DLP Should be a Decision Based on Requirements
Mahendra Negi, COO & CFO, Trend Micro, has been acknowledged as one of the top Internet analysts in Japan. In a freewheeling discussion with Dominic K he touched upon various issues that concern the information security industry.
A: We have this struggle in the company all the time, especially as we are more sensitive to this issue, because as a security vendor we cannot afford to have a security breach. As we transition towards the knowledge industry, I think decentralisation is almost inevitable. The line between employees and contractors, outsourcing and vendors will eventually blur, and there will be more telecommuting, global organisations; if all that is being driven by business requirements, you can't say no to that. That's when we need to figure out what the security risks involved are and how we are going to address them.
A: I think there are two kinds of users. One user thinks of compliance. They feel that if they do not have a DLP solution, the compliance auditors will point it out. The other one thinks about their enterprise risk and data loss, for example a small outsourcing company like a chip design company which gets its requirements from a major customer. If it's only a 50-employee company, it will be jeopardised if an employee leaks critical information to a competitor. The company may even have to shut down. However, since it's a 50-employee firm, the management doesn't bother, despite it being most critical to them.
At the other extreme, from my perspective, I use this logic: 75 percent compliance is good. I told our auditors, it's not a painting competition where I have to stand first; I'm fine if I pass, and for that I'm willing to cut some corners. So in my mind I do this calculation: the frequency of occurrence of an event and the impact of that event. Look, if that event occurs every 50 years but has a large impact, compared to an event that happens every day but has no impact, are you going to do something about that? Based on that I have to decide.
However, for certain events, I will have to self-insure. For example, if I have to store data for 10 years and I store it only for eight since nobody asked for it, and then one day somebody asks for it, I am done! I may even lose a hundred thousand dollars in compliance, in addition to other hassles. And such events happen once in five years.
It should be a decision based on requirements.
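The frequency-times-impact reasoning above can be written down as a small risk register that decides, per risk, whether a control is worth buying or whether the expected loss is cheaper to self-insure. This is an added illustration, not code from the interview or from Trend Micro; the once-in-five-years, hundred-thousand-dollar retention event comes from the interview, while the other risks and every control cost are constructed figures.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    """One line of a risk register, valued the way the interview describes:
    frequency of occurrence times impact of the event."""
    name: str
    years_between_events: float   # mean interval between occurrences (years)
    impact: float                 # loss per occurrence, in dollars
    annual_control_cost: float    # yearly cost of a control that prevents the event

    @property
    def events_per_year(self) -> float:
        return 1.0 / self.years_between_events

    @property
    def expected_annual_loss(self) -> float:
        # frequency x impact: the amount you lose per year on average
        return self.events_per_year * self.impact


def decide(risk: Risk) -> str:
    """Mitigate when the control costs less than the expected loss it removes;
    otherwise accept the risk and self-insure (reserve the expected loss)."""
    if risk.annual_control_cost < risk.expected_annual_loss:
        return "mitigate"
    return "self-insure"


def rank_by_exposure(risks: List[Risk]) -> List[Risk]:
    """Order risks by expected annual loss, largest first, so the rare but
    large-impact event is not hidden behind daily noise."""
    return sorted(risks, key=lambda r: r.expected_annual_loss, reverse=True)


def self_insurance_reserve(risks: List[Risk]) -> float:
    """Yearly provision needed for everything the register chooses not to mitigate."""
    return sum(r.expected_annual_loss for r in risks if decide(r) == "self-insure")


# Constructed register. Only the retention-gap frequency and impact are taken
# from the interview; the control costs and the other two risks are assumptions.
RETENTION_GAP = Risk("retention-gap", years_between_events=5, impact=100_000, annual_control_cost=30_000)
RARE_BIG = Risk("rare-large-impact", years_between_events=50, impact=5_000_000, annual_control_cost=60_000)
DAILY_NOISE = Risk("daily-no-impact", years_between_events=1 / 365, impact=0, annual_control_cost=5_000)
RISKS = [RETENTION_GAP, RARE_BIG, DAILY_NOISE]


if __name__ == "__main__":
    for r in rank_by_exposure(RISKS):
        print(f"{r.name:20s} expected loss ${r.expected_annual_loss:>12,.0f}/yr  -> {decide(r)}")
    print(f"self-insurance reserve: ${self_insurance_reserve(RISKS):,.0f}/yr")
```

Run as a script it prints the ranked register; the point of the ranking is that the once-in-50-years event tops the list despite never having happened, while the daily event with zero impact sits at the bottom and gets no budget.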
A: Whitelisting and blacklisting are both solutions, but neither of them is a silver bullet. Whitelisting is a major task. You cannot rely on this completely. What if the whitelist got compromised? What if someone did not digitally sign their file? There are so many updates being delivered every day. So whitelisting is a good option but not a silver bullet, and the same goes for blacklisting.
A: Japan is a small country but with a higher level of security awareness, and that makes the environment relatively clean. They wouldn't have the same frequency of security events as India, but the use of IT in India is more innovative because India has constraints, so you have to work around them. In some ways that is the challenge they face, but that is also what the hackers will exploit. I think the big difference is that the evolution in India is much faster and more diverse.
A: We have to follow the hackers, because for us to cover all possibilities is too expensive. Assume you have to break into a house with 20 windows: if we make it completely bulletproof and you walk in through the door, it's a waste. We would have to figure this out once you have entered and react fast upon it. The other reason to promote it is cloud protection.
One of the interesting things is the new detection rate coming from third-party vendors. We considered detection as the only metric, but the other metric is time to retaliate. 99 percent detection is nothing if you take 6 months to protect. So time-to-protect, from the first time the threat was analysed, is critical to ensure a comprehensive solution.
A: Three years down the line, when we recruit employees mid-career, especially if they are from big organisations, they would ask about the strategy document. One of the major realities of this business is that you can't have strategy documents of all kinds; hence the agility of the organisation is the biggest investment. Vectors might change, technology might change, so we have to evolve, otherwise we might be out of business.
So the hacker is always one step ahead, because they are the ones who will exploit the usability. In my view an unconnected computer is safest. See, dial-up is better than broadband, which is better than wireless, but people are driven by usability. Then they say, give me the security to provide that usability. That's why the need for cloud. The CFO wouldn't care what name we give it; he is driven by the cost, whereas some people are driven by its usability. So if usability is driving cloud adoption, then security needs to catch up, because hackers will exploit usability.
So what we need are the invisible bodyguards. If you wanted to go to Chandni Chowk for a stroll but, due to the high crime rate in Delhi, the invisible bodyguard warns you not to, you don't go and you are safe. And if you're flanked by bodyguards, you'll be safe, but it'll take the fun away. Hence if we made security so hard to use, then people won't use the internet. We want to make it as unobtrusive as possible, but give freedom to an extent; the only way to do that is to foresee what the hackers are up to.
