
Wednesday, February 8, 2012

Information Security & Privacy: Why should it make sense to Higher Defence Management?

Technology is at the core of modern business. In the last decade or so, Computer Security or Data Security has emerged from within the IT function as an important element with business-critical and even strategic ramifications. The base element in this domain is the ubiquitous entity referred to as Data or Information, which can take all sorts of digital and physical forms; hence, the domain is standardised as Information Security (IS). This domain has become standardised over time and is guided by a broad international standard, ISO-27001. The direct business relevance of IS has emerged over the years as central to the viability or even existence of the enterprise itself; hence it has created a leadership role which has come to be known as the Chief Information Security Officer (CISO). International standards, IT frameworks and several regulations have also sanctified the criticality of IS and thus made the role of the CISO even more relevant and legitimate.

Privacy is a domain complementary to IS, pertaining specifically to the Sensitive Personal Data of individuals and other entities. The basic premise is to protect such personal data from inappropriate use, with a view to limiting its exposure to misuse and also protecting the life and liberty of the entities concerned. Information is again at the heart of Privacy, but of a more specific variety, i.e. personal and sensitive. The executive who leads the Privacy function is usually referred to as a Privacy Officer or Chief Privacy Officer (CPO), but this is so only in very large enterprises. In most others, the CISO looks after Privacy as well.

In India, IS and Privacy compliance had been almost non-existent prior to the 1990s. With the opening of Indian markets and the development of an intimate connect with global markets, IS found its place first in the BFSI sector and then in the IT/ITES sectors. Business and operational needs for security drove the next wave of IS-isation in India, which saw home-grown sectors like Telecom, Pharma, Manufacturing, Retail etc. create IS teams, primarily to protect IP and safeguard operations. As regards Privacy, the very culture of India is not Privacy oriented. However, globalisation and the emergence of India as a top technology (hence information) player have forced India to play catch-up in this mostly European and American concept.

The current drive for IS and Privacy is mostly powered by regulations and laws, as the Indian Govt is carving out several laws/regulations with IS and Privacy intent and content in its march to join the big league of powerful nations. However, all along, IS and Privacy have not been treated as a core business need; rather as reactive measures to meet business realities (such as IT/ITES companies providing assurance to their international customers), in response to high-impact incidents (loss of a business plan etc.) or to comply with a law/regulation. While IS and Privacy think-tanks like ISACA, ISC2 and IAPP forecast the emergence of IS and Privacy as strategic functions and the move of the CISO into the Corporate Boardroom, the scene in India is a little different, with a lack of clear management understanding of the business value of IS and its strategic impact. There are also numerous other related/relevant functions (such as Risk Management, BCP, Privacy, Physical Security, Intellectual Property etc.), some with different international standards of their own, which are vying for management attention and organisational acceptance. However, with landmark regulations in recent times, the domain has been highly energised and even transformed. Leading companies in almost all sectors (IT/ITES, BFSI, Telecom, Energy/Power/Infrastructure, Manufacturing etc.) either already have a CISO or are in the process of getting one. And Indian subsidiaries of MNCs with international operations have started on-boarding Privacy Officers after the IT Act Privacy Rules were notified in April 2011.

Why is it important for higher defence management to know this? Security is a core competence of the defence forces. However, they typically limit their connect with security to the traditional domain of Physical Security, which has reduced in relevance after the advent of IT. The IT-isation of the Govt sector has been sporadic and tangential due to several factors. And computer security (or data security or information security and privacy), which had initially not been a design prerogative even in the civilian technology world, was certainly not a high concern in the defence forces. In the last decade that has changed a great deal in the civilian world: security is a design criterion in the manufacturing of IT platforms and a high-priority item in technology operations. Defence forces can forgo the catch-up game in IT Security if higher defence management were to understand the strategic, operational and tactical benefits of designing security and privacy into defence IT plans, projects and operations.
