Overall security – Who is responsible?
Sheetal Srivastava
Posted On Tuesday, July 29, 2008 at 02:46:25 PM





Information security has always been the centre of attention for organisations. It is imperative for the management to focus on mitigating risks and threats within organisations.
External as well as internal threats are quite prevalent, and there is no doubt that both need to be guarded against, depending on the nature of business. “Some people have lost their web identity, while few others have lost their servers due to virus/worm etc,” says Mohan Ram, MD, Lattice Bridge Infotech.
IT security seems to be a very generic term considering the breadth of the security function.
Physical security typically involves controlling the accessibility to the locations where the IT infrastructure is housed by using biometric access, advanced CCTVs, mantraps, etc. “We use the six zone system to protect infrastructure. Data security is done by multiple layers of firewall, port management, anti-viruses, IDS, IPS, etc.,” affirms Sridhar Reddy, chairman and managing director, Ctrl S.
There are many facets of security, such as access control, email security, firewalls, intrusion detection, data leak prevention, and so on. Is it necessary for an organisation to protect against all of them? More importantly, is it possible to do so? “It is possible to protect the data from most of the dangers through proper planning, continuous updating and monitoring,” says Reddy. “For companies who cannot afford huge investments, but the data integrity is critical, outsourcing to data centres is the best way forward,” he adds.
Having said the above, there is still a reasonable amount of confusion. Who is ultimately responsible for the overall security in organisations? “Security has to move away from being a technology issue to a business related issue. Security means including everyone and everything,” asserts Reddy.
However, Ganesh Vanapalli, chief security officer, Asia Pacific, BT, says that the Board and the CEO are the ones who are ultimately responsible for any non-compliance by the organisation, whether regulatory or financial. “Depending on the organisational structure, a few corporates have a CSO/CISO who owns the security/compliance issues. In others, where a CSO is not present, the CFO or CTO is responsible.”
Prakash Seernani, COO, Synlog, is of a different opinion. He feels that while it is true that all responsibility finally ends at the CEO, it is incorrect to hold him entirely responsible. It actually falls in the realm of a CSO (Chief Security Officer).
He says, “The team under the CSO is cross-functional and controls not only electronic, but physical security as well. The IT security policy is created and owned by the CSO, while it is implemented by the rest of the organisation (both line and staff). Every organisational policy or regulation change needs the approval of the CSO.”
Many organisations do not warrant a full-time CSO, and thus the role is played by either the CIO or the CTO. An organisation needs to look at the value of the information that is being protected, along with the probability of its theft and the damage that it will cause, in order to justify the investment. Security has already become a boardroom issue. But CEOs, the board of directors, and auditing committees of large enterprises need to increase their security awareness. It is also important to understand that all employees need security awareness training.
The modern knowledge economy has changed the meaning of security. Previously, the assets to be protected used to be mostly goods and physical assets. Today, especially in the service industry, these are insignificant compared to the “Information or data”. “The situation can be addressed by creating a new role called Chief Information Security Officer,” concludes Reddy.

Post Your Comments
Samrina Says:
I know of some bank which lost all its data during the Mumbai floods. And it takes a lot of money to recover the data, and besides, it is sometimes not possible to retrieve all the data. Just imagine what will happen if your company doesn’t have a data protection system in place and you suddenly lose all your data. Many small organizations go out of business every year due to data loss.
Bhawna Says:
Well written article! Information security is indeed crucial for the success or failure of a company. Keep writing such articles. Cheers!
Yasar Says:
This article again proves the already existing norm in the industry, i.e., in this information age, security for the information is a must.







