Built-in or Bolted-in? Security re-configures

CIOL Bureau

It’s costly. It’s about control. And it’s oh-so regulated. Yes, the three-pronged worry monster always haunts the already murky woods of enterprise security. Then, on the tail of security decisions come other questions, ones relentless enough to send those very decisions into a tailspin. Is IT diversity a problem? How do I deal with it? How do I sift hot air from genuine worries in the threat skyline? When will Security stop being a nightmare for virtualization projects and IT on the Cloud? Is Security woven into the Cloud or added atop the Cloud? Questions that never end.

But a chat with Kartik Shahani, Country Manager for RSA, India & SAARC, attempts to nail just these very bugbears. Here it goes.

Cost of compliance, Control buttons and Regulatory teeth. Would you agree that these three top concerns for enterprises are worth the worry for security investments?

It’s interesting and yet simple. Corporate governance is for yourself. It is inward-looking. Regulatory work is for others; it’s outward-looking. One is not the same as the other, and the possibility of redundancy can exist. Some questions matter. How important is data leakage? Can we allow remote connectivity? Risk and threat, however, differ as per environment. Some platforms can be high-risk, and at every point the key parameter is business-criticality. Even if it is not regulated, business criticality is still important. Isn’t it?

How do these fears and questions play out in the context of virtualized environments or Cloud platforms?

Control is naturally a concern that CIOs have strongly. Till the hosted environments follow regulatory patterns, things are different. You may be co-hosted with a competitor. A huge amount of data could be transferred to and from the Cloud. Now does it fall under the boundaries you have set for yourself?

So is it about Security being an add-on layer? Shouldn’t it be integral when it comes to a Cloud platform?

Absolutely correct. In a physical world, security is always bolted on. In Cloud, it is built-in. For a Cloud, security is embedded inside. Built-in and not bolted-in. Because that’s how it will work best. Whether it’s RSA or anyone else, it has to be inside the Cloud and not at some end-point.

Would you agree with the idea of shifting responsibility needle? Would it not be tough for the customer to manage in an increasingly diversified landscape?

That’s the reason Cloud is catching up. How to scale, or how to integrate or how to support it, these are strong issues. It can turn into a nightmare for the customer. Managed services can be a good answer here.

Coming to the other side of the bridge, is there a shift happening for security vendors as well? Especially when we see the likes of Microsoft or Cisco extending security frameworks into their own products.

As to that trend, we need to go one step ahead and then one step back. Security is now a consolidation of technologies. Now in the Cloud, storage is done at the same place where security was. Everyone is in the same space, and day after day, the differentiation is fading away. All technologies are getting tightly integrated. EMC-RSA, HP-Compaq or Intel-McAfee are examples enough. There will be four to five good players that will stay. And the clincher would be: what pedigree one comes from? Consolidated solutions are what the future would look like.

What exactly do you offer at RSA when it comes to GRC? Is it something actually radical?

GRC is Governance, Risk and Compliance. G is what all companies have. R relates to what impact it has on business and its environment, and hence it varies from industry to industry. C is about mandates set by regulators of a particular industry or country. Any gaps as per an audit requirement can be a long and cumbersome process. What if the process is automated for these gaps so that you go right ahead and fix it? That makes GRC not a cost-centre but an investment.

In Jan this year, RSA acquired Archer Technologies, which is a leading provider of enterprise GRC solutions and has more than six million licensed users. With the regulatory environment in India evolving rapidly, RSA is of the opinion that it will open up a huge market for GRC solutions in India and lead the way for Archer’s market leadership in the country.

Is GRC a natural build-up to what RSA already had or an overlap for the existing infrastructure?

If you do not have GRC, then no other tool can do what GRC does. It takes feeds from other technologies or consoles and then we start building reports. So, GRC is the top-most layer.

How does it fare when it comes to compatibility?

GRC makes rules and works accordingly. Like what points should a firewall block or how many gaps are tolerable here? That’s how it makes reporting work.

Would it be interesting for India?

According to Forrester Research, the GRC industry in India, comprising software, consulting and related services, is currently growing at 24 per cent yoy and is slated to grow from $2.6 billion in 2009 to over $24 billion in the next five years. As per industry reports, the spend on GRC in India by the top publicly listed companies is fast approaching $1.5bn. There is need for GRC solutions among organizations in India which are facing increased compliance obligations and are exposed to civil and criminal liability. The importance of a holistic GRC strategy for enterprises is high given the expose of recent corporate frauds and the global financial turmoil.