
'The challenge is going to get tougher'

Business Standard New Delhi
Last Updated : Feb 06 2013 | 5:15 PM IST
On October 12, the National Association of Software and Service Companies (Nasscom) and Ice World held in New Delhi a round table discussion on security in the information technology industry.
 
The participants were Dr. Michael T. Clark, Chief Executive Officer, IGTL Solutions, (a former Executive Director of the US-India Business Council); Arshad Matin, Executive Vice President, Bindview Corporation, US (a former Partner at McKinsey & Company); Vijay Mukhi, IT expert, public representative director on the Bombay Stock Exchange's governing council and Head of Nasscom's special interest group on security; Abhay Gupte, Partner and National Director for Enterprise Risk Services, Deloitte Haskins & Sells; and Sunil Mehta, Vice President, Nasscom. The discussions were moderated by Palakunnathu G Mathai. Edited excerpts:

Moderator: Let me throw up a few issues. Do we do enough to ensure IT security? That is, do we have adequate data protection laws?
 
Do companies know the kind of data that they should protect, do we have a security culture or do Indian companies have a 'chalta hai' attitude?

Michael T Clark: The first thing is, security compared to what? Nowhere in the world is the level of security what it needs to be. One, the access to networks is broadening very rapidly and so keeping closed circuits is getting tougher, particularly as businesses want to go mobile, want 24x7 access to their networks. So this will become a matter of greater concern.

Secondly, whose responsibility is it to assure security? When and how? What is the role of the government, the private sector, other institutions, including Nasscom? What is the role of self-regulation versus public legal regulation?
 
The security record in India has been pretty good so far. Strikingly, most of it has been handled at the firm level. Unlike intellectual property protection, say, in patents where the issue was that you first had to have a legal regime, in the IT and the BPO area we actually had a very different approach – to work it out at the firm level, develop contracts and then use India's independent legal system to enforce contracts.

Arshad Matin: Some factors are driving the focus on security in the US and in the rest of the world. One is the growing complexity in IT. There is a proliferation of devices – cellphones, wireless networks – which are putting an extra strain on security. There are an increasing number of attacks.

The time between when a vulnerability is known and the time it is actually exploited is shortening. That is driving the increased focus on security. There is a lot of integration across platforms within an enterprise and across enterprises between partners and customers which is exposing the vulnerability in the system.
 
A second driver is regulations, and we are seeing a lot of this in the US and western Europe today and it is beginning to bleed over to India because of BPO and other offshore activities. Section 404 of the Sarbanes-Oxley Act explicitly mandates chief financial officers (CFOs) and chief executive officers (CEOs) to certify that due care was taken in securing the network and infrastructure.
 
A slew of other regulations like BS 7799, the Gramm-Leach-Bliley Act (GLBA) in the banking sector and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 in healthcare have similar requirements.
 
Finally, just as India has become an integral part of the value chain as a supplier of software talent and so on, we expect that over time Indian companies will increasingly begin to build expertise around security. We ourselves have set up a development centre in Pune and are beginning to add security specific talent to it.
 
A lot of software companies that sell to the US will be mandated by their customers to certify that the way they develop their software is actually secure. That, again, will drive a lot of focus on security in India.

Vijay Mukhi: I don't see any major problem with security in the country because we don't have so many transactions online. But the stock exchanges already do Rs 10,000 crore a day. Give another six months, and we will see an explosion of attacks. Secondly, we need more regulation in India because, the world over, the more regulation you have, the more security gets enhanced. Otherwise nobody really bothers about security. Thirdly, if India is to be the BPO destination of the world, we have no choice but to be known as secure. Otherwise the West will use security as a stick to make sure that data does not come here.
 
Security has the potential of touching every human being. Science.org, a well known site, installed Windows XP on a machine and put it up on the internet. Thirty minutes later it was compromised. This means that every person's machine which uses Windows, if he does not take precautions, will be virused. So it is not just a business issue, but a people issue.

Abhay Gupte: The Securities & Exchange Board of India (Sebi) also wants to introduce clause 49 to the listing agreement. However, it still is to be formally accepted. It requires the CEO and CFO to be certifying financial statements and internal controls. Considering that there will be similar regulations in India, we need to be aware how information security is addressed in the Indian environment as well.

The most important thing is the control culture in an organisation. It should not be just merely a regulatory-driven or compliance-driven kind of thing. The organisation needs to ensure that security exists, that information is protected and that everybody within the organisation complies with that culture.
 
Thirdly, when you develop applications you need to build in security. Typically, you implement the software, develop applications and then you go and check whether there is adequate security and start adding security pieces to applications later on. We need to look at incorporating security when applications are developed – incorporate issues like access control, validation and things like that in a secured manner.

Sunil Mehta: All our research, customer audits and experiences indicate that the prevailing security practices in Indian IT and BPO companies are more often than not considerably higher than those existing at customer organisations within the US and UK. The issue that we as an industry body are grappling with is: how do we create an ecosystem that will drive best security practices? How can India take the lead in establishing new security standards around the world and proactively reposition India as a trusted sourcing destination? It is no longer labour cost arbitrage or greater quality or greater productivity, but it is a trusted sourcing destination.
 
To do that, you need to have a whole ecosystem around it. It is then not only the IT or the BPO companies, it is the enforcement authorities, the judiciary, the employees within the industry.
 
The regulatory environment in the US is a mix of self-regulation as well as industry specific regulation. The European Union has a far more onerous regime. The EU Privacy Directive is fairly stringent and only a couple of countries around the world have been able to adhere to it. We are looking at how we can maintain a mix of our self-regulation plus draw the best out of US and EU laws and incorporate these into it.
 
India needs to have a robust legal framework which will address our security. Our security and privacy are two sides of the same coin. We are extensively engaged with customer organisations in the US and industry bodies in the UK. Within the next 3 to 6 months, the already advanced legal framework in India will become even more robust.
 
Moderator: What has been the government's response to all this?
 
Mukhi: The government's role is public relations. When it comes to security, it hasn't done very much. The world over the electronic world is insecure. We have a wonderful opportunity to go around telling everyone that this is how secure we are. We don't seem to be doing that.
 
Moderator: Do you agree with this?
 
Clark: Given the ordinary experience of most internet consumers today, the challenge for India is going to get a lot tougher because the challenge in the US is about to get a lot tougher. The point about cyber security is no longer just the internet and then every other form of communication. It is now all linked. People find that on their home computers they can't go to many sites without getting attacked.
 
If you go to some well-known sites, even security web sites, you may find yourself getting into trouble. The debate in government is really not about whether we can convince everybody that it is secure. In the US it is fairly simple – there are two propositions. Is there a problem with the internet? Yes. Can governments fix it? No. But somebody has to do something – use the threat of regulation as a club to force the industry to get its act together.
 
The position of the software developers is to keep government out of this. The data privacy directive in the EU gets into this debate in two ways. The Anglo Saxon view is that you develop a law to deal with the problems that have emerged.
 
The European view is to develop a law to anticipate and to regulate the problems before they can emerge. The other part of it is plain old trade warfare. You develop different regulatory regimes to make it difficult for players to be global.
 
But in the OECD countries, there is going to be a lot of pressure on the software industry to look at the way it deals with vulnerability assessments. The industry is not very interested in having this getting around at all. Equipment makers and others have a very different view, which is that industry needs to be informed and, if there is vulnerability, it has to be made aware of it. This debate will blow into the open.
 
We were with our friends in the implementation of security for the Bombay Police in August. My company was involved in implementing a British standard which comes out of an ISO standard. I asked a very naïve question – 'Why are we using a British standard? Why don't we have an Indian standard?' Shouldn't we be looking at using Nasscom as a forum to develop a very rigorous Indian standard? Then you get a kind of first mover benefit. We are delivering BS 7799 because it is the best in the market today.
 
We think that we can probably come up with something more rigorous and independent and then negotiate with the two other sides (the US and the EU) to say, does this standard meet it? We are not going to be able to do the US safe harbour provisions because for that you need the ecosystem that Sunil was talking about. One problem with that, as with patent law, is that they are not easy to build, they are expensive, and a lot of players have to be brought into the game.
 
Mukhi: I agree with Michael. Today there is no gold standard for security alone. There is that open space for India to create that gold standard. Most of the standards don't have much weight. And in the security world, the technology is changing. Your standard has to keep evolving over time.
 
Moderator: You have a welter of regulations. Is another security standard the best answer? Will our more stringent standard be accepted by others?
 
Matin: Both ISO 17799 and BS 7799 are two big standards. As a vendor selling software in that space, we support both of them. What we find, though, is that each customer has its own implementation of these standards because it looks at its business requirements, at the regulatory environment it lives in and then at its own unique situation.
 
It will be great to have an Indian standard which is better than anything that is out there. On the other hand, the real challenge will be implementing that in an organisation. Most attacks happen from the inside. So the government can play some role but when it comes down to brass tacks, day-to-day operations have more to do with the top-down mandate of setting up policies or setting up interim audit mechanisms, investing in technology, knowledge and people.
 
In India, service providers have to offer a level of credibility and trust to customers in the US. Enterprises in India will have to come up with a management culture, process and organisation to back it up so that their internal controls are in place. Standards play a very important role, but they can only take it this far and no further.
 
Moderator: But do we have a security culture at the company level?
 
Gupte: Under the Sarbanes-Oxley requirement, whenever work is outsourced to a third party, you are required to get an audit done under the Statement on Auditing Standards No. 70 of the American Institute of Certified Public Accountants.
 
If that particular organisation is not an ISO or BS 7799 organisation, you cannot place reliance on that certification. You have got to go and do the audit and gather internal control information. Whichever standard you are following, whether it is BS 7799 or ISO or any Indian standard, you have still to go through the rigours of the internal control environment. A standard is something that indicates where you are.
 
Matin: Internal controls are part of the CEO-level dashboard. I know that first hand because I personally get calls when an organisation is unable to generate a weekly report which captures the state of security in that organisation because of some issue with the product itself. So it is not in every organisation but it is beginning to permeate and emerge.
 
Moderator: How widespread is this?
 
Matin: It is more widespread in the more regulated industries, obviously in the financial institutions and the healthcare institutions. Anybody who is exposed to big fines and to a bad press around privacy are the ones who actually are paying a lot of attention to this issue. And they are looking for an on-going way of measuring it.
 
In fact, I would say that instead of investing in a new standard, what will be great is if we could develop an index of security. You can look at a number of different factors – what is the state of known vulnerability today in the market place? How did my scans overnight do? How many servers in my global network met or did not meet these requirements? How many violations did I see overnight? And you combine those things and come up with an index.
 
Clark: What is a standard? It simply defines what you mean by security and says people should do x, y and z. We have just done this. We took the Customer Operation Performance Certification (COPC) standard for our call centre operations and not only mapped out how we are going to achieve it, but we built a dashboard.
 
That gives us not only all the parameters in real time of all the SLAs, but also 39 COPC standards. We showed it to a customer only last week, how with the press of a button we get it live and there is a print button by which we suddenly know how the thing was built, what they have done, etc.
 
Mukhi: No matter what clients do, the number of security incidents is growing exponentially. Bill Gates has said that security is the defining moment of Microsoft. Linux is selling more today because it is perceived to be more secure. No matter what standard we adopt, no matter how many detection systems we have, the problem is getting worse. And as more and more transactions go online, it will get even worse.
 
Moderator: What can you do about it?
 
Mehta: From our perspective, it isn't only about our technological standards or BS 7799. If global standards exist, we can build on those, have them endorsed by customers and implement them through a rigorous audit methodology.
 
So as an association we are evolving this framework which has the standard, the audit methodology and which is endorsed by customers and regulators and say, 'Yes, this evolved out of India, all Indian companies adhere to it.' That may still leave the issue of industry specific regulations on GLBA, HIPAA.
 
Matin: And we do all of that at a reasonable cost. In the Sarbanes-Oxley in the US this year, companies have to meet the November deadline. The amount of money that has been spent by public companies in the US is phenomenal. They are actually embarrassed to make public how much they are spending.
 
I've talked to Fortune 300 companies, and they have had hundreds of people internally hundred per cent dedicated to Sarbanes-Oxley and IT is only a big piece of it. They have had external consultants doing that work. They are telling us that next year when they go through Sarbanes-Oxley, they better find a more cost effective way of doing it. They want to be complying without too much of a push and to do it at the right cost. There has to be more investment in automation, in standardising and in making this more repeatable every year. If you don't do that, people will just comply for the sake of complying as opposed to truly becoming more secure.
 
Moderator: Reverting to Mukhi's earlier point, why are more attacks taking place?
 
Mukhi: Because we don't know how to write software.
 
Clark: You are not answering the question why it is happening. You are saying it can happen.
 
Mukhi: We never place this while writing software that somebody is going to do things that he should be doing. That is the fundamental problem. We need to rewrite all the rules of writing software.
 
Matin: That is an important reason but not the only reason. As a security software vendor, we sit on both sides of the table. The Department of Defence (DoD) and other government agencies in the US are beginning to push vendors to certify that the way they wrote the software is secure and there is a certification process. There are labs that look at each line of the code that you write and certify.
 
That is very costly and time consuming. But there are people who are beginning to focus exactly on what you are saying. Another side issue with implications for Indian companies, is that DoD is also very leery of buying software that is not developed in the US. It can't really implement it because it cannot buy any software these days. It only wants one with a 'developed in the US' stamp on it.
 
But it is beginning to focus on how and where software is developed and where it is certified. But we can make the operating system and the applications more secure, but there will always be a group of people who will find a way to get around it.
 
Clark: If you want to look at the issue of security squarely, there is the other side of communication called the 'Revolution in Military Affairs' in the US. Governments want to maximise security in their communications. They don't want the private actors to have the same level of security. So this is an issue of encryption levels, particularly when you get into telecommunications. Perhaps it is something that should be taken up during this hi-tech cooperation group as an item.
 
Moderator: How often are business continuity plans (BCPs) tested? Are they adequate?
 
Matin: They are adequate. It is clear from some results from research. They say pretty clearly that there are certain patterns around companies that do a good job versus those that don't. And the ones that do a good job in security tend to have more security staff. It is a very simple thing – you just have more people dedicated to security. And it is not just people who are doing day to day work but people with a high visibility function, often reporting to the risk operation section and not to the CIO. So the chief security officer might report to the chief risk officer who might report to the CFO. They really separate the security function completely from the IT function.
 
Gupte: The higher end companies that are providing the services have most of their service level agreements (SLAs) in place with the foreign companies for which they are providing the services. They do follow the rigours of following business continuity plans (BCPs) or things like that.
 
But if even organisations within the country have a mandated disclosure – that they have a BCP in place, they have a security officer and so on – it makes it much easier for people to do business with them. That is something that we should try to achieve. Otherwise it is only known to the auditor and to the company, not to customers with whom they do business.
 
Mukhi: I am the public relations director on the Bombay Stock Exchange.
 
We do about Rs 2000 crores a day. I don't see security discussed at the board level. The banks are very serious about security but once again it is a closed system. So the amount of security awareness within the company depends upon the level of transactions it is handling. Most Indian companies are not handling much. So they don't take it seriously.
 
Moderator: Mr Mehta, you'd mentioned the ecosystem.
 
Mehta: Globally, the ecosystem of security has been driven not so much by internet security, hacking and so on but also by this whole issue of anti-terrorism. They are inter-connected and create a perception of being under attack. I don't see that changing in the near future. It might even get heightened, which is apparent at the perception level.
 
If I as an ordinary US citizen am going to be bombarded daily by at least 30 to 40 messages from various media about alerts, it creates a huge perception problem which no amount of regulations or technology solutions are going to solve. To me that is a huge concern. Two, if it is going to be a perception issue, how do we as an industry address it at the real and perception levels?
 
Moderator: Thank you very much.

First Published: Nov 03 2004 | 12:00 AM IST