Enterprise Security Strategies

PCQ Bureau
  • More than half of the CIOs we spoke to had a compliance policy in place, and half of those spent most of their time ensuring compliance.
  • Only 10% had fully outsourced their security management.
  • More than half admitted to a 'little difficulty' in convincing top management to invest in security solutions.
  • About half had low satisfaction levels with security vendors.

Security is a key area of concern for just about everyone nowadays, because it's not just about combating viruses and worms anymore. It's also about establishing and enforcing a set of policies in the organization on how and what employees can access, and about ensuring that all critical company data is safe from prying eyes. A good security setup is always based on the right set of technologies backed by strong policies; there has to be a proper balance between the two. Even if you use the latest security technologies but don't have strong policies to control their usage, your setup will suffer. Likewise, you may have strong policies, but unless there are technologies that help you enforce them, all the effort goes to waste.

The importance of security

By and large, security was the most important concern for slightly more than 50% of the CIOs we surveyed. While that may sound reassuring, the interesting point to note is that there are still areas considered more significant than security. One, of course, is the organization's core business and the systems that support it. Business-supporting systems, ERP, legal requirements, and business continuity are all areas that get higher priority than security. Add to that system uptime and keeping data transfer and connectivity costs low as a few others you may want to place at a higher peg than security. These last two are also linked to the previous ones, because what good is security if the systems themselves are not up? We've had discussions with many CIOs in the past where the most important concern was ensuring that all the systems were up. In fact, this was one of the areas that gave most of them nightmares.

[Chart: How important a concern is security in your organization, vis-à-vis other areas of IT?]

What if they were asleep and in the middle of the night a critical server or storage device went down? What if they were travelling on an important trip or were out of the office and received an urgent call to return immediately because the ERP server had gone down? Speaking of nightmares, there are quite a few that security can also give an IT manager or CIO, and God forbid that any of these outages be caused by a security breach. Malicious software and viruses aside, what about threats from within, like illegal access and system abuse? Or how about employees turning hostile and passing strategic business information to the competition? These are all spine-chilling thoughts. Many of our respondents put these possibilities and more before us on threats from


[Chart: Which security issues are CIOs spending most of their time on?]

While the Internet has been a boon for everyone, it has also brought in lots of concerns. Hacks during data transfer, or bank account kidnapping through phishing, are nothing new. They have been happening and will continue to happen; most organizations just wish that it doesn't happen to them. That's enough material to keep everyone on their toes. The first point to consider while framing a security strategy is to analyze its relevance with respect to other areas. One way is to draw a direct correlation between the various areas and the financial and productivity losses that would result if each were to go down.


Prioritize areas that need attention

So what is it that keeps CIOs and security specialists on their toes? Where do they spend most of their time? All the 'nightmares' we just highlighted won't go away through technology alone, nor will they go away by merely establishing a set of policies. They'll at best be minimized, and only if policies are enforced and complied with. So ensuring compliance and adherence to security policies was what kept a majority of our respondents the busiest. The next task that kept them very busy was combating external threats, followed by enforcing measures to prevent data theft and training employees on security. Surprisingly, combating phishing, spam, and zero-day attacks was not a priority for the respondents. Possibly, the first two would automatically be minimized through proper


A set of rules that helps employees tell spam or phishing mail from genuine mail is not very difficult to create. If a mail asks you to provide any personal information, such as your bank account's user id or password, it should obviously be ignored. Likewise, instead of trying to unsubscribe from spam mail, if a user just deletes it and informs the IT department, that's good enough. Responding to a spam mail only confirms to the spammer that your email id is valid, which opens the gates for more spam to come in. Incidentally, social engineering attacks, for all their hype, didn't seem to worry our respondents much. We guess that's also taken care of through proper training. Once you've identified the areas that are important to your business, you need to identify the key things that need to be done in them. In security, for instance, identify the area that needs the maximum attention and similarly work out your priorities for the remaining tasks. Is combating virus and worm attacks a priority


Most anti-virus software is able to handle it, and your own IT staff would be adept at handling it. But ensuring that all anti-virus packages are up to date with the latest definitions is something you have to take care of. Likewise, you need to create a priority list of all tasks.

[Chart: Has your organization ever suffered financial losses due to a security attack?]

Learning from downtime

Security was taken pretty seriously by our respondents, because there was hardly anybody whose organization had suffered financial losses due to a security breach. However, we did get a few reports of productivity losses due to security threats. Most of these had to do with downtime, which ranged from a few hours to a few hundred hours. What's important to note is not how much downtime occurred, but what you should do about it so that it doesn't happen again. One option is to keep the production network isolated from the Internet. As most security threats enter via the Internet, this can actually work; but if your organization relies heavily on the Internet, you have to look at other measures. Another learning that emerged was that internal security threats can sometimes be more deadly than external ones. This is indeed an important thing to keep in mind. A disgruntled employee could give strategic information to the competition. It could even be done by an innocent employee 'unknowingly'. Both cases are equally dangerous and need to be tackled differently.

Importance of policies

As we mentioned above, internal threats are equally if not more dangerous than external ones. One way to combat them is by having the right set of policies. As the Internet is where the maximum threats come in from, an Internet access policy is a must, and a majority of our respondents had one in place. As internal threats from employees are also significant, you need policies for using desktops, servers, and applications. These should govern how employees should use their desktops and what they can or can't do on them, how they should access the servers and applications, and what they should not attempt to access. Detailed guidelines on these, along with proper training on the same, are very important. So the next major set of respondents had policies for desktop, server, and application usage.

[Chart: Security policies in place*]
* Note: The values don't add up to 100% as most of the CIOs had multiple security policies.

Spam, phishing, and virus attacks come largely via email these days. While you do need anti-phishing, anti-virus, and anti-spam tools to combat them, you also need the right set of policies. Half your worries about threats coming via this channel will be gone if an email usage policy is put into effect. Around 76% of our respondents had one. Patch and update management and network access control policies were up next. While these may not be something that requires employee training, they're important. You need to define access policies so that you have control over who can access what on the network. Moreover, this needs to be done not only for people, but also for applications and services. Many threats can creep into the network through open ports, and these therefore need to be kept at bay. We've already done a story on patch and update management, and it threw up a lot of interesting facts. For instance, you must test all your patches on a test system before applying them to the production system.

[Chart: What action does your organization take if an employee is caught stealing sensitive data or attempting to hack into a critical server? Employee is given a warning the first time; if the action is repeated, the employee is sacked: 31%]


Interestingly, one policy that slightly more than half of the respondents had was for compliance. This is surprising because one would assume that just about everyone would have it. Possibly that's why a majority of them are spending time on ensuring compliance and adherence to policies. Or is it that there's no compliance policy in place, due to which unwarranted time is being spent on it? The latter can be dangerous and unproductive.

[Chart: How frequently do you conduct security training programs for your employees?]


Key elements of a security policy

Having security policies is one thing, but ensuring that they're always updated is equally important. How frequently do you do it? Have you fixed a regular time for doing the updating? If not, then maybe it's time you did. A majority of our respondents said that they update their security policies once a year. Another set said they do it every six months. Very few said that they do it more frequently than that. Whatever frequency you're following, there are certain things to keep in mind when drafting security policies, according to our respondents. We received lots of inputs on what the key elements of every security policy should be. Having a clear list of do's and don'ts in your policies came up as a major element of a security policy. This has to be accepted, and a commitment taken from the top level to enforce it. In case there's a breach, penalties must also be defined. A clear definition of what constitutes a security violation needs to be put down, along with penalties for violating it.


We'll talk more about penalties later in this story. Incident management procedures are another critical element that a security policy should contain. One more interesting response was that there has to be an HR policy on information security. It has to be business oriented and therefore driven from the top. Moreover, a policy must not be theoretical, meaning whatever's put down must be implementable. Having strong passwords is a must, and more important is that users should be aware of keeping their passwords secret. Besides making passwords hard to guess, users must not share them with anybody. Lastly, one key element that every security policy must contain is adherence to legal/statutory requirements. Some of the security standards that our respondents were following included Sarbanes-Oxley, COBIT, ISO 27001, BS7799, BS15000, and even 168-bit encryption.

[Chart: Level of difficulty in convincing top management to invest in security solutions]

Importance of training

All policies are a waste if the people who need to follow them are not even aware of them. Thankfully, 62% of our respondents said that they conduct training programs on the code of ethics and security policies for their users. The concern was that the remaining 38% did not conduct such a program. Of those who do conduct training programs, a majority use a mix of in-house and external consultants for the job. Training or no training, what if you catch an employee stealing sensitive data or attempting to hack into a critical server? What action do you take? About 14% of our respondents said that they would take legal action immediately. Another 24% said they sack the person on the spot. Another 31% were slightly more benevolent and gave a warning to the person first; if the action was repeated, then the person was sacked. What action do you take in your organization? Your security strategy must define it very clearly. Speaking of security breaches and hacking, it is said that 'attack is the best form of defense' in the world of security: if you want to know how strong your network security is, you use hacking tools to test its strength. Unfortunately, we didn't get a sweeping 'yes' to this question. The answer was split almost equally between 'yes' and 'no' amongst the respondents.

[Chart: Satisfaction level with security vendors]
[Chart: Your security setup is managed by?]

Issues with vendors

We asked our respondents whether they were satisfied with the service offered by their security vendors. We didn't get an overwhelming answer for 'completely satisfied'. On a scale of 1 to 5, most of the responses were equally split between 2, 3, and 4. The reasons for dissatisfaction were many, ranging from lack of skills on the vendor's part to lack of proactive response. While there can be many concerns about vendors, one thing is clear: they must be skilled enough to handle the security issues of their customers.