Questionnaire for Times Ascent
Posted on January 5, 2011
Q1: IT security seems to be a very generic term considering the breadth of the security function. From the functional and implementation point of view, how would you classify it broadly?
IT security can be broadly classified into physical security and data security. Physical security typically involves controlling access to the locations where the IT infrastructure is housed, using biometric access, advanced CCTVs, mantraps, etc. At CtrlS we use a six-zone system to protect infrastructure. Data security is provided by multiple layers of firewalls, port management, anti-virus software, IDS, IPS, etc.
Q2: There seem to be many facets of security, like access control, email security, firewalls, intrusion detection, data leak prevention, malware, spyware and so on. Is it necessary for an organization to protect itself against all of them, and is it possible? Is it worth the investment?
It is possible to protect data from most dangers through proper planning, continuous updating and monitoring. For companies that cannot afford the huge investments required but for which data integrity is critical, outsourcing to data centers is the best way forward. Investments in security are more important than taking out insurance policies. Insurance pays out only after the damage is done, and only to the extent of the actual losses. Credibility with customers and brand value are protected only by security.
Q3: There is a reasonable amount of confusion about who is ultimately responsible for 'overall corporate security' in an organization – the CIO, the CEO, the CTO or the Board. All arguments seem to have valid points in support of their views. Your comments.
The modern knowledge economy has changed the meaning of security. Previously, the assets to be protected were mostly goods and physical assets. Today, especially in the service industry, these are insignificant compared to information or data. The situation can be addressed by creating a new role called Chief Information Security Officer – CISO.
Q4: It is an accepted norm that what cannot be measured cannot be improved. Is it possible to measure the value of security? If so, how?
A day before any breach, the ROI of security is zero. The best way to measure security is to define various threshold levels and measure effectiveness against them. There are a lot of security issues that are common across organizations, such as how consistently an organization installs 85%-95% of security patches within a 24-hour period, or how efficiently it updates anti-virus files. The organization can then decide what levels of security it wants and set thresholds. Action can be taken once the security level dips below the threshold, and the effectiveness of this security can then be measured by following how well it does before, during and after a security incident.
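As an added example (not from the interview or from CtrlS), the threshold-based measurement described above in Python: patch installation within a 24-hour window and anti-virus signature freshness are computed over a constructed host inventory and banded against the 85%-95% thresholds mentioned in the answer; host names, times and the band names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Host:
    name: str
    patch_released: datetime
    patch_installed: Optional[datetime]  # None means still unpatched
    av_signature_age_hours: float

# Constructed sample inventory; names and times are made up for illustration.
RELEASE = datetime(2011, 1, 3, 9, 0)
SAMPLE_HOSTS = [
    Host("web-1", RELEASE, RELEASE + timedelta(hours=2), 3.0),
    Host("web-2", RELEASE, RELEASE + timedelta(hours=5), 4.5),
    Host("db-1", RELEASE, RELEASE + timedelta(hours=20), 1.0),
    Host("db-2", RELEASE, RELEASE + timedelta(hours=23), 20.0),
    Host("app-1", RELEASE, RELEASE + timedelta(hours=30), 2.0),   # missed the 24h window
    Host("app-2", RELEASE, RELEASE + timedelta(hours=6), 2.0),
    Host("mail-1", RELEASE, RELEASE + timedelta(hours=12), 48.0), # stale AV signatures
    Host("mail-2", RELEASE, None, 6.0),                           # never patched
]
def patched_in_window(h, window):
    return h.patch_installed is not None and h.patch_installed - h.patch_released <= window

def patch_compliance(hosts, window=timedelta(hours=24)):
    """Share of hosts that installed the patch within `window` of its release."""
    if not hosts:
        return 0.0
    return sum(patched_in_window(h, window) for h in hosts) / len(hosts)

def av_freshness(hosts, max_age_hours=24.0):
    """Share of hosts whose anti-virus signatures are no older than max_age_hours."""
    if not hosts:
        return 0.0
    return sum(h.av_signature_age_hours <= max_age_hours for h in hosts) / len(hosts)

def laggards(hosts, window=timedelta(hours=24)):
    """Hosts to act on once the patch metric dips below threshold."""
    return [h.name for h in hosts if not patched_in_window(h, window)]

def rate(value, target=0.95, floor=0.85):
    """Band a metric: green at/above target, amber between floor and target, red below floor."""
    if value >= target:
        return "green"
    return "amber" if value >= floor else "red"

def scorecard(hosts):
    """Both metrics with their bands for the reporting period."""
    return {"patch_24h": (patch_compliance(hosts), rate(patch_compliance(hosts))),
            "av_fresh_24h": (av_freshness(hosts), rate(av_freshness(hosts)))}
```

Run over the same inventory each reporting period and the trend in the bands, not a single reading, is what shows whether the program is improving.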