Satish Das is the CSO of Cognizant. He has close to 15 years' experience in dealing with various business and technology issues in the area of Information Security. He is a certified CISSP and CISA professional. Excerpts from an interview on Nasscom where he speaks on security strategies for enterprises and the emerging role of Chief Security Officers (CSOs).
Can you elaborate on the importance and role of security policies that companies should adopt?
Policies provide direction to people in the organization. To that extent, they should be comprehensive and, betimes, futuristic. We develop procedures and guidelines to implement policies. We frame standards to understand how well we have done in terms of defining our policies and then implementing them.
Policies help bring a certain discipline and standardization in a company and help communicate the level of security deployed to customers and other stakeholders. As such, policies are critical and embody the commitment of an organization to approach things in a disciplined manner and measure it.
In a networked environment, where there are bound to be links to the Internet, what is the role of CISOs?
I would like to ask a question, "Did you ever meet a CISO three years back in India?" The answer would be a clear no. The role of a CISO emerged during the last three years as information security has become critical for businesses. The person in this role helps the company to balance business objectives with risk management objectives. For example, every company wants to use the Internet to provide leveraged services to their customers because of its inherent resilience, pervasiveness and cost drivers. In this situation, the CISO’s role is to make the organization understand the risks of doing business on the Internet and implement proper controls, leveraging technology, and mitigate the risks. I personally feel that a CISO should have a Techno-Business-Risk-Audit management profile.
What do you think should be done to raise awareness of security issues in the current scenario?
Industry bodies like NASSCOM and CII must take on the responsibility of creating the necessary forums to exchange ideas and spread the awareness, experience and importance of security among member companies. There are a number of initiatives around other key aspects that govern the industry, but what is missing is a forum like the Information Security Forum.
What do you see as the biggest threats to a company’s security system?
Complacency and lack of or limited awareness among employees are the two major threats. Another threat is dealing with Security Incidents as a technology issue. If one drills down deep, in most of the cases, one would find that it’s more of an issue with people or processes. And we know how to deal with process and people. This process of viewing security as a technical issue rather than a process or people issue is the biggest threat to a company’s security system.
What are the security concerns that you feel dominate with your customers?
Customers are keen on knowing and auditing whether we have policies, procedures and controls in place to deal with any potential incidents. All of them are aware of the potential incidents that could arise out of security gaps. They like to experience first-hand the controls and systems we have in place to deal with viruses, worms, trojans and unauthorized access. They would like to know whether we frequently revisit our security definitions and audit our control and other check points.
Do you feel that Indian companies can compete with global companies in terms of getting in place a world-class security infrastructure?
The fact that the industry is growing at over 30 percent is in itself a clear indication of our success in the global marketplace. It is also a fact that many global companies have been focusing on process and people and, alongside, investing in the latest security infrastructure. Unless we, as an industry, step up our investment in security infrastructure and people, we will lag. As often quoted, it takes only one poorly run company to ruin things for the industry. It's not enough if the large players make significant investments in security infrastructure; every company should see this as an imperative for business.
What are your favorite tools for dealing with security problems?
Policies, Awareness Programs, Audit and Forensic Systems are my favorite tools. Some penetration tools are also my favorites.
Satish can be reached at Dsatish@chn.cognizant.com
Courtesy: Nasscom