“There’s no such thing as foolproof security; you can only increase the levels of deterrence”
Dinesh Pillai, CEO of Mahindra SSG, talked to Prashant L Rao about the company’s nomination for an IFSEC award, common issues that turn up while doing information security risk assessments, business continuity in India and how companies can deal with BYOD.
Tell us more about Project Firewall, for which you have been nominated for an IFSEC award.
That was a project that we did for Dr. Reddy’s. We studied the organization, went back to the management and showed them the risk that they faced on a short- as well as a long-term basis. That made them understand that perhaps they had not adequately looked at their information and physical security. We were asked to fix the gaps that we had identified in physical and information security, as well as in training people. We did the pilot for three locations. We have ensured that whatever we recommended has been implemented. We restructured the organization, put in metrics, generated procedures for asset lifecycle management, trained people on the new procedures, etc. Based on the successful pilot, they have given us another 16 locations.
What are the most common issues that you come across while doing information security risk assessments?
From a strategic POV, the top management thinks that everything is in place and that if something goes wrong, they should get an alert. They may have invested in technology but, because of a lack of process, people and accountability, that technology is wasted. You have to start with the process and people and then move on to deploying technology. That’s how the flow should go. When it comes to security, people tend to go straight to technology, thinking that it will magically solve all of their problems. Most of them forget about the parts that should come first: process and people. Most of the time, accountability for information security rests with the IT team and accountability for physical security with the administration department. These are the service departments, and the business units will never take them seriously. Unless accountability lies with the business, any initiative will die in three to six months.
Another mistake that companies make is that they don’t tell the employee what’s expected of him or her.
People tend to believe that this is a cost center rather than an investment. Most organizations lack the mechanisms to figure out if something is going wrong.
Most companies give safety a high priority. We try to show organizations that, if lapses in safety can hit you, so can gaps in information security. Once the management is convinced, then it becomes easier to manage the situation.
How comprehensive are the Business Continuity plans of Indian companies?
If you look at DR/BC in manufacturing, when anything happens at the plant level, it is unlikely that you can do anything to recover from that. What you do is look at your critical processes, at things like customer service and compliance, that have to be revived. In the financial sector, the daily report has to be generated. In DR, crisis management (how you react to a disaster) is being practiced by most organizations. DR is still being looked at as an IT backup. This is more on the technology front. If you are looking at BC, then it’s a different game. There you are looking at a situation where a process has to come back up within a few hours. The BC plan will involve an alternate facility, workforce, technology, etc. That’s much more complicated, and few companies are geared towards that unless pushed to do so by regulations.
Which are the key standards that are important from an information security perspective?
ISO 27001 and 27005 are the standards here. Essentially, the standards are saying that there are 130-odd controls and, if you have these, you can get certified. Getting certified doesn’t indicate that a company is truly secure, however. The standard doesn’t talk about process gaps, or about issues in the business that can fail because of the lack of integration of technology, process and people. When we do projects, we don’t base things completely on ISO standards. We tell clients that, if you want to do certification, it’s a part of the process.
How do you advise companies to deal with BYOD?
Today companies are allowing BYOD for a few reasons. It brings down OPEX, the updates and obsolescence are taken care of by the employee, and there’s a huge capital saving in terms of the cost and maintenance of equipment. There are sufficient controls that you can put in place on devices to stop employees from using them in violation of company policies. For example, you aren’t allowed to copy stuff onto USB drives. You can look at a dual login system where you log into a personal space to access personal stuff, and when you are in a company login, what you are doing is monitored. There’s no such thing as foolproof security; you can only increase the levels of deterrence. It requires discipline from both the organization’s and the employees’ side. Today, lots of employees use data cards and laptops. The moment you connect through a data card or airport Wi-Fi, your entire security infrastructure is bypassed. You need to implement some elements of your security on the laptop, through measures like data encryption, in this instance.