'Security should not hamper business'

by Abhinna Shreshtha    Apr 26, 2010

What is the top threat before organizations, according to you?

The majority of threats today are from inside the organization and not outside. They need not be consciously malicious but could result from negligence or carelessness on the part of employees. To give you an example, we have an employee working with us whose wife is working for our competitor. Now, this happens with many organizations and it is not necessarily a reason for mistrust, but still you need some kind of monitoring system, technical or policy-based, to know how data is being used, who is using it, and whether an unauthorized person is viewing classified data.

This becomes even more pertinent when you have employees in the field or working from home.

You spoke of the importance of creating a security-conscious atmosphere. How does a company go about doing this?

We have implemented a data monitoring system to monitor data usage. At the same time, when an employee views or uses some data, his/her immediate superior is made aware and given ownership of the data. This instills responsibility towards security within the team.

In most cases, employees feel security is the responsibility of the technology team. Even IT teams are not immune from this kind of thinking. "Don’t own security" would be my advice to IT teams; align it directly with the business, thus making everyone in the company an equal stakeholder on security issues.

Apart from this, what would be your advice to your peers when it comes to security?

When you buy a new product or deploy a new technology, ensure that it is compliant with your security standards. Another important thing is that security should not hamper the business. What I mean by this is that having a secure organization is obviously very important, but this should not cause customer dissatisfaction or loss of business.

To give an example, we have operations in different regions throughout the country and bandwidth is a major issue. Now, if I have a client who wants to log in to the system to make a transaction, and if his bandwidth is so low that 3-factor authentication makes the transaction very slow, there is a high chance that the client might just get frustrated and go away without making a transaction.

So here you have a perfectly fine security system, but due to infrastructure constraints you are potentially losing out on customers. This is something that CIOs and IT teams should keep in mind. There is no optimal solution; one can only know how well it works once we start using it, but ensure that business does not suffer, and if you feel this is happening, then immediately stop using it and start looking for other options.