"The biggest 'do' I encourage, first and foremost, is that CISOs need to get out of the spectrum of IT," according to Samarendra Kumar, Head - Group Information Security, InterGlobe Enterprises. "Don't think of yourself as an IT security organization and restrict yourselves to a support function. The legitimacy of security comes from its impartial, unbiased approach towards driving the entire organization," says Kumar.
What does the new year of 2016 hold for the security world?
Concentration to build various platforms does not work today due to the flat use of processes and flat use of platforms in IT infrastructure. We are moving towards a model wherein the security investments will be done as per what is significant to the organization and how it can be protected. That will be the sole driver. We as an organization prioritize the security processes depending on the data type - secret or confidential, internal or public domain and so on.
Secondly, the model of overly restricting employees and partners around platforms will disappear. And we would be moving more towards the application layer combined with end-user computing. That's the way forward.
Where would you place jargon like APT, IDM and DLP, to name a few: hype cycle or reality?
I would say they are somewhere in the middle path of the adoption curve. Neither are they completely useless nor are they 'must-haves' for an organization. You can stack up all these technologies like IPS, NGF, IDS. But at the end of the day, you have to protect some assets in your company. For example, NGF can restrict employees to Facebook, Twitter. But you would not want to be bothered much about that aspect as they are not posting official posts on social media.
You cannot build in the same state of security for the diamond you hold, the gold you hold and the plants in the garden. All are not equal in terms of asset value and the need for high-end security cover. The security solutions need to be prioritized as per the value of the asset to be protected. However, one can supplement and complement with adequate restricted alert mechanisms. Again, too many alerts are as bad as no alerts. The way the story of Target is being sold is not that they did not have best-of-breed security. They could not restrict the alerts to meaningful alerts.
IGT (InterGlobe Technologies) deployed DLP across the organization last year, which was a challenging project as there were no reference points. This was one of the first full-fledged DLP projects in India's aviation industry. The solution creates the use cases that help protect against data leakage but also do not create a problem for users and continue to give them good usage.