We built simple tool Ad Manager on our DLP solution which brought down the alerts at IGT to less than 50 alerts per day from earlier number of 20,000. That humongous number did not make much sense. Also we had a single policy leading to 100000 alerts a day. However majority of them were false alerts.
Deepening on the importance and data sensitivity of company assets, you need to prioritize, spend accordingly and build controls around it.
Mobile devices be it tablets, smartphones, wearables are compelling enterprises to adopt for IAM or IDM?
I have realized that any identity strategy built only for employees does not work. It has to traverse across the organization that includes vendors, partners, customers and other external stakeholders. All these identities converged into a single source and managing all of them is not an easy job. It is a gradual process and that's how an organization is able to build a strong IDM foundation.
One should not try to shoot too much in IDM space. But pick applications selectively around two parameters which we have been doing for the entire group. I lead security for 7 group companies. The challenge was putting 600 applications for IDM would not work. We selectively picked 5 applications (total of 35) from each group company under IDM out of 100 to 200 apps per company. The two relevant criteria for IDM are critically of the application from sensitivity of information standpoint and secondly the mass number of users.
If an application needs to be tied for identity of 10 users then it does not make sense for IDM as simpler and faster solutions are available. But if the company has a sizeable population plus the sensitive information that needs accountability, then IDM makes logical sense. That's what mobility is all about because if the application is secure though IDM then any mobility strategy or mobile devices can be rolled out.
Any Dos and Don'ts for peer CISOs building for a robust security posture at their organization?
The biggest Do I encourage - first and foremost - is that CISOs need to get out of the spectrum of IT. Don't think of yourself as an IT security organization and restrict yourselves to a support function. The legitimacy of security comes from its impartial, unbiased approach towards driving the entire organization. Looking at true risk posture and reporting it back to the orgn and supplementing and building in security controls.
If you say that you are an advisor to help you protect the business. If IndiGo runs a ticketing system and I work in an advisory capacity where I advise the business and also advice the IT team on security controls, the synergistic approach will be beneficial to the company. You will have 360 degree of whole thing rather than living in a cocoon in a silo of an IT support function. You should exist as a function like all other function like legal, finance as a separate entity of the organization.
Sign up for CIO Asia eNewsletters.