Security: Paranoid About IT Security

DQI Bureau
New Update

One of the alarming trends noticed in the past year was the way corporates

were responding to the challenges of digital security. A bit of fear is

essential to kick start any change and given a choice between an indifferent

management and a concerned one. Most would prefer the latter. However, when the

concerns of an ignorant management lead to paranoid actions, the results could

be devastating. 


Advances in technologies and great products notwithstanding, let us not

forget that the aim of security is to reduce risk to acceptable limits. It is

not to try and eliminate risk at the cost of business. However, several

experiences seem to indicate that many organizations have launched a digital

security crusade that ignores this basic tenet of risk management.

The most apparent of this manifestation is the management's obsession with

monitoring employees and laying down 'security' restrictions. Various

companies ask their visitors to deposit their cell phones and USB drives at the

security counter. This is done to avoid any security breaches.

Security or Embargo

Let's try and get real here. What is the aim of a corporate office? Among

other things, an organization's headquarter is its interface with the external

world. Sure there are certain areas which are sensitive and it is only fair to

restrict entry to such parts of the premises but when one is asked to deposit

all electronic items at the gate, it is reminiscent of a high security prison

rather than a corporate office. But for the sake of argument let us take this a

step further and examine whether such extreme measures actually improve

security. Actually they don't.


Firstly, the security guards are pretty much relying on the declaration of

the visitor about his personal belongings. If the organization gets about 400

visitors a day chances are that more than 99% of them are law abiding citizens

with no ulterior motive. And the one odd hostile person will hardly

'declare' his intent at the gate. Thus a system that relies on the thief to

declare his intent of theft is a pretty lame one. Besides, where does one stop?

An iPod can double up as a USB drive. Incidentally, recent versions of the Swiss

army knives have USB drives built in and frankly until networks within companies

get upgraded to the levels of transporting megabytes of data in real-time, the

USB drives do perform a very real function.

Tackling Web Threat

Certain corporates also seem to have fallen for the classic parody of

using technology just because it is there. Web monitoring is one such example.

There are a plethora of tools that allow the management to monitor the web

activities of their employees. So in theory, one can observe just what each one

is up to. But the question is-to what purpose? It is a given fact that on a

typical day a certain percentage of time of the employees will be spent in

browsing the net or perhaps checking private mails. So what? Couldn't the

employee be making private calls or writing private letters? In an age where

most employees spend upward of 12 hours in the job environment or commuting to

it, isn't it fair to expect them to attend to some personal tasks during that

time. Ok, so there is that one odd person who is spending most of the time on

the net surfing, but since when did software becomes a substitute for managing



For Improving Information Security
  • CEOs should have an

    annual information security evaluation conducted, review the results

    with staff, and report on performance to the board of directors

  • Any security system

    should take into account the human resource angle

  • Organizations

    should conduct periodic risk assessments of information assets as part

    of a risk management program

  • Organizations

    should establish a security management structure to assign explicit

    individual roles, responsibilities, authority, and accountability

  • Organizations

    should provide information security awareness, training and education

    for accountability among all users, including partners, suppliers and


  • Implement

    mechanisms for user authentication and authorization when accessing

    organization's network

  • Organizations

    should conduct periodic testing and evaluation to determine the

    effectiveness of information security policies and procedures

  • Control physical

    access to information assets and information technology

  • Develop business

    continuity and recovery plans. Test them regularly


Besides, there is the point of privacy. In any socio-economic framework,

every employee has the right to her privacy. While the management may have a

technical right to monitor it's assets, one can doubt that it does much good

for the morale of the employees to get the message that they are not trusted.

There can be some basic hygiene such as barring of porn or sites containing

racial material but banning Web mail accounts etc is downright unwarranted. Not

in this day and age where most employees are considered to be knowledge workers,

even if they are engaged in non-IT work. This makes it absolutely essential for

organizations to understand the implications of stringent procedures and polices

on its most valuable asset, employees. Hence to achieve its desired goals, a

corporate security policy should align itself to the HR policies of the


Best Practices in Place

Understand that the entire gamut of security management systems comprise

primarily of three components-identity and access management, threat

management, and security information management. All these help an organization

achieve operational efficiencies and regulatory compliance, as well as contain

costs, mitigate risk and ensure continuous business operations.

In an age

where most employees spend upward of 12 hours in the job environment or

commuting to it, isn't it fair to expect them to attend to some personal

tasks during that time

In order to achieve these corporate objectives, organizations need to have a

robust system in place. The reason why most of the organizations act

over-zealously in matters of security because they do not incorporate some of

the best practices into their operations to improve information security.

So a concerned management must exercise jurisprudence while protecting their

assets. With increased number of online users and the associated challenges,

organizations must understand the need of security within the IT framework.

Their criterion should be that whatever the IT deployment, it has to bring value

to the company both in terms of data protection, increased business and enhanced

employee morale. Finally, security system should serve its purpose rather than

be deployed because others are doing it. In short there is no need to get

paranoid about security else one could end up with a very secure but demoralized

and inefficient organization.

Captain Raghu Raman, CEO,

Mahindra Special Services Group