delivered, performance, tracking and reporting
mechanisms, problem management and dispute resolution procedures, the recipients
duties and responsibilities, security, legislative compliance, intellectual
property, and confidential information issues and agreement termination.
What measures should a CIO take when it comes to security
compliance? Do external audits help?
Security lapses occur due to lack
of education, adequate security policies and procedures, adequate employee
induction and exit procedures, proper business continuity, risk management
and clean desk policy frameworks
No organisation can be compliant with regard to security. It can only comply
with standards or guidelines. Governments can introduce regulatory compliance
standards like two-factor authentication for banks, and a security policy deployment
for BPOs. Organisations could be categorised as low-risk (where awareness of
security norms would suffice), medium risk (where awareness and action is required)
and high-risk (where awareness, action and assurance is mandated).
To be compliant with security certifications or standards, there are numerous
activities such as creation of a risk management framework, creation of a detailed
information security policy or framework, deployment of a good business continuity
framework, deployment of a good disaster recovery plan, and establishment of
a security organisation. External audits help, but only if a strong internal
security organisation does not exist. A possible way out of this complexity
is to create a centralised, integrated IT infrastructure that serves everyones
purpose. Users can get a single sign-on to all the applications they need to
access, and the enterprise can get a flexible, low-cost way to keep user authorisations
fully updated while ensuring maximum business control.
Which areas in an organisation are more prone to security
All departments involving IT and non-IT infrastructure and information are affected.
However, marketing teams are prone to IT and social engineering attacks, while
the IT infrastructure and information leakage itself is prone to virus, phishing
and other forms of attacks due to lack of information sharing, education and
Employee turnover rates are rising. What many companies dont realise is
that when employees leave the business, they sometimes take with them the firms
most precious assetsthe data that runs the business. They also take everything
from customer account data to sales and inventory data to confidential business
intelligence and much else stored in the companys internal systems.
While departing employees routinely return things like laptops and security
badges, they hold on to the security IDs and passwords that provide access to
the companys internal databases. In fact, over 20 percent of accounts
on many company systemsfor example, mail systems and mainframesare
of employees who have left the organisation, often even five years earlier.
Disgruntled employees go a step further by causing damage to company systems.
What are the reasons for security lapses?
The usual gaps are inadequate education, faulty security policies and procedures,
poor employee induction and exit procedures, improper business continuity plans,
little or no risk management, and inadequate clean-desk policy frameworks. Depending
on the sector in which a company operates, security policies and framework components
carry varied importance and priority levels.
A downside to all e-business progress is that companies have not bothered to
integrate the applications they have been building, which has added greatly
to the complexity and cost of administering IT. Since applications are neither
centrally managed nor integrated, end-users such as employees have multiple
sign-ons to enterprise applications, which accounts for all those IDs and passwords
we carry around in our headsand keep forgetting. Help desks now spend
much of their time giving out passwords instead of adding real value to the
Add to this situation more complexity: companies have to keep track of all new
users entering the enterprise and the applications they have access rights to.
These applications often run on different computing platforms with their own
security requirementsplus users keep changing. The end result is a situation
in which companies are hard pressed to know who is accessing applications for
However, IT security is not about setting up unnecessary roadblocks to business
activity. Its about enabling people to do the things they need to do to
be successful. Security must become a business enabler, not an inhibitor. The
Internet and e-business have changed the way we do business forever. Its
now time to complete the transformation by reducing the complexity and cost
of running an e-business.