
Thursday, September 6, 2012

Security TCO

1. Enterprise security costs need to be budgeted under one cost centre to enable an enterprise-level understanding of security TCO. In the absence of a centralised, single security budget (to clarify again: the budget is utilised by multiple entities but owned by one), there is no executive appraisal of security TCO, and multiple stakeholders continue to spend on security without enterprise security objectives being addressed on risk-based criteria.


2. While in reality it may be fragmented, there is huge potential to group all security spend under the following key heads:

(a) Core Security Platforms, including all elements of security oversight such as SIEM, VA (vulnerability assessment), PT (penetration testing) and AppSec tools (preferably under the operational control of the security team and managed through a SOC), and also a few other core security platforms such as DLP, IPS and web filtering (which may be under the operational control of network/IT operations)

(b) Supporting Security Platforms, including all security platforms deployed in the enterprise for endpoint security, infrastructure security, platform security, application security and physical security

(c) Security Processes, Projects and Initiatives, including implementation/enhancement costs and consulting engagements involving both Core and Supporting security platforms, as well as GRC, DR, audits/assessments, security awareness, etc.

(d) Security People, including salaries of all full-time and part-time employees and contractors/consultants working within the security team

3. During the challenging migration from current security budgeting practices to the one outlined above, it may be necessary to continue budgeting one or more of the above heads outside the security budget. However, there should be an exercise to create an enterprise inventory of such items, consolidate the budget figures, and tabulate them at the security steering committee, with a view to apprising executive management of security TCO and building support for centralised security budgeting.

Wednesday, February 8, 2012

Information Security & Privacy: Why should it make sense to Higher Defence Management?

Technology is at the core of modern business. In the last decade or so, computer security (or data security) has emerged from within the IT function as an important element with business-critical and even strategic ramifications. The base element in this domain is the ubiquitous entity referred to as data or information, which can take all sorts of digital and physical forms; hence the domain has been standardised as Information Security (IS). The domain has matured over time and is guided by a broad international standard, ISO/IEC 27001. The direct business relevance of IS has emerged over the years as central to the viability, or even the existence, of the enterprise; hence it has created a leadership role that has come to be known as the Chief Information Security Officer (CISO). International standards, IT frameworks and several regulations have also affirmed the criticality of IS and thus made the role of CISO even more relevant and legitimate.

Privacy is a complementary domain to IS, pertaining specifically to the sensitive personal data of individuals and other entities. The basic premise is to protect such personal data from inappropriate use, with a view to limiting its exposure to misuse and protecting the life and liberty of the entities concerned. Information is again at the heart of Privacy, but of a more specific variety, i.e. personal and sensitive. The executive who leads the Privacy function is usually referred to as a Privacy Officer or Chief Privacy Officer (CPO), but only in very large enterprises. In most others, the CISO looks after Privacy as well.

In India, IS and Privacy compliance had been almost non-existent prior to the 1990s. With the opening of Indian markets and the development of an intimate global market connect, IS found its place first in the BFSI sector and then in the IT/ITES sectors. Business and operational needs for security drove the next wave of IS-isation in India, which saw home-grown sectors like Telecom, Pharma, Manufacturing, Retail, etc. create IS teams, primarily to protect IP and safeguard operations. As regards Privacy, the very culture of India is not Privacy-oriented. However, globalisation and the emergence of India as a top technology (hence information) player have forced India to play catch-up on this largely European and American concept.

The current drive for IS and Privacy is mostly powered by regulations and laws, as the Indian Government carves out several laws/regulations with IS and Privacy intent and content in its march to join the big league of powerful nations. However, all along, IS and Privacy have not been treated as core business needs; rather, they have been reactive measures to meet business realities (such as IT/ITES companies providing assurance to their international customers), responses to high-impact incidents (loss of a business plan, etc.), or compliance with a law/regulation. While IS and Privacy think-tanks like ISACA, ISC2 and IAPP forecast the emergence of IS and Privacy as strategic functions and the move of the CISO into the corporate boardroom, the scene in India is a little different, with a lack of clear management understanding of the business value of IS and its strategic impact. There are also numerous other related functions (such as Risk Management, BCP, Privacy, Physical Security, Intellectual Property, etc.), some with their own international standards, which are vying for management attention and organisational acceptance. However, with landmark regulations in recent times, the domain has been highly energised and even transformed. Leading companies in almost all sectors (IT/ITES, BFSI, Telecom, Energy/Power/Infrastructure, Manufacturing, etc.) either already have a CISO or are in the process of getting one. And Indian subsidiaries of MNCs with international operations have started on-boarding Privacy Officers after the IT Act Privacy Rules were notified in April 2011.

Why is it important for higher defence management to know this? Security is a core competence of defence forces. However, they typically limit their connect with security to the traditional domain of Physical Security, whose relevance has diminished since the advent of IT. The IT-isation of the Government sector has been sporadic and tangential due to several factors. And computer security (or data security, or information security and privacy), which had initially not been a design priority even in the civilian technology world, was certainly not a high concern in the defence forces. In the last decade that has changed a great deal in the civilian world: security is now a design criterion in the manufacture of IT platforms and a high-priority item in technology operations. Defence forces can forgo the catch-up game in IT security if higher defence management were to understand the strategic, operational and tactical benefits of designing security and privacy into defence IT plans, projects and operations.

Tuesday, February 7, 2012

Privacy & India

Privacy as a concept is far from being a part of Indian culture. Our names reveal our state, our sect/caste, our religion, sometimes our village and many times our father's name :). We love to boast about our salary, of course adding 40% to the 20% bonus on our CTC. The list of examples is long, and sometimes not at all comprehensible. But that's the way it is. Hence, in India, regulation would have to drive cultural change as regards Privacy; and we have seen a first detailed and strong regulation, with another more detailed and stronger one in the pipeline. But relying on regulation to change culture is too much to ask, because Indian culture is very old and consequently deep-rooted. Government and corporations are composed primarily of people, and in India the bulk of them are Indian and hence far from familiar with Privacy; we will not get far in the adoption of privacy practices in India if we rely on regulation alone.
So who or what can help?

Most large international corporations see Privacy as a compliance burden, complied with just to stay on the right side of the law and as a regulatory risk-mitigation exercise. With more and more of them having to do something or other with new-age business (cloud computing, social networking and mobility platforms), they are increasingly inclined to pay lip service to concepts like privacy that get in the way of exploiting and leveraging customer data, which marketers and sales folks view as a pile of gold.

Microsoft (MS) is uniquely placed in this regard. Having been one of the initial leaders of the computing industry, and having been at the receiving end of the security and privacy concerns of customers, corporates and regulators, MS decided very early on to ingrain security, privacy and reliability as design pillars in all its products and platforms. In fact, 10 years ago, in January 2002, Bill Gates himself wrote the now-famous Trustworthy Computing (TwC) memo and focused MS's developer community on building strong privacy and security protections into all of MS's products and services as part of the TwC initiative. TwC still drives the ethos at MS today. There are numerous practical examples of how MS's commitment to the concept of privacy by design protects consumers using several MS products and platforms. Besides ensuring that Privacy principles are integral to all that it sells, MS also focuses on Privacy compliance in all its internal operations, including its sales and marketing engines. There are more than 40 full-time Privacy professionals like me who constantly maintain strict vigil and oversight over all MS operations worldwide, ensuring adherence to MS Privacy Policy and Standards that meet and exceed Privacy regulations in each and every country in the world. That's why, when you now find other big names being dragged into courtrooms around the world for Privacy violations, the only mention of Microsoft in the news is of how it contributed to spreading the message of Privacy during Data Privacy Day (DPD) through awareness campaigns, primary research on consumer opinions about privacy, and other such constructive activity.

I must mention that part of my role as the Privacy leader for MS in India is to be available as a subject-matter expert and thought leader on data security and privacy, and to make MS available as a partner committed to Privacy in any venture undertaken in domains connected to Privacy.