Enable Innovation by Managing Risks – A security roundtable by RSA

“There is a notion that information security comes in the way of whatever business does, what do you gentlemen feel?” CIO’s editor-in-chief Vijay Ramachandran asked the group of CISOs assembled for the round table conference. The question had the desired outcome of stimulating the conversation, as many CIOs wanted to second that statement, but not without providing a convincing account of how the notion is unfounded.

 

Gopal Shukla, VP-IT, Coca Cola India, felt that while it’s easy to brand information security executives as villains, the reality is that information security has become a fact of life. He said that since every innovation in a product or a process has an infosec angle to it, the employees who are associated with bringing in innovation need to be made aware of the security standards.

Some CIOs felt that CIOs too have a part to play in dispelling the perception that the IT security department exists only to breathe down employees’ necks. Mohammad Wasim, Director – Infrastructure Practice Lead, Sapient, felt that the security officer needs to understand the culture of the organization while framing an appropriate policy. In his company, Wasim said, collaboration tools have become indispensable and the infosec department needs to bear that in mind while putting the needed checks in place.

The tendency of security officers to pose as policemen is counter-productive, said Deepak Rout, Head - IS, Unitech Wireless. “Security often takes a role of dictating inputs to business, but it needs to move away from that attitude,” Rout said, adding that security ought to be aligned closely with business. “IT has to find out what business needs and work around those requirements,” he said. “Security people should not be seen and heard but they must be felt,” Rout said, implying that it’s just as important that security does not lower its vigil.

Another discussion thread initiated by Ramachandran on how strongly security needs to be embedded in the company’s processes evoked enthusiastic responses. “What do you have to do to ensure that security is integral to business processes and not just bolted on at the end?” Ramachandran asked.

Airtel’s Sr VP and Global CISO, Felix Mohan, said that in a company like Airtel, security is a fundamental component of new process development. “There are clear milestones in a development cycle and at each of these, signoffs from security are required,” he said. Moreover, Mohan said, at Airtel, security has added value to business. When the telco wanted to launch video calls, the government refused to grant a license unless a monitoring mechanism was in place. The technology for monitoring didn’t exist, but the security department helped design an appropriate solution.

K P Ganesh Raj, CIO, S Tel, felt that it’s a sad reality of the Indian security scene that security often gets added as an afterthought. But others, including Hitesh Arora, Head – IT & Infrastructure, Max New York Life Insurance Company, felt that many organizations, especially financial institutions, can no longer afford to be lax in their security policy. “The new RBI guidelines spell out in great detail what banks should do to address different potential security risks,” Arora said.

Ramachandran also asked the round table participants what they felt about the convergence of physical security with IT security. Mohan, who asserted that his company has been driving convergence, also spoke of its benefits. “A single database for access control also integrates with the HR applications and this (the convergence) has helped bring down our costs. We have been able to optimize our headcount this way,” he said.