Just like other processes in an organization, Information Security has its own set of challenges before it is embedded into the fabric of a business. Keeping in mind the critical role that InfoSec plays in keeping businesses competitive, few companies are able to really get a handle on how its planning can be executed and enforced through the layers of the organization. In previous issues of CSO Pakistan we’ve talked to professionals about some common challenges organizations face, and here, we speak to Talha Habib, lecturer at UAAR and an Information Security Analyst at NIMIS about the misconceptions and security-specific HR issues faced by Pakistani organizations.
One would think that security is the responsibility of the IT department. After all, it’s all technology and code isn’t it? According to Talha Habib, there are some critical misconceptions with how Information Security is viewed within the organization itself which creates many of these problems. “Information Security is not just the IT department’s job,” he says. “As long as InfoSec is looked upon as an expense by the top management, they will never take ownership of it and drive its policies as they need to be implemented.” Just like the success of any migration sits in whether or not the top management believes in it, Information Security, the field that is supposed to minimize how vulnerable an organization is, will always struggle to do its function.
“Once again, the Management buy-in and oversight is important but the IS department must lead Information Security within an organization. IT personnel have to make things available, secure or not. Keep a network running, map out a connectivity route or bring a remote location online. These are some functions of IT. Security, a big concern, must be led by InfoSec Teams.” Even if it’s one person, there has to be a champion who deals with security policies before IT makes something live or brings it online. Consider the InfoSec champion a translator between IT and the rest of the organization. People within the organization have a request based on a business need. They convey this requirement to the IT department, which maps out the solution and makes it happen. The InfoSec guy in the middle needs to be aware of the request and the consequences its execution will have on the organization, from all angles. It should be the InfoSec team that assesses whether or not the request will make another part of the organization’s archives vulnerable. Based on this risk assessment, the IT department will then be given a list of security controls which must be implemented as part of their solution.
Business-related designations of specific responsibilities are more commonly understood and appreciated than specialist roles such as IT or IS. “There are some major problems with InfoSec in local organizations. The fact that there is very little or no support from the management for the implementation of security is critical. There is a general lack of awareness of security measures and protocols. It’s just not there in our organizational culture or environment. Lastly, I think the appreciation of what InfoSec measures can do for the success of a company, is always undermined by the company staff and employees.” Try to implement something as basic as a universal block on USB ports across all workstations and you’ll feel every InfoSec department’s pain.
There are specific policies for data-at-rest as well as for data-in-transit, for example. Companies whose entire survival depends on the integrity of their data obviously understand the significance of these policies. “It’s not the IT companies that need to be educated on the critical importance of Information Security – it’s everyone else who isn’t a technology company and yet has their survival dependent on their intellectual capital!”
Management gets several things wrong. The first is assuming that Information Security can be implemented overnight; it cannot, and it never will be. The second is that when an organization decides to adopt policies from other organizations, it fails to customize the terms. In fact, based on its specific ecosystem and business practices, every country or region has its own set of IS benchmarks to follow. Having said that, every company has to start somewhere, and looking at policies and practices that are implemented in other companies is usually the best place to start.
But what guidelines should companies in Pakistan be adhering to? Talha explains, “While it is logical that businesses follow specific guidelines across a particular region, it really depends on what sector they are in. It is more important that the organization adheres to international best practices or guidelines pertinent to the specific business industry.” For example, banking and finance, healthcare, software development would all
Talha says, “The Information Security market is quite small in Pakistan so professionals usually have enough awareness about opportunities in Pakistan. But the IT guys don’t have too much exposure or awareness of the field of Information Security or the opportunities it offers.” Areas such as Business Continuity Planning, Disaster Management, network redundancy and related areas are extremely important. Talha says, “Organizations are oblivious to the risk of terrorist attacks. They should be able to proactively decide and plan for business continuity and resumption.”
And of course, when we talk about Information Security, the question about legislation always comes up. So – how about the legislation? Is there enough pressure from legislation to actually implement and enforce security framework within organizations? “Actually, the security framework is only implemented to satisfy specific requirements, but that’s not the problem. It’s the enforcement which is the missing link. Security frameworks and standards are implemented but they are not properly maintained, nor are they enforced, hence making them useless documents.”
The Hype
There is so much hype about Cloud Computing and the consolidation of data and resources. It has everyone trying to grab a piece of the action without really being able to talk through their concerns. Sure, SaaS and PaaS are ways to plug some of your business functions into an existing system, hopefully cutting back on some of your local configuration headaches, but how much do people really know about their security aspects? In organizations in the West, there seem to be enough common interest groups and discussion forums which help InfoSec specialists share their concerns and work through their security fears. And the discussion helps to put concepts into perspective, which can then help companies make the security-savvy decisions that they need to. So is there enough discussion taking place involving security analysts and consultants to put the right perspective in place for Pakistani organizations?
Talha doesn’t even hesitate on this one. “No, IT and security professionals do not have forums to discuss these issues or technologies. Security Consultants and Analysts must discuss the advantage and security concerns of Cloud Computing since it is becoming increasingly popular.” Of late, in fact, security professionals have raised several concerns that there are more issues with the Cloud than are yet understood, and that the move to it really needs to happen more slowly.
Forums need to do more than just lead discussion – they need to be able to identify areas where local organizations may be weaker and be an interaction point between companies and professionals. Talha stresses that local forums such as the Pakistan Information Security Association (PISA) can help promote widespread awareness, share the latest technologies, discuss security trends and conduct Research and Development in Pakistan. “It’s not the technology that is the problem – it’s the lack of understanding on how to use it responsibly. Thanks to the proliferation of the Internet, for example, everyone has access to the Web, but the education of how to use it intelligently, is lacking.” Organizations are no exception.
WHAT DO YOU THINK?
Do you agree? Have you had an experience with the things Talha Habib is talking about? Information Security is a very new field that can help to change the shape of the way things are in the workplace today. Do you think the awareness of these measures and benchmarks will increase in Pakistan with time?
Share your predictions, opinions and general feedback about the article with us online or send us an email to info@ciopakistan.com – Remember, the more you write back, the longer we can carry on a discussion that makes an impact.
Very true,
InfoSec is not only the IT department’s job, but the realization that employees need to protect information and be aware is the real job.
Great insights into our IT environment.
Excellent article!
I totally agree with Talha!
Well done. Good article with relevant material.
Nice topic and most of the content is accurate, but one must keep in view that Information Security is not a practice but an attitude towards doing business. Information Technology and Human Resources play a pivotal role in driving business; besides many benefits they also inherit unforeseen RISKS that should be addressed with an IS Policy, because these policies are derived from actual incidents and the experiences of sufferers; if you’re not learning from the experience of others then you have to pay the price sooner or later, either in the form of monetary value or goodwill.
Also, an important point that was missing in the article is: “Information Security must be designed and customized for the needs of a particular business and environment; for this purpose a professional must have in-depth knowledge of the business as well as knowledge of technology for countering threats.”
Very nice article. It sure helps a lot in creating awareness about Information Security.
I definitely agree on the point that Information Security discussion forums should move to the next level to help extensive discussion on the issues of emerging technologies, including cloud computing.