
Waiting for Security

Security is yet to be ingrained into the culture of India Inc. largely owing to information, budgetary and manpower gaps


Thursday, October 30, 2003

These are incidents that happened less than 50 days back.

“Most companies take a one-dimensional, reactive and risk-averse approach to security rather than a preemptive and holistic one”

The information system ground to a screeching halt at one of India’s largest hotel chains. The system, running on a centralized server with a total population of over 1,000 desktops across more than five cities, had been secured—the firewalls, security policies and anti-virus solutions were all in place. An attack by the MS Blaster worm led to a denial of service (DoS) situation, which is virtually a network shutdown, leaving the online reservation system, MIS reporting and various other applications in a tri-state. A leading national ISP found it difficult to access its home page; Internet access speeds had dropped by more than 60%. The ISP’s network traffic was congested with malicious code. Patches couldn’t clear up the congestion that already existed; they might have stemmed the rot but nothing beyond.

These are real incidents of ‘secure’ networks breaking down. The world of security is a ‘patch’ world, where patches are panacea to the ills of the moment until the next one arrives. Reportedly, last year alone, Microsoft had over 74 security bulletins (read patches), Sun had over 80 and Linux released nearly 87. Add to this the 100-odd patches released by every system vendor and anti-virus vendors. Apply this to every system, every application, every OS … the matter would veritably get out of hand.

As information security products are implemented in the organization, security confidence increases. But security can go only so far: it does not give assurance, for which tighter security policies are needed. Otherwise security nosedives after lapses (like cyber attacks) expose the holes, and is then revamped again. The ‘chasm’ determines the inflection point: whether the organization takes steps towards Information Assurance or makes itself vulnerable.

How aware is corporate India about security and what is the ground reality? Moot question. Lax IT security continues to remain the soft underbelly of most Indian corporates. Despite high-decibel seminars by security vendors, security deployment in Indian enterprises is still sporadic. In fact, India Inc. is yet to imbibe security as an inherent part of its corporate culture.

Budget crunch
Most analysts and industry experts generally concur on the three main issues responsible for the non-inculcation of the security culture amongst Indian enterprises. Broadly speaking, these are inadequate budgeting, shortage of trained security professionals and the confusion over outsourcing of security management. Insufficient budgets are touted to be the number one obstacle to the effective deployment of appropriate information security measures. According to Ernst & Young’s 2003 Global Information Security Survey, 24% of Indian enterprises cite budget constraints and limitations to be the primary bottleneck in implementing security measures.

However, a large section of CIOs, security consultants and even vendors feel that money is not the primary and only issue.

The biggest hurdle, they feel, is the complete absence of anything close to a security policy in most companies. This is corroborated by E&Y’s survey findings that 40% of Indian corporates do not have any sort of formal information security management process or written policies. Anil Menon of SecureSynergy believes that these numbers could be higher, as many companies either have a half-baked policy or some ad-hoc management processes in place.

There are myriad reasons for this. Very few organizations are influenced by a broad spectrum of factors—which include opportunities, threats and benefits—when addressing information security and hence the subsequent lack of clarity in formulating a policy. Says Ernst & Young’s Terry Thomas: “Most companies take a one-dimensional, reactive and risk-averse approach rather than a proactive and holistic one.” Another crucial factor is that the return on investment (RoI) is not yet valued as a measure of information security spending effectiveness. This becomes evident when 57% of Indian corporates in the E&Y survey say that they rarely or never calculate RoI for information security spending.

However, S R Balasubramaniam, vice-president-IT at HDFC Bank, offers an interesting but slightly different point of view.

He feels that RoI as a measure of calculating success in security has failed and, therefore, one needs to strategize differently to work a way out. He cites the example of HDFC Bank, which has devised an ingenious way of calculating RoI—the bank measures the total loss that would be incurred in case of a security failure. This approach can address a more fundamental problem—most CIOs/IS managers are unable to explain the relevance of information security to the broad overall business strategy. Finding credible alternatives to conventional RoI approaches will become increasingly necessary to obtain funding for the information security function. There is, in fact, a disconnect between the very high level of importance assigned to information security and the relatively low level of self-assessment among organizations. Barely half of Indian companies are aligning their spending well with their key business objectives.

“RoI as a measure of calculating success in security has failed. Instead, at HDFC Bank we measure that in case of a total security failure affecting our daily business, what will be the total losses incurred”

S R Balasubramaniam, HDFC Bank

Swapan Johari of HCL Comnet believes that information security issues are no longer solely the domain of “computer gurus”.

There is an intense and immediate need for them to capture the attention of companies’ senior management and boards.

Therefore, it will be critical for CIOs to communicate the issues in terms that are meaningful to stakeholders. Says Johari: “In order to align information security with business objectives, organizations must eliminate the hierarchical layers between the C-suite and the functional managers, who have historically viewed information security as a technology issue and not a business issue. Having the active involvement of senior management in security-related decisions is crucial in establishing this alignment.”

Manpower problems
There is a dearth of trained security professionals in Indian corporates—in the majority of cases IT managers double up as IS managers. This, warns Naresh Desai, director at Ontrack Solutions, is a serious drawback for India Inc. “Unless we have dedicated security specialists, it would become increasingly difficult to address today’s security needs,” he says. As part of security governance, HR spending associated with information security does not seem to enjoy the high priority that would seem to be justified in light of what organizations identify as the chief obstacles they see to effective security. The urgency is felt, says Menon, but somehow not acted upon.

Thomas reveals that when asked what their organization’s top three areas of spending were, only 16% mentioned staff. On the security spending hierarchy, expenditures for staff were ranked fifth behind consultants, process improvement, business continuity planning and technology. Thomas, therefore, feels it is no surprise that 24% of the respondents in the E&Y survey ranked “a lack of availability of skilled staff” among their top three impediments to effective information security implementation. He adds: “Relegating HR concerns to a low priority may be seriously shortsighted in view of the growing number of vulnerabilities that are appearing on the horizon.”

How India Inc. Sees Security

   - 92% feel information security is of high importance for achieving their overall objectives
   - 81% identify risk reduction as their top influencer for information security spending
   - 35% rate themselves as less than adequate in their ability to determine whether their systems are currently under attack
   - 28% claim to be compliant with applicable security-driven regulations
   - 45% experienced an unscheduled/unexpected outage of a critical business system in the last one year:
        - 44% due to telecom failure
        - 30% due to hardware failure
        - 25% due to software failure
   - 60% have some business continuity plans in place

Source: E&Y Global Information Security Survey 2003

Onsite/offsite debate
The third crucial missing link in the security chain is the debate over the choice of onsite/offshore security management. Balasubramaniam feels that though it might be economically beneficial in many cases to outsource security management to third-party service providers, not all corporates are comfortable with getting their security remotely managed. The resident engineer concept is still the preferred model for Indian corporates. Traditionally, customer-data-sensitive industries like banks, insurance companies and FIs have opted for the comfort of onsite security control, while players in the retail industry—who typically have constraints on physical infrastructure like back-end space—usually prefer an offsite model. Except for HDFC Bank, none of the other major banks have outsourced security management to a third party.

Johari feels that large companies will outsource their information security requirements, primarily intrusion detection, monitoring and response, and 24x7 management. This is primarily because despite new training programs, the shortage of security personnel, especially certified intrusion analysts, will worsen as nearly three million new computers are added to the Internet every month. Even auditing is a common activity that is being increasingly outsourced. HCL Comnet is carrying out a full security lifecycle implementation (including auditing) for both Bharti and the Union Bank of India.

What will be the nature of this outsourcing, that is, which components will be kept in-house and which will be outsourced? Organizations will begin to move from a single firewall to a network of distributed firewalls and substantially outsource firewall management to organizations (often ISPs) that can offer 24x7 management. Personal firewalls will gain prominence, especially with mobile workers. Intrusion detection systems (IDS) are going to get more proactive. New IDSs will be smart enough to understand how an application should behave and also prevent hackers from manipulating the application remotely. The administrator will create rules for each application, describing how it should behave. Agents will monitor all logins and will intercept system calls and prevent unauthorized file or registry edits from taking place. All this will minimize false alarms and also intercept malicious code before it does any damage.
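The per-application behaviour rules and call-intercepting agent described above, as an added illustration that is not part of the original article or any vendor's product: each application gets a rule listing the file and registry writes it is allowed to make, and an agent blocks every other edit. Application names, paths and events are constructed for the example.

```python
# Added example (not from the article): a minimal host-based policy agent
# that applies per-application behaviour rules to intercepted system calls.
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class AppRule:
    """Which (operation, path-glob) pairs one application may perform."""
    app: str
    allow: list = field(default_factory=list)

    def permits(self, op, path):
        return any(op == a_op and fnmatch(path, pat) for a_op, pat in self.allow)


@dataclass
class Event:
    app: str   # process name reported by the intercepting agent
    op: str    # "read", "write" or "registry_set"
    path: str  # file path or registry key touched


class PolicyAgent:
    def __init__(self, rules):
        self.rules = {r.app: r for r in rules}
        self.blocked = []  # audit trail of intercepted edits

    def handle(self, ev):
        """Return True to let the call proceed, False to intercept it."""
        if ev.op == "read":  # reads are not edits; only changes are policed
            return True
        rule = self.rules.get(ev.app)
        if rule is not None and rule.permits(ev.op, ev.path):
            return True
        self.blocked.append(ev)  # unknown app or unpermitted edit
        return False


def run_monitor(events, rules):
    agent = PolicyAgent(rules)
    return [agent.handle(e) for e in events], agent.blocked


# Constructed rules and event stream: a reservation app may only rewrite
# its own database; a process with no rule may change nothing.
RULES = [AppRule("reservations.exe", [("write", "C:/data/reservations/*.db")])]
EVENTS = [
    Event("reservations.exe", "write", "C:/data/reservations/bookings.db"),
    Event("reservations.exe", "read", "C:/data/reservations/bookings.db"),
    Event("reservations.exe", "registry_set", "HKLM/Software/Example/Run/svc"),
    Event("unknown_app.exe", "write", "C:/Windows/System32/dropped.exe"),
    Event("unknown_app.exe", "registry_set", "HKLM/Software/Example/Run/auto"),
]
```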

RAJNEESH DE in Mumbai
