Security Lies In The Mind And Not In Technology

by Ankush Sohoni    Dec 20, 2004

Security today has metamorphosed into a necessity. While enterprises are definitely becoming more aware of the need to be secure, are they actually working towards adequately ensuring their safety?

“No, mere purchase of security solutions is not the answer,” asserts Captain Raghu Raman, CEO - Mahindra Special Services Group in a riveting conversation with CXOtoday.

Starting with some of the common misconceptions prevailing, he stated, “The general perception that technology ensures safety is worse than not implementing security at all, as this enables people to be under the false belief that they are secure. Security essentially is all in the mind. Technology is present to enable implementation of security strategies. Information security is not about increasing security, but aligning it.”

According to him, enterprises must understand that investing in security technologies will not guarantee that they are safe. What it does do is largely minimize the losses caused by security breaches. Illustrating his view with an example, he continued, “When a phishing scam occurs, customers tend to blame it on the bank. But this accusation is not justified if the bank has made a genuine effort to harden its network.”

Raman, with more than 15 years of experience in the information security arena, urges enterprises to realize the importance of intellectual property rights (IPR). “Even an institution like a school needs information security. We need to realize what we have, the value that it holds and protect this information,” added Raman.

According to him, many enterprises conduct an audit to check if their systems are in order. However, an audit is nothing but a policy. A policy without procedure is worth nothing. “Evaluating a process is much better and more effective than just making a ‘motherhood’ statement. That is what an audit is, a motherhood statement,” declared Raman.

The need of the hour is a change in the mindset of the people working in an organization. People need to be aware of security and how a security breach can affect them indirectly, according to Raman.

“Many enterprises assign the role of security to a CIO; however, CIOs go completely wrong when it comes down to evaluating their own systems, mainly because they do not possess the expertise to drill down, dismantle and investigate a security system. They are also less interested in exposing the flaws of a system they have implemented themselves and they think more in terms of defense. When you are dealing with hackers and cyber criminals you have to be an attacker, you have to fight back and beat a hacker at his own game,” asserted Capt. Raman.

He recommends that enterprises on the road to safety consider hiring an external auditing company. An enterprise will not realize its flaws without proof extracted from its own systems. After the enterprise has been made aware of its flaws, there has to be a complete change management process in the enterprise, and security has to be in the minds of its employees. Awareness is the key to a secure Web-dominated computing environment.

In addition to several government agencies, Raman has served the United Nations in various information warfare divisions. Capt. Raman is currently on the panel of RSA, Forum Engelberg, MDI, and ITBT.
