How do different verticals compare internationally in terms of adoption of security practices? For instance, in India you have a clear layering wherein the banking financial services, BPO and software sector are pretty high on security practices and then there is quite a bit of gap with the manufacturing industry and other industries following in.
I think this is fairly global, though the gap may vary. The banks and the financial industry, apart from the military, of course, and the government departments have always been at the forefront simply because of the nature of what they deal with, and invariably they have the money also to address information security to a very high degree compared to more traditional industries. Although it is catching up with them now because reliance on information systems, no matter what you are doing, is increasing.

People need to know if the forum says something, although we are very careful about making statements because you are talking for 300 different organizations

How do you plan to expand your member base from the current 300 to the 500 mark?
Our current strategy is a sort of three-year horizon. So, I hope that at the end of three years, not necessarily in a linear fashion, we will have these members in place. There are some sectors that are not as strongly represented as they should be compared to their importance in the global economic activity. Therefore, there are still plenty of places and it is not that we have exhausted the top layer.

£16,000 is a lot of money. At Alcatel, I have four different departments to pay-the CIO, the chief security officer, the head of the Internal Audit Department and the head of the Risk and Insurance Department. This way, psychologically, nobody signs £16,000 and this is what I recommend to others to do. Also in terms of sharing, I make sure that other departments are involved in these various work groups in Chapter meetings.

A quick look at the ISF membership profile suggests that there are more financial services sector participants than others. Does that mean the sector is more actively engaged in the information security front?
Yes, precisely. The banking and financial services have been the mainstay and in a wider sense were really the founding element. Around 90 member companies out of the 300 are purely in the banking and financial sector. Just think of those in India who are not included in that but who in my opinion ought to be-both state owned as well as private sector companies.

So, what do you have in store for India?
We still don't have any members from India and this is the reason why I am dedicating two weeks of my private time here. As a volunteer chairman of this association my job is to get a critical mass in India and have future Chapter meetings here. We already have existing member companies with operations in India who could also participate in this, but they do not necessarily always have information security specialists on site. I think we could do just with this companies like I have mentioned but that still, for me, is missing the point. The actual point is to have the Indian insurance companies, software companies, manufacturing companies, and government departments.

If you were talking to an Indian technology or BPO or services company, what would you tell them on the gains of becoming a member?
They would gain the existing library and get a full set of deliverables. Also, they would be able to participate in the ongoing process of creating new deliverables. But, above all, they would have, instantly, a networking relationship with other 300 companies around the world. It's like a circle of trust where literally you can pick up the phone, look in a directory and see somebody who is in the same sector as you in Australia. You may not have met this person but you can make a call to this person or, ideally, have an introduction through a third party that is commonly known to them. In the forum, people will happily share information and views without any sense of monetary gain or goal in their mind. It is really like 'I help you today, you help me tomorrow'. So, they would benefit greatly from sitting at the table albeit in a virtual sense, except at congress when we all get together once a year.

It is really like 'I help you today, you help me tomorrow'. So, they would benefit greatly from sitting at the table albeit in a virtual sense

Do you think the law has not changed as per technology needs?
The law by its inherent nature lags behind. I feel very much that there is a dangerous route that we can take. Whilst on one hand we may criticize the law for not being able to cope with the cyber age, on the other it should not be the norm that we try and formulate laws in every single thing that has to do with cyber activities. There are plenty of existing statutes. But somehow we seem to think that for information security, we cannot pursue somebody because there is nothing on the statute that actually mentions the word PC or whatever the terminology is. Surely, some things need to be changed but we really don't have to go as far.

The younger generation has this attitude that the cyber world is a sort of free for all zone and that is, I think, where we get into the legal aspect. The attitude amongst the younger generation is that if technically something is possible then it is probably all right. I think this is leading us down in creating laws for the cyber space, which, in my view, is not needed. If you have done something that has injured somebody else, who cares what the weapon was, but we certainly need to be mindful of the fact that there are some things that might need to be notified. But, I don't think we need to go and set up like a parallel legal system for the cyber world.

Page(s)   1  2