Risky Environment
Rapidly deteriorating information-threat perceptions
have catapulted information security from obscurity
to front-page news. The CERT Coordination Center at
Carnegie Mellon University (which monitors global information
security incidents) has reported a 68% increase in the
number of attacks on enterprises in 2003. The environment
is only worsening. Each day brings a fresh crop of security
headlines: about ten new software vulnerabilities
are reported, five critical security patches are released,
and 20 new viruses assault the Internet.
Corporate espionage through network penetration has
become routine, and cyber crime is rising at an alarming
rate. Today there is a flourishing market for machines
that can be controlled remotely to host porn, send spam
or launch attacks, and large blocks of such infected
machines are openly offered for sale on the Internet
(the going price for access to 10,000 such compromised
machines is $5,000). Of particular concern is that many
of these compromised machines sit inside corporate
networks, placing the intellectual property of the penetrated
enterprises at grave risk. Today, inadequately
protected enterprises are at the mercy of cyber extortionists
and malicious competitors who can launch denial-of-service
attacks at the click of a mouse.
Managing Information Risk
Security attacks and breaches can devastate an enterprise:
they can crash business operations, tarnish corporate reputation,
and weaken customer and shareholder trust, resulting
in significant financial losses. But information security
cannot be achieved through technology alone. Though
security solutions have a technological component, the
larger part relates to managing people and process uncertainties.
Security is primarily a business problem, and companies
need to approach information security as they do any
other business uncertainty: in terms of risk management.
However, traditional risk management strategies have
been found inadequate worldwide to manage the complexities
of present-day information-related risks. One reason for
this is that risk managers, who usually sit in
the financial silo, are disconnected from technical
and operational managers, so decisions regarding pre-emptive
information security measures remain at a distance from
traditional risk management. It is becoming crucial
to integrate all aspects of information security (risk
analysis, protection, control and reaction) with traditional
risk management (risk analysis, avoidance and transfer)
through proactive Information Risk Management (IRM)
strategies.
The Indian Scenario
Competition and globalisation require that Indian Industry
be competitive in terms of cost and quality. A prime
enabler of this is Information Technology. The Economic
Times CIO 2004 Survey highlighted that 83% of the Indian
companies surveyed believed that IT contributed significantly
to their business. As companies become more and
more strategically dependent on IT, they are also being
exposed more and more to potentially crippling information-related
risks that can threaten the very survival of the enterprise.
Today, it is no longer enough for Management to
ensure that IT investment delivers value and enables
the business; they must also ensure that the investment
encompasses what it would take to mitigate the risks
that may arise from its deployment. IRM strategies make
this possible.
To be globally competitive, Indian companies will have
to meet the increasingly demanding standards of international
corporate and IT security governance. Already, the security
factor has become vital to the growth of the Indian
BPO industry. To be perceived as a 'trusted sourcing
destination', not only is the quality capability of
Indian companies important, but also (and more importantly)
their security capability. IRM has come to play a pivotal
role in getting there.
CII's IRM Initiative
Keeping in step with the unfolding business environment,
the CII has expanded its suite of Industry-enabling
services (TQM, WTO, IPR, etc.) to include IRM. Notably,
the CII IRM initiative, rolled out on 16th August 2004
in association with SecureSynergy, India's leading Information
Assurance company, is the first of its kind in the country
aimed at meeting Industry's imperative for robust
information security practices.
The CII IRM service offers comprehensive consultancy
and training, details of which are available on
this site. Seminars, workshops and an IRM newsletter
aimed at keeping Industry posted on the latest developments
in information security form part of the service.
The CII IRM Consultancy encompasses three areas:
i) Security Services, covering all aspects of managing information-related
risks: security policies, audits, risk assessments,
business continuity planning, etc.;
ii) Compliance Services, to enable Industry to comply with
international regulatory regimes such as the Sarbanes-Oxley Act,
HIPAA, the Gramm-Leach-Bliley Act, 21 CFR Part 11, etc.;
iii) Certification Services, for attaining security best-practice
certifications such as BS 7799.
The CII IRM training seeks to empower business and technical
managers with practical information on the management
and technical aspects of information security. Moreover,
since 70% of information security breaches are caused
internally, the CII IRM service includes Corporate Training
and Certification of employees on end-user aspects of
information security, fulfilling a vital Industry
need. The training will be offered at all CII regional
centres, at corporate sites, and through a six-month
correspondence course on the essentials of information security.
The Bottom-line: Though innumerable forums have
voiced concern over the need for robust information
security practices to enhance competitiveness, not much
'walking the talk' has happened to enable Industry to implement
them. The CII IRM Initiative sets out to do this, in
keeping with its mission of making India Inc globally
competitive.