Even as corporates, all over the country, are getting hooked on to LAN, WAN or the Internet network at a frantic speed, driven either by their communications needs or e-business exigencies, network security is not getting the attention it deserves, barring in areas like banking and finance, software and IDCs. Lack of awareness or an understanding of what network security really means may be a reason in some cases. More pertinent is the fact that even organizations that are aware of threats or vulnerabilities have largely been looking askance at issues pertaining to security. Complacency and an escapist attitude overwhelm a reasonable and well-conceived effort at fortifying networks from attackers or intruders. Left to hardware and software, security for most organizations is a comfortable sleep in the lap of firewalls and anti-virus software.

Sometime back when VOICE&DATA asked CTOs of both big and small enterprises as to what were the five biggest challenges and issues they faced with respect to their network and communications infrastructure, none of them made even a passing mention of network security. Interestingly, these included a very large company whose core business is information collection and distribution and also an ISP for whom network itself is the business.

"There is a lack of structured approach to deal with security. Most organisations buy bits and pieces of hardware and security is not seen as an integrated mechanism. People think firewall is everything", says Neel Ratan, partner, global risk management solutions, PricewaterhouseCoopers, India. Most people do not even appreciate the need for security, he points out. S V Ramana, country systems engineering manager, Cisco Systems, agrees when he says that many companies consider the purchase and installation of security hardware to be the end in itself, unmindful of the fact that security is not just a box installed on the network. Swapan Johari, business head, emerging solutions and services, HCL Comnet, cities another issue. "People in charge of the network may be highly aware of the threats or security needs but they don’t seem to have the urgency or pressure to practice ideal security guidelines", he observes.

A broad organizational lack of interest in the issues related to security has led to other anomalies in the corporate India’s approach towards security. On considering the responsibility of the IT, the engagement of the top management or for that matter the larger involvement of people (who could be using the network at various levels in maintaining security discipline) is never considered. "Security is 50 percent products and 50 percent process. And process has to be run, analyzed and managed by the people. And here the people or the process part is largely ignored", says Johari.

All this means that while there are well-documented policies pertaining to several other organizational functions, there is none when it comes to dealing with security. According to KPMG, around 77 percent of the organizations in India do not have a formal security policy. Similarly, Pricewaterhouse Coopers’ IT Security Survey among the top Indian corporates, revealed that even though 74 percent of the companies stated that information security was a high priority for their business, only 17 percent had complete and descriptive methods to monitor their security. This, despite the fact that 60 percent of those surveyed reported security breaches. The lack of well-defined security policy is perhaps one of the main reasons why most organizations do not practice a holistic and focussed approach to security.

And as one thing leads to another – organizations lacking security policies often look at security as something static. This means that while deployment of systems or solutions become an end in itself, periodic assessment of threats or the third party audit of security adequacies is never thought of. Even such minor things like analysis of log generated by firewalls that could give a fair idea of the state of one’s security network are rarely looked at. It is rarely realized that when those looking for holes in it keep changing their destructive weapons, how can be a security system remain unchanged?

Cost is another issue. Cost, it seems, is more often an attitudinal problem with organizations defining it more in terms of the immediate expenditure, instead of taking benefits from preventive measures into account. Security is considered a costly expenditure and an investment. "Organizations are unable to justify an expense for building and maintaining the security systems, and the easy alternative is to deny access to all and share information within a selected few through outdated modes", says Cisco’s Ramana. He adds that whether the justification is based on retention of power of information or lack of skills to manage, access to information is different for each organization.

The other prominent barriers to security are the lack of trained security professionals and the pace of technological changes. These, to a large extent, are outside an organization’s control. "What happens in most cases is that an IT professional doubles as a security professional, in the absence of specialists dealing in security", observes Ratan. The fact that even though organizations themselves lack the skills to maintain and monitor a security mechanism, the idea of outsourcing their security requirements to specialist agencies does not appeal to them, compounds the issue of shortage. "Outsourcing of security management is also seen as a threat, since trust with the security services organization is not desired or non-existent. Also, outsourced security services are seen to be exorbitantly priced", believes Ramana.

And where there is an awareness of vulnerability, network managers find it difficult to keep pace with the promptness of technological changes. "The truth is that CTOs or CIOs and people usually looking after security, are spending more time on understanding the new and emerging technologies", points out Ratan.

The network or for that matter information security scene in India is indeed grave. This is not a sweeping statement but a conclusion drawn from the writer’s interaction with the security consultants, integrators and vendors. And also, the users who described the situation with adjectives like grave and frightening with serious implications not only for the networked businesses but the national image as well. "The damage it can do to the image of the country is very high – especially in such businesses as call centers, ASPs, IDCs, network infrastructure management services", warns Neel Ratan.

However, like the proverbial light at the end of the tunnel, organizations are gradually taking proactive security measures. "The Indian scenario was earlier different, primarily due to the low deployment of IT and the unavailability of the Internet. The situation has changed today. With the deployment of VPNs, companies are beginning to understand the benefits of connectivity as well as the requirements of security", said Ramgopal Vallath, country sales manager, 3Com India. He observes that as the connectivity market develops in India, the security details will also begin to be better understood.

While Vallath may be right when he says things are changing, the fact remains that even the majority of relatively aware people still think of security in terms of technological tools and passwords.

For most organizations, it is just another support function for which provisions need to be made in the budget every year. Unfortunately, network security is very much like the ceremonial unarmed security guards seen outside most offices these days.

As senior management attention and support is lacking, barring few cases, security issues are largely seen in isolation and not as part of the larger organizational goal. Exercises like risk and threat assessment, security policy development, and third party audit of the security system are largely unheard of.

Ravi Shekhar Pandey