IT security is a complex undertaking: ISACA | SupportBiz


The complexity of ensuring information security is steadily increasing for all businesses. Providing some insightful aspects of the status of information security among Indian SMEs, A Rafeq, Community Leader on COBIT 5, Knowledge Center, ISACA, shared his views with Faiz Askari, Editor North of
ISACA, a global association of 95,000 IT security, assurance and governance professionals, enables increased availability of IT personnel.

Threats to the IT infrastructure of SMEs

According to a recent study by Gartner, India is the ninth-largest economy in the world, and the pace of economic growth in India is expected to continually increase.

Despite global economic challenges, enterprises are expected to continue to invest in Information Technology (IT), with IT spending in India projected to grow 9.1 percent at $79.8 billion in 2012 against $71.1 billion in 2011.

India, like other emerging markets, continues to exercise strong momentum despite inflationary pressures and appreciation of local currencies, which are expected in rising economies.

This growth in IT investments in India has been seen not only in large enterprises, but also in small and medium enterprises (SME). There is increasing dependence on IT for delivering services to customers even in the SME sector.

This has brought the role of IT into sharp focus and increased the threats to IT infrastructures. The IT threats for SMEs arise more on account of the nature and size of SMEs and the manpower available.

The primary IT threats for SMEs are:

  • Breakdown/failure of IT infrastructure: hardware, network, system software, application software, etc.
  • Loss or theft of IT resources, including data, impacting business due to lack of awareness of the need for IT security and a low level of controls.
  • Lack of adequate security affecting the confidentiality, integrity and availability of IT resources.
  • Dependence on a few personnel for managing IT, dependency on IT vendors and lack of skilled manpower due to lack of processes, policies, procedures, standards and guidelines.
  • Lack of independent assurance of the status of IT security and controls.

Availability of skilled manpower for IT security is one of the key focus areas for ISACA. Opportunities in the Indian market…

In India, there are 10 chapters of ISACA in all metros and other cities which have more than 6,000 members to date. Further, there are more than 5,000 professionals based in India who have earned an ISACA certification: CISA, CISM, CGEIT and CRISC.

The member profile…

The members and certified professionals are from different sectors such as government, public and private and include professionals at different layers of management ranging from top level to operational level and from diverse backgrounds such as management, IT, assurance, risk, security and control. There are more than 2,000 professionals from India who take up the certification exams of ISACA every year.

Key challenges faced in terms of ensuring security for common users

The key challenges in IT security are primarily lack of awareness, lack of involvement by senior management, absence of relevant policies and procedures, lack of documentation, lack of adequate business continuity planning, laxity in securing data, and dependency on vendors/key personnel.

The most important challenge is the mindset of accepting the status quo and not taking action till the security incident actually happens, leading to problems and disruption in service.

We believe that ignorance is bliss: if nothing has happened so far, nothing serious will happen in the near future, and we will see when it happens, so why bother now.

This type of thinking is a serious cause of concern in implementing adequate security.

Users of everyday technology are now regularly using mobile, social media and other online applications for their business activity. The IT security aspect of all this…

There is no doubt that advances in information technology over the past decade have created a much more flexible work environment. Social media is being used as one of the key mediums for attracting and retaining customers.

However, with every new technology, there are new and increased risks which need to be mitigated by implementing appropriate security.

Social media as a consumer-oriented technology is increasingly being leveraged as a powerful, low-cost tool for enterprises to drive business objectives such as enhanced customer interaction, greater brand recognition and more effective employee recruitment.

While social media affords enterprises many potential benefits, information risk professionals are concerned about its inherent risks such as data leakage, malware propagation and privacy infringement.

Considering such transformation in business communications usage, the threats that are affecting this market…

Enterprises seeking to integrate social media into their business strategy must adopt a cross-functional, strategic approach that addresses risks, impacts and mitigation steps, along with appropriate governance and assurance measures.

For example, the key risks of social media applications in enterprises are:

  • Malicious software entering the corporate network
  • Loss of employee productivity
  • Risk of sensitive information being shared on personal networking sites
  • Reputational damage due to employee behavior on personal networking sites

In large organizations the concept of CISOs (Chief Information Security Officers) is gaining much popularity. Is the same transformation on the cards in mid-sized or smaller businesses?

Although ideal, it may not be practically feasible to have a full-time CISO for mid-sized or smaller businesses, as the value/volume of transactions does not warrant a dedicated person.

However, the responsibilities of a CISO would be discharged by an IT professional who may be assigned other IT security/maintenance responsibilities.