What motivates companies to invest their time, effort and money
in securing information? We do not ask this question about physical
security. An imposing structure of the bank inspires confidence
that our precious physical assets must be well guarded in bank
lockers.
However, information is an intangible asset. Its value is mostly
unknown. We do not know if the bank is also guarding our precious
financial assets, which are just bits and bytes of computer data,
in an equally safe manner. There is no visible sign to tell us till
an actual breach of information security happens and our bank
account gets hacked.
Although information is an intangible asset, it is providing
great opportunities for India. Our BPOs and KPOs, which are in the
business of processing information, do convert it into very
tangible profits. However, the assurance they need to provide to
the clients is that the information is handled in a secure manner.
This is definitely a great motivation to invest in information
security. How do companies take up this challenge?
There are two essential motivating factors for information
security: one is ‘Business Driven’ and the second is
‘Risk and Compliance Driven’.
Business driven implementation
Business driven implementation of information security is evident
when the organization has serious business compulsions. The client
has imposed strict requirements towards information security and
unless the organization can demonstrate adherence to best practices
for information security, it may
not get that lucrative assignment. This results in an
‘opportunistic implementation’ of information
security.
Risk and Compliance
Risk and compliance driven implementation is evident when the
organization has to meet some legal or regulatory requirement. Such
compulsion results in ‘checklist implementation’ of
information security.
Non-existent implementation
There is yet another class of organizations where there is no
known requirement of any information security implementation.
Mature implementation
The most noteworthy class of organization is where the management
has realized that information security could be a real business
enabler while meeting the legal and regulatory requirements. This
leads to ‘mature implementation’.
The four types of implementations could be viewed as four
quadrants of information security. It may be worthwhile to identify
the type of implementation done by your organization.
If you identify your organization as belonging to any
quadrant other than the quadrant of ‘mature
implementation’, it is time for you to evaluate the reasons
and try moving towards the ‘mature implementation’
quadrant. Otherwise, your information security efforts are not
giving the right results. If you are in the
‘opportunistic’ quadrant, you may be jumping from
opportunity to opportunity, which may expose you to a sudden
crisis.
If you are in the ‘checklist’ quadrant, you may be
getting a false assurance of security and not even notice
information security lapses till they develop into a crisis. And if
you belong to the ‘non-existent’ quadrant, you are
probably not using modern information technology in a secure
manner and thus may be exposed to unknown risks.
Avinash Kadam is Director, COO and Head of Delivery at MIEL
e-Security