- More than half of the CIOs we spoke to had a Compliance policy in
place. And half of those spent most of their time ensuring Compliance.
- Only 10% had fully outsourced their security management.
- More than half admitted to a 'little difficulty' in convincing top
management to invest in security solutions.
- About half had low satisfaction levels with security vendors.
Security is a key area of concern for just about everyone nowadays, because
it's not just about combating viruses and worms anymore. It's also about
establishing and enforcing a set of policies in the organization on how and what
employees can access. It's also about ensuring that all critical company
data is safe from prying eyes. A good security setup will always ensure that it's
based on the right set of technologies backed by strong policies. There has to
be a proper balance between technologies and security policies. Even if you use
the latest security technologies but don't have strong policies to control
their usage, your setup will suffer. Likewise, you may have strong policies, but
unless there are technologies that will help you enforce them, all effort goes
The importance of security
By and large, security was the most important concern for slightly more than 50%
of the CIOs we surveyed. While that may sound reassuring, the interesting point
to note is that there are still areas that are more significant than security.
One of course is the organization's core business and the systems that support
it. Business supporting systems, ERP, legal requirements, business continuity
are all areas that get higher priority over security. Add to that system uptime,
maintaining low cost for data transfers and connectivity as a few others you may
want to place at a higher peg than security. These last two are also linked to
the previous ones, because what good is security if the systems themselves are
not up? We've had discussions with many CIOs in the past, where the most
important concern had been ensuring that all the systems were up. In fact, this
was one of the areas that gave most of them nightmares.
|How important a concern is security in your organization, vis-à-vis other areas of IT?
What if they were sleeping and in the middle of the night, a critical server
or storage device went down? What if they were travelling on an important trip
or were out of office and received an urgent call from office to return
immediately because the ERP server had gone down? Speaking of nightmares, there
are quite a few that security can also give to an IT manager or CIO, and God
forbid if any of these outages are caused due to a security breach. Malicious
software and viruses aside, what about threats from within like illegal access
and system abuse? Or how about employees turning hostile and passing strategic
business information to competition? These are all spine-chilling thoughts. Many
of our respondents put these possibilities and more before us on threats from
|Which security issues are CIOs spending most of their time on?
While the Internet has been a boon for everyone, it's also brought in lots
of concerns. Hacks during data transfer, or bank account hijacking through
phishing are nothing new. They have been happening and will continue to happen.
Most organizations just wish that it doesn't happen to them. That's enough
material to keep everyone on their toes. The first point to consider while
framing a security strategy is to analyze its relevance with respect to other
areas. One way is to do a direct correlation between various areas and the
resulting financial and productivity losses if they were to go down.
Prioritize areas that need attention
So what is it that keeps CIOs and security specialists on their toes? Where do
they spend most of their time? All the 'nightmares' we just highlighted won't
go away through technology alone. Nor would they go away by merely establishing
a set of policies. They'll at best be minimized only if policies are enforced
and complied with. So ensuring compliance and adherence to security policies was
what kept a majority of our respondents the busiest. The next task that kept
them very busy was combating external threats, followed by enforcing measures to
prevent data theft and training employees on security. Surprisingly, combating
phishing, spam, and zero-day attacks were not a priority for the respondents.
Possibly, the first two would automatically be minimized through proper
A set of rules that can help employees identify spam or phishing mail from a
genuine mail is not very difficult to create. If a mail asks you to provide any
personal information such as your bank account's user id or password, it should
obviously be ignored. Likewise, instead of trying to unsubscribe from spam mail,
if a user just deletes it and informs the IT department, it's good enough.
Responding to a spam mail only confirms to the spammer that your email id is
valid, which opens the gates for more spam to come in. Incidentally, social
engineering attacks, for all their hype didn't seem to worry our respondents
much. Guess that's also taken care of through proper training. Once you've
identified the areas that are important to your business, you need to identify
the key things that need to be done in them. In security for instance, identify
the area that needs the maximum attention and similarly work out your priorities
for the remaining tasks. Is combating virus and worm attacks a priority?
Most anti-virus software is able to handle it, and your own IT staff would
be adept at handling it. But ensuring that all anti-virus packages are up to
date with the latest definitions would be something you have to ensure.
Likewise, you need to create a priority list of all tasks.
|Has your organization ever suffered financial losses due to a security attack?
Learning from downtime
Security was taken pretty seriously by our respondents, because there was hardly
anybody whose organization had suffered any financial losses due to a security
breach. However, we did get a few reports of productivity losses due to security
threats. Most of these had to do with downtime, which went from a few hours to a
few hundred hours. What's important to note is not how much downtime occurred,
but what you should do about it so that it doesn't happen again. One is to
keep the production network isolated from the Internet. As most security threats
enter via the Internet, this can actually work. But if your organization
relies on the Internet heavily, then you have to look at other measures. Another
learning that emerged was that internal security threats can sometimes be more
deadly than the external ones. This is indeed an important thing to keep in
mind. A disgruntled employee could give strategic information to competition. It
could even be done by an innocent employee 'unknowingly'. Both cases are
equally dangerous and need to be tackled differently.
Importance of policies
As we mentioned above, internal threats are equally if not more dangerous than
external ones. One way to combat them is by having the right set of policies. As
the Internet is where the maximum threats come in from, an Internet access policy is
a must. A majority of our respondents had an Internet access policy in place. As
internal threats from employees are also significant, you need policies for
using desktops, servers, and applications. These should govern how employees
should use their desktops, what they can or can't do on it, how they should
access the servers and applications, and what they should not attempt to access.
Detailed guidelines on these, along with proper training on the same are very
important. So the next major set of respondents had policies for desktop,
server, and application usage.
|Security policies in place*
|* Note: The values don't add up to 100% as most of the CIOs had multiple security policies
Spam, phishing, and virus attacks come largely via email these days. While
you do need anti-phishing, anti-virus, and anti-spam tools to combat them, you
also need the right set of policies. Half your worries of threats coming via
this channel will be gone if an email usage policy is put into effect. Around
76% of our respondents had one. Patch and update management and network access
control policies were up next. While these may not be something that requires
employee training, they're important. You need to define access policies so
that you have control over who can access what on the network. Moreover, this
needs to be done not only for people, but also applications and services. Many
threats can creep into the network through open ports, and therefore need to be
kept at bay. We've already done a story on patch and update management, and it
threw up a lot of interesting facts. For instance, you must test all your
patches on a test system before applying them to the production system.
|What action does your organization take if an employee is caught stealing sensitive data or attempting to hack into a critical server?
Interestingly, one policy that slightly more than half of the respondents had
was for compliance. This is surprising because one would assume that just about
everyone would have it. Possibly that's why a majority of them are spending
time on ensuring compliance and adherence to policies. Or is it that there's
no compliance policy in place, due to which unwarranted time is being spent on
it? The latter can be dangerous and unproductive.
|How frequently do you conduct security training programs for your employees?
Key elements of a security policy
Having security policies is one thing, but ensuring that they're always
updated is equally important. How frequently do you do it? Have you fixed a
regular interval for updating them? If not, then maybe it's time you
did. A majority of our respondents said that they update their security policies
once a year. Another set of people said they do it every six months. Very few
said that they do it more frequently than that. Whatever the frequency you're
following, there are certain things to keep in mind when drafting security
policies, according to our respondents. We received lots of inputs on what
the key elements of every security policy should be. Having a clear list of
do's and don'ts in your policies came up as a major element of a security
policy. This has to be accepted, and a commitment taken from the top level to
enforce this. In case there's a breach, then penalties must also be defined. A
clear definition of what is a security violation needs to be put down, along
with penalties for violating the same.
We'll talk more about penalties later in this story. Incident management
procedures are another critical element that a security policy should contain.
One more interesting response was that there has to be an HR policy on
information security. It has to be business oriented and therefore driven from
the top. Moreover, a policy must not be theoretical, meaning whatever's put
down must be implementable. Having strong passwords is a must, and more
important is that users should be aware of keeping their passwords secret.
Besides choosing passwords that are difficult to guess, users must not share them with
anybody. Lastly, one key element that every security policy must contain is
adherence to legal/statutory requirements. Some of the security standards that
our respondents were following included Sarbanes-Oxley, COBIT, ISO 27001,
BS7799, BS15000, and even 168-bit encryption.
|Level of difficulty in convincing top management for investing in security solutions
Importance of training
All policies are a waste if the people who need to follow them are not even
aware of them. Thankfully, 62% of our respondents said that they conduct
training programs on code of ethics and security policies for their users. The
concern was that the remaining 38% did not conduct such a program. Of those who
do conduct training programs, a majority use a mix of in house and external
consultants for the job. Training or no training, what if you catch an employee
stealing sensitive data or attempting to hack into a critical server? What
action do you take? About 14% of our respondents said that they would take legal
action immediately. Another 24% said they sack the person on the spot. Another
31% were slightly more benevolent and gave a warning to the person first. If the
action was repeated, then the person was sacked. What action do you take in your
organization? Your security strategy must define it very clearly. Speaking of
security breaches and hacking, it is said that 'attack is the best form of
defense' in the world of security. If you want to know how strong your network
security is, you use hacking tools to test its strength. Unfortunately, we didn't
get a sweeping 'yes' to this question. The answer was split almost equally
between a 'yes' and a 'no' amongst the respondents.
|Satisfaction level with security vendors
|Your security setup is managed by?
Issues with vendors
We asked our respondents whether they were satisfied with the service offered by
their security vendors. We didn't get an overwhelming answer for 'completely
satisfied'. On a scale of 1 to 5, most of the response was equally split
between 2, 3, and 4. The reasons for dissatisfaction were many, ranging from
lack of skills on the vendor's part to lack of proactive response. While there
can be many concerns from vendors, one thing is clear: they must be skilled
enough to handle security issues of their customers.