Monday, September 15, 2008

Is information security important to your enterprise?

Arun Gupta, Customer Care Associate & CTO of Shoppers Stop Limited, asks whether the responsibility for protection of information remains relegated to the IT organization or, at best, the CIO.

BANGALORE, INDIA: The question "Is information security important to your enterprise?" asked of any CEO, CFO or even a board member will evince open-mouthed responses akin to challenging their basic foundational beliefs, the way George Orwell's classic raises the fundamental 2+2=4! Of course it is. But their inability to demonstrate actions that support the response belies it. In real life, the responsibility for protection of information remains relegated to the IT organization or, at best, the CIO.

Through the ages, information has been equated with knowledge and the power it bestows on the holder. In the current information age, it has become increasingly challenging to protect. The combination of distributed, fragmented storage, replication on multiple computing devices such as desktops, laptops and mobile devices, and sharing by a multitude of applications creates many points of potential breach. Information leakage or destruction does not always happen for gain; many times wilful destruction is attempted by disgruntled elements. Many a time it is a demonstration of the power of knowledge: "You are insecure and at my mercy." In the last few years this has been used for corporate blackmail too.

Enterprises value information and many are paranoid about it. This is evident in the access control mechanisms implemented by almost every IT organization. Volumes have been written about information security and many companies have created business models around providing tools, technology and best practices that can be implemented to protect the valuable information assets. Their efficacy remains a topic of heated discussion depending on the frame of reference. 

Thus the challenge of information security has become a much-debated topic in the IT fraternity and, by virtue of that, has spawned service providers who use different tactics, including the most elemental of all emotions, "fear", to vend their products and services. Standards exist and are adopted to protect information (BS 7799, ISO 27001, etc.); certification is expected to portray a secure organization. Formalized information asset classification and layers of protection offer some degree of comfort and protection.

CIOs thus continue to face the challenge of creating and enforcing policies that are unpopular with the rest of the organization because they impose restrictions on information access. Complex sets of rules enumerating do's and don'ts impede users of information, internal as well as external. Many technologies are deployed at the fringes to lock down all possible avenues of access to the external world. This is despite the fact that most breaches are not electronic at all, and result from negligence, internal process failure or people working within, as demonstrated by many surveys conducted by umpteen agencies.

Industries governed by regulation around information security, such as Banking & Insurance, Pharmaceutical and Medical, undertake systemic programs spanning the enterprise to protect their information assets. A few FMCG and other consumer goods companies too have created frameworks to protect the formulae or designs that are their IP or that give them a short- to mid-term competitive advantage.

There are many avenues through which information moves out of the company. Over the tenure of an employee, she comes into contact with all types of information in physical and electronic form, which is used for conducting business activities and taking decisions. The information gets printed, stored, absorbed, replicated and transmitted internally as well as externally. With no control over the instances of the information, it is virtually impossible to protect it in all its variants. With attrition, employees walk away with knowledge locked inside their minds, with no feasible way to monitor or control the flow.

At the same time, it is relatively easy to monitor and supervise access control. Many security vendors have, however, demonstrated that social engineering can overcome such policies and gain access at will. Printed information lends itself to pilferage, especially given organizations' inability to control the proliferation of printing devices. Every meeting that distributes printed sensitive information multiplies the risk.

In its physical form, information ownership rested with the creators and users: the individual functions like Marketing, Finance, Executive offices and Human Resources. Each distinct part of the company worked towards keeping its information secure, not the Administration function which provided the paper on which it was created or the photocopying machines with which it was replicated for distribution. So who should be the custodian of information? Technology facilitates storage in electronic form, akin to what paper did in the past before IT became ubiquitous in every organization. Most Risk Committees discuss information security with a bias that it is an IT issue, thereby missing the point completely.

Thus the question that haunts is: is the mantle of information protection rightly placed on the head of the CIO? Is the IT organization the only protector of the wealth created by information? Is electronic data the only way that information is created and stored in the enterprise? If information is a strategic asset, does the onus of protection make the CIO a strategic CXO, or a convenient scapegoat under the guise that no one else understands the complexity of the technology required to protect the family jewels?

If information is indeed one of the key assets of a company, why does information security remain systemically unaddressed by the Management? Why aren't other CXOs responsible for the information they create and consume? IT can set the process, educate the employees and deploy the tools, but cannot enforce compliance, like the proverbial story of the horse and the well. Thus security budgets remain challenged and ROI remains elusive for most implementations, because there is no ROI. You take insurance, but no one wants to die!

The perceived role of the CIO and the IT function here demands scrutiny. The security organization evolved within IT and worked towards securing information. The CISO role grew to cover hardware, networks, applications and the operational data that manifested itself across the enterprise. Policies and processes addressed these issues, but business demanded exceptions to address market dynamics. The limitations thus placed on a CISO working under the CIO straitjacket the smooth functioning and implementation of security in the spirit with which it was defined. This is similar to the pains faced by Internal Audit teams working under the aegis of Finance.

It is time now to unshackle, and for the CIO to involve the CEO, CFO and CPO (Chief People Officer) to collectively create a movement towards a secure organization by addressing people, process and technology, the three cornerstones of any successful initiative. The group needs to drive home the point that they, individually and collectively, are responsible for the implicit and explicit security of the IP contained within the information. It should be on the agenda and KPIs of the management team and reviewed frequently.

Information Security is too important a function, with implications that people talk about when it happens to others while not believing that it could happen to them too. The ostrich approach will not will the issue away. Let the CISO be accountable to the Management team, and they to him. This will also make the CIO focus on what matters, and not on operational issues relating to the basic security hygiene which everyone expects.
