CSO Perspectives – ROI Vs IS: The CISO’s Perspective

With the emergence of communication and information sharing technologies in the past decade, it is becoming increasingly easier for people to access information online. Technologies such as VPNs and VLANs have made it significantly easier for organizations to share information and resources, but at the same time, they have left the company prone to several vulnerabilities. These vulnerabilities or security risks, though seemingly small, often have the potential to ruin any organization’s day. With the amount of sensitive information being moved both within an organization and without, it is becoming increasingly important to secure those physical or digital information exchange and storage mediums. This is where Information Security and CISOs come in.

On 30th September, 2010, CSO Pakistan organized CSO Perspectives – State of the Art, Annual Information Security Convention & Awards followed by a second day of CSO Executive Roundtables. Presented by Oracle and supported by NetSol Technologies and Trillium, the event consisted of several panel discussions ranging from the state of Information Security in Pakistan to the CISO’s role in Pakistan’s Business Environment. The event highlighted a number of issues and challenges Pakistan’s business community currently faces.

In the CSO Executive Roundtables held on the 1st of October, panelists highlighted multiple facets of Information Security and how they factor into the bottom line of an organization. The event also discussed how security assessments and metrics can be implemented to enhance organizational security.

One of the key discussions during the event was how an organization can measure the ROI of information security solutions. Over the past decade, there has been a significant increase in information security spending and in augmenting existing IT systems with security protocols and tools, but in the last few years, people have gradually started paying more attention to other vulnerabilities as well; vulnerabilities outside of the IT infrastructure. Security is no longer restricted to a firewall that you implement to keep your database safe, but it is a holistic change in your entire organization that secures information exchanges through any medium, be it electronic, physical or social. As a result, information security spending has increased significantly.

As with any investment, the executive management tends to look at the bottom line, or the return on investment. “In any organization, whenever a business case with respect to information security is presented to the standing committee or board, we have to justify how the proposition delivers value and benefits the organization,” said Farooq Wahab Nayyer, CISO of the Dubai Islamic Bank.

One of the major challenges CISOs face, the argument over whether a certain solution or proposition is actually worth investing in, has existed since the first IT infrastructure was established within an organization. Mr. Nayyer also stated that the best examples of this are the adoption of VPNs and online banking, and that this can be compared to how an organization protects against online fraud and cyber crime.

Information security, despite being one of the most pivotal components of any organization’s infrastructure, is oftentimes the most contested. One of the questions raised during this discussion, by Rizwan Munawwar, country head of Oracle Applications for Business, was: “Looking at budget limitations, how would the management decide whether to invest in an information security proposition, or to invest in a business expansion opportunity? Why should they invest in IS when they can expand the business with the same funds?”

Asher Iqbal, Head of IT Security at KESC, added that “One of the arguments that the executive management always presents is that these ROIs are actually just guesses and estimates. You can’t really be sure about the results or fallout of a risk simply because we do not have enough tangible data on hand. Proper ROIs just aren’t possible till we have hard numbers.”

Shoaib Qureshi, Oracle’s Security Head, stated that “We need to increase awareness. When you invest in a business tool, you naturally expect a return. This return doesn’t really need to be signified by numbers. We need to spread awareness about how hard or how easy it is to implement a certain information security solution and what risks it minimizes.” The bottom line in this scenario is how well the executive management understands how the organization will benefit from the implementation of a certain solution.

Jamaluddin (Oracle) commented that pitching the fallout of a risk is a very convincing argument to sway the management’s decision in your favor, but this isn’t always the best way. Rizwan Munawwar pointed out that “As opposed to asking what we’ll lose if we don’t implement a security solution; why don’t we ask how we’ll benefit from the implementation?” Ammar Hussain Jafri, founder of PISA and Additional GM of the FIA, agreed with Rizwan Munawwar’s comments and further added, “How would you convince your father for a new car? Would you go up to him and tell him the negative aspects of not getting a new car or would you point out the positives?”

Mr. Nayyer stated that “We routinely give briefings to our standing committee for information security about upcoming risks and IS challenges. Creating and enhancing awareness of these challenges actually benefits the organization and influences the end decision quite heavily.”

Mr. Nayyer also pointed out that having a competitive advantage helps any organization tremendously. Add that into the mix and you have a very strong counter-argument for the executive management. If a competitive advantage in any other process can help improve the organization’s bottom line, so too can a distinct advantage in information security.

Highlighting another key aspect of information security, Ammar Jafri commented that “Every organization deals with information security in a different way. We need to think out of the box because risks and vulnerabilities can and will pop up in many, unpredictable ways.” Every organization is unique, and hence needs a distinct, tailor-made solution. Vital as some information security solutions may be, they cannot be adopted simply because the rest of the industry has implemented them. The only way to properly justify IS spending and to show results is to ensure that the organization deploys the right solution and counters the right risks. Sajjad Kirmani, Head of Operations, NetSol, added that “Information Security is highly context dependent and it all depends on what type of business you have. Every business is unique, and has different needs.”

Sajjad Kirmani added, “We need to create awareness; establish a level of understanding about possible issues. The better the executive management understands how the organization is at risk, the easier it will be for them to make a fruitful decision.” This is where the CISO plays a pivotal role and is instrumental in pointing out the right hole to plug in at the right time.

Ammar Jafri suggested that third-party consultants actually have a very good effect on the senior management and “actually help in spreading awareness and a positive outlook in information security matters a lot. The bottom line here is creating awareness!”

On a side note, Saad Rizvi, Sales and Marketing – IS Consultancy, NetSol, pointed out that “The best example of IS leaks comes from the banking sector. We’ve all received numerous calls from people working in our banks selling credit cards. These people have quite a lot of information about us and that clearly is a security breach somewhere.”

Muhammad Kamran, CISO – First Women Bank, added, “All of this started from one bank that came in and started hiring people from other banks. Flash drives gradually and discreetly shifted data from one bank to another through the employees changing jobs. They copied the data they could get and went over to the other bank, and the information they had, our information, slowly spread everywhere.”

Bringing the discussion back to the original topic, Sajjad Kirmani pointed out that the ROI has to be measured in business terms for the executive management. He further asked the panelists whether they look at IS holistically within their organization, or whether they take individual matters piecemeal and address them one at a time. How an organization looks at information security varies from organization to organization, but for the most part they tend to prioritize risks and vulnerabilities and prepare roadmaps to tackle them. The panelists agreed unanimously that numbers are very important for the board, but we simply cannot have precise ROIs every time.

All in all, the roundtable session shed light on several sensitive aspects of information security, from policy-making to how IS departments can spread security awareness among the organization’s employees. It highlighted the importance of investing in the right information security practice at the right time. The bottom line of securing information is knowing where your processes can be compromised, whether through social engineering of your organization’s staff or through some unmonitored, discreet port. It all boils down to how well thought out your security framework is, how well the CISO and executive management understand your vulnerabilities, and how well-coordinated they are.