
Are [w]e Ready Salim Ghauri?!

Posted by Rabia Garib on Nov 28th, 2008 and filed under CSO Pakistan.

Now that's a question everyone has on their minds. Are we? And if we are, then exactly how eReady? The Chairman and CEO of NetSol Technologies, Salim Ghauri, is no stranger to the IT industry or to the security challenges it faces. After all, his company is one of the few ISO 27001 (information security) certified IT companies in Pakistan, and it has a dedicated Information Security division staffed by qualified experts in the field. You are probably already aware of many of these competencies and certifications: the expertise includes CISSP, ISO 27001 Lead Auditors, CISA and CISP, who help to ensure secure application development and comprehensive enterprise-level information security within NetSol.
A few weeks ago, when the veteran technology professional announced a program called "Secure Pakistan", CSO Pakistan got in touch with him to find out more.

There have been several platforms organized by many organizations to spread awareness about security in the past. What makes 'Secure Pakistan' any different from what is already out there?
Spreading awareness is only one of many functions of the 'Secure Pakistan' platform. The platform has been organized to provide solutions for implementing proactive security through structured and systematic frameworks, standards and services, which include a Computer Emergency Response Team (CERT), a Digital Forensics Lab, a Security Operations Center (SOC) and formal training for internationally recognized qualifications and certifications.

The CERT is a team of IT security experts whose main business will be to provide reactive services, such as alerts and warnings and the handling, analysis, response and coordination of incidents, vulnerabilities and artifacts; proactive services, such as announcements, technology watch, security audits/assessments, and configuration and maintenance of security; and security quality management services, which include risk analysis, business continuity and disaster recovery.

The Digital Forensics Lab will be fully equipped with the state-of-the-art tools and technologies required for forensic analysis of any digital evidence or device. The lab will provide services for the investigation of cases that involve security violations: analysis of computer hard drives and other electronic media, recovery of deleted files, partitions and formatted drives, internet investigations, expert witness testimony, and forensic imaging of all original electronic media. It will serve in situations where an organization opts not to go to law enforcement agencies, for whatever reason.

The Security Operations Center (SOC) will perform continuous real-time monitoring and management of firewalls, intrusion detection systems, intrusion prevention systems, virtual private networks, anti-virus, patch management, asset management and other security products, including expert analysis of log data and immediate response to potential security threats.

How secure do you feel our financial sector is?
There are many opportunities for improvement in our financial sector, because where there is money there is a risk of fraud. Since most banks offer some range of electronic services, it is easy to infiltrate a bank securely through a computer instead of with a gun. That is why we read so much about electronic fraud in Pakistan's financial sector. There is a great need for comprehensive enterprise-level IT security in the financial sector. The positive thing is that the process has been initiated, and we are proud to say that one of the leading commercial banks in Pakistan has signed an agreement with NetSol to provide consultancy for comprehensive enterprise-level IT security.

So let's say the ideal scenario is one in which an industry as sensitive as finance is that secure. In an ideal situation, what kind of impact would it have on growth or revenue?
Increased IT security leads to a decrease in fraud, losses and costs, which in turn leads to public confidence, domestic as well as international. This confidence will bring more investment into the market, including FDI.

Do you really think the financial sector, as an example, can justify the expenses involved in IT security when the ROI may not be very high?
If we look at recent incidents in the financial sector, it's obvious that the organizations that spent more on IT security were safer from electronic crime.

Secondly, if the investment in IT security is done haphazardly and without planning, you may be right in saying the "ROI may not be very high". But if a systematic risk assessment is conducted, calculating risks, exposure factor, annualized rate of occurrence and annualized loss expectancy, together with a cost-benefit analysis of countermeasures, the ROI becomes justifiable.

Thirdly, calculating the ROI of IT security is also tricky. Can you really quantify the successful infiltration attempts if nothing was harmed or damaged?
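A worked version of the cost-benefit arithmetic mentioned in the answer above, added here as an example and not part of the interview or of NetSol's work. It chains the textbook quantities (single loss expectancy = asset value x exposure factor, annualized loss expectancy = SLE x annualized rate of occurrence) into a return-on-security-investment figure for each candidate control and keeps only the controls whose risk reduction exceeds their yearly cost. The asset value, exposure factors, rates and control costs are constructed figures, and the control names are hypothetical.

```python
"""Quantitative risk analysis: SLE, ALE and countermeasure cost-benefit.

Every number below is constructed for illustration; none comes from the
interview or from any real bank.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Countermeasure:
    name: str               # hypothetical control name
    annual_cost: float      # yearly cost of the control (licences, staff, audits)
    residual_ef: float      # exposure factor that remains once the control is in place
    residual_aro: float     # annualized rate of occurrence that remains


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the loss from one incident against the asset."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction of asset value")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year under a given set of controls."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def net_annual_benefit(asset_value: float, ef: float, aro: float, control: Countermeasure) -> float:
    """Cost-benefit of one control: ALE before, minus ALE after, minus the control's cost."""
    before = annualized_loss_expectancy(asset_value, ef, aro)
    after = annualized_loss_expectancy(asset_value, control.residual_ef, control.residual_aro)
    return before - after - control.annual_cost


def return_on_security_investment(asset_value: float, ef: float, aro: float,
                                  control: Countermeasure) -> float:
    """ROSI = (ALE_before - ALE_after - cost) / cost; the spend is justified when > 0."""
    if control.annual_cost <= 0:
        raise ValueError("a control with no cost has an undefined ROSI")
    return net_annual_benefit(asset_value, ef, aro, control) / control.annual_cost


def rank_countermeasures(asset_value: float, ef: float, aro: float, options):
    """(name, net benefit) pairs, best first, dropping controls that cost more than they save."""
    scored = [(c.name, net_annual_benefit(asset_value, ef, aro, c)) for c in options]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)


# Constructed scenario: a core banking database exposed to electronic fraud.
ASSET_VALUE = 10_000_000.0   # replacement cost plus regulatory and reputational loss
EXPOSURE_FACTOR = 0.30       # one successful fraud incident costs 30% of that value
ARO = 0.5                    # one such incident every two years with today's controls

OPTIONS = [
    Countermeasure("24x7 SOC monitoring", annual_cost=200_000.0, residual_ef=0.10, residual_aro=0.25),
    Countermeasure("full re-platforming", annual_cost=1_600_000.0, residual_ef=0.01, residual_aro=0.10),
    Countermeasure("annual awareness talk", annual_cost=5_000.0, residual_ef=0.30, residual_aro=0.5),
]

if __name__ == "__main__":
    print(f"ALE today: {annualized_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR, ARO):,.0f}")
    for c in OPTIONS:
        print(f"{c.name:24s} net benefit "
              f"{net_annual_benefit(ASSET_VALUE, EXPOSURE_FACTOR, ARO, c):>12,.0f}  "
              f"ROSI {return_on_security_investment(ASSET_VALUE, EXPOSURE_FACTOR, ARO, c):.2f}")
    print("Worth buying:", rank_countermeasures(ASSET_VALUE, EXPOSURE_FACTOR, ARO, OPTIONS))
```

With these constructed inputs the current ALE is 1,500,000 a year. The monitoring option cuts it to 250,000 for 200,000 a year (net benefit 1,050,000, ROSI 5.25); the expensive re-platforming reduces the loss almost to zero but costs more than it saves (net benefit negative), and the awareness talk changes neither factor, so only the first control survives the ranking. That is the shape of the argument in the answer: the spend is justifiable when the assessment is done with these quantities rather than by buying products haphazardly.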

How is it possible to assess the vulnerability of an organization? Most organizations don't know their systems have been compromised until it's too late.
There are many approaches, checklists, standards and best practices available, such as the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), Control Objectives for Information and related Technology (COBIT), BS 25999 (Business Continuity Management) and, last but not least, BS 7799 / ISO 27001 / ISO 27002 (Information Security Management System, ISMS). These enable an organization to implement IT security proactively, before an incident strikes. ISO 27001 / ISMS implements enterprise-level information security in a very comprehensive manner, addressing each and every possible issue of information security.

I would say that in the current scenario ISO 27001 / ISMS is a must for every IT-enabled company.

If IT security is so critical, does it really need to be part of policy? Shouldn't it be left to individual organizations to maintain the level of their security?
It should be part of the policy of each individual organization as well as the policy of the whole country. The Ministry of IT is reviewing the ICT policy for the next five years, and information security has been introduced as one of the areas in this policy.

It shouldn't be left to individual organizations to maintain the level of their security. In the general interest of our nation and the public at large, regulators should play their role by enforcing IT security standards and best practices such as ISO 27001 as a mandatory requirement for industry. Regulators such as the PSEB, PTA, SBP and OGRA should play their role for the IT, telecom, financial and oil and gas industries respectively. The PSEB has taken a step ahead by sponsoring IT companies to achieve ISO 27001 / ISMS certification. This step would definitely attract foreign investment and customers to the industry. The PSEB should be a role model for other regulators.

What kind of impact will security checks and balances have on Pakistan's software exports, if any?
The world is now concerned about privacy, confidentiality, accuracy, integrity and availability, which can only be achieved through IT security. Many international regulations such as SOX, HIPAA and Basel require IT security for vendors and outsourced companies.

I would go a step further and say that if we do not implement IT security in our organizations, we will begin losing our business. That's why our neighboring country has 426 certified companies, which makes it the country with the second highest number of ISO 27001 (information security) certified companies in the world. This is one main reason that most of the BPO and IT-related business in the world works with them.

In your opinion, how has the role of the CSO changed over the years?
The role of the CSO is to protect the assets and property of the organization. Previously, an individual who wanted to steal or damage assets and property had the option of penetrating physical assets. Today, the malicious attacker can penetrate remotely to steal or damage the information assets or intellectual property of an organization. Therefore the new role of CISO (Chief Information Security Officer) is a must in every IT-enabled company. Besides securing brick-and-mortar walls and windows, the security of Microsoft Windows™ and firewalls will also be the responsibility of the CISO.

Parting voice of reason?
Our government, financial and telecom sector organizations rely heavily on foreign and imported applications, which inadvertently carry an inherent risk of information leakage or even remotely controllable options. Many products, including Israeli-developed firewalls, have been discovered to have such features. There may be many other attacks, such as logic bombs, trap doors, hidden code, pseudo flaws, maintenance hooks, sniffing, covert channels and salami attacks.

Our industry and human resources have the potential and capability to fulfil the security needs of all sectors. As Bruce Schneier, a well-known international expert in information security and author of famous cryptographic algorithms, put it: "Pakistanis are the fathers of IT security, because the first computer virus was developed by a Pakistani, which gave birth to the field of IT security".

The need is to redirect the abilities of Pakistan's intelligent and creative human resources in the right direction by giving them opportunities to work in their own country. This can be done by acquiring all applications and software from local and secure IT companies in Pakistan.


2 Responses for “Are [w]e Ready Salim Ghauri?!”

  1. Waqar Ahmed says:

    Well done, CIO Pakistan team, for making this such an interesting and informative forum.


  2. Junaid Mansoor says:

    Hi,

    It's good to hear about your program 'Secure Pakistan'. I am currently getting CISA training from the Skill Development Council. Since you are deeply involved in this field, I would appreciate it if you could suggest what my next three stages should be in order to establish my career in this field. FYI, I am also getting ERP implementation training, and I am also an Exec. MBA (IT). I can send you more details if wanted. Your reply will be much appreciated.

    Regards
    Junaid Mansoor

