Event CSO Summit
The second annual CSO Summit 2009 witnessed a gathering of more than 50 Chief Security Officers (CSOs) from various verticals to help them gain greater insights about their role. The two-day Summit was organised by 9.9 Media and took place on the 11th and 12th December 2009 at The Westin Sohna Hotel in Gurgaon.
Day 1/Sessions
Keynote 1: Evolving role of the CSO
Vishal Salvi, CISO, HDFC Bank gave the first keynote, where he spoke about the strategic role of the CSO within the enterprise. He stated that security remains intangible until it is delivered, and that many people are now building careers as security officers because the role has become independent rather than merely a part of IT.
Salvi stressed that the CSO's role should focus on making the business more accountable for cost and risk. “Instead of the CSO asking the management for investment, they should explain the risks that the company can face and how technology can help them mitigate such risks,” he said.
He added that it would always be the CSO's role to provide sponsorship and program management and to control the company's security policy; for this, CSOs should keep themselves updated on the latest technology implementations.
Keynote 2: Trends in Information Security in 2010
The second keynote of the summit was delivered by Pinkesh Shah, VP, Product Management, Policy Compliance and Risk Management at McAfee, who briefed the audience about today's evolving threats, the top security trends and ways that can help organisations manage information security.
Shah revealed that a host of new threats, such as malware and phishing attacks, are being targeted at organisations, and that a new malicious website is detected every 30 seconds. Ninety percent of these threats are financially motivated, compared to 40 percent in 2005. He said that it is important for enterprises to understand the root cause behind such threats and to look at the various reasons for their existence, such as misused functionality, malicious intent, design flaws and poor common sense.
According to Shah, the three key trends in Information Security for 2010 would be:
• Extinction of standalone signature-based anti-virus
• Patch panic will no longer be an issue as 96 percent of attacks are patched
• Data-centric security would be more important than network security alone
Panel Discussion: UTM: The new rules of ensuring security
The first day witnessed a panel discussion on emerging trends and technologies in the Unified Threat Management (UTM) landscape. The panel, moderated by Rahul Neel Mani, Editor, The CTO Forum, included Pramod Reddy, AVP and CISO, Applabs and Sachin Jain, CIO and CISO, Evalueserve.
Jain said that having a UTM in a distributed network would not make sense, but that for small companies it would be useful. According to Reddy, small offices only need Internet connectivity, and hence UTM is the best solution. He cited the example of Applabs, which has been using UTM for firewall and IPS for the last four years (and not for spam and anti-virus), and it has been taking the load without facing any threats.
The discussion was quite engaging with many audience members throwing up questions one after the other to the expert panel.
Some quotes on this panel discussion:
Vipin Kumar, Chief General Manager, Head-Information Services, Agri Machinery Group at Escorts: “UTM will not be replaced by desktop agent as it is security in one box; standalone products are very complex. We have been using UTM for the last three years and have never faced any problem.”
K.S. Narayanan, Head-Information Risk Management, ING Vysya Bank: “UTM gives an organisation all the functionality in one box, but I think the market is not yet matured for this solution.”
Pinkesh Shah, VP, Product Management, Policy Compliance and Risk Management at McAfee: “UTM is a consolidation of different security solutions into one, and the vulnerability of an application is not UTM's job; hence whether it is less or more important for a particular organisation (enterprise or SMBs) is not an issue, but is about their requirement.”
Panel Discussion: Economics of security
Enterprises, and IT organisations in particular, are challenged to optimise budgets, resources and time. This discussion therefore addressed topics such as consolidation, point products, balancing the cost of prevention against the cost of risk and remediation, building a hybrid architecture of virtual, hosted and on-premise security, and managing the cost of audits.
The panel was moderated by Sameer Shelke, COO and Co-founder, Aujas Networks and the panel included Ganapathi Subramaniam, GAP Resilience-Information Security Lead, Global Asset Protection, Accenture; Sabyasachi Chakrabarty, Regional Security Manager, APAC, British Telecom and Amit Raj Singh, Practice Manager, Managed Services, Wipro.
Some quotes on this panel discussion:
Sameer Shelke, COO and Co-founder, Aujas Networks: “We as CSOs need to fix security issues in a preventive control manner. Almost 60 percent of the risks that are found in the first audit are repeated, and hence we need to focus on risk management.”
Ganapathi Subramaniam, GAP Resilience-Information Security Lead, Global Asset Protection, Accenture: “Security is more in terms of peace of mind, and hence measurement of security is not achievable and achievement of security is not measurable.”
Amit Raj Singh, Practice Manager, Managed Services at Wipro: “Information security policies should match the organisation's goals, as the CSO needs to answer to different stakeholders. Also, while rolling out security, the CSO should make sure whether an SLA is required or not; if it is, it should be properly signed. The hosted model is cost effective and hence should be preferred.”
K.S. Narayanan, Head-Information Risk Management, ING Vysya Bank: “Consider security as a business risk and then as an IT risk. With this consideration, ROI is easily achievable.”
Keynote 3: Application and role of information security
In this session, G Kiran Raju, Senior Consultant, Applications and Database Security at Wipro, said that the new threat landscape is moving from information-based security to web application and database security, which involves securing custom code, libraries, back-end systems, web application and database servers, and monitoring databases.
Raju said that applications for hacking into a network are easily available on the Internet. For example, if a bank's website is not secure, it will lead to the compromise of customer data. This happens because network security mostly ignores the contents of HTTP traffic.
He recommended threat mitigation steps such as:
• Performing application and database vulnerability scanning
• Implementing a web application firewall
• Building a better and more secure SDLC
• Patching the applications and the databases
Open House: Setting the Agenda for 2010-11
This session was led by Rahul Neel Mani and Burgess Cooper, General Manager, Information Security at Vodafone. The technology, business and leadership priorities of CISOs/CSOs for the year 2010 were discussed.
Some quotes on this session:
Murli Nambiar, CIO-Security officer, Reliance Capital: “CSOs should concentrate more on data security by identifying data and how it gets leaked.”
Vishal Salvi, CISO, HDFC Bank: “CSOs are maturing on risk management, but they should also focus on engaging in the business by acting as an enabler.”
Captain Raghu Raman, CEO, National Intelligence Grid: “CISOs should start assessing themselves; they should start explaining to the management the reasons why things went wrong. Also, while negotiating the budget with the management, the CSO should be straightforward in discussing the pros and cons of not deploying a security solution.”
Kaushal Kumar Chaudhary, GM-CISO: “Most of the CISOs are biased towards IT; we need to lift ourselves from IT towards business and try to handle both.”
Nadeem Quraishi, CISO, Tata Motors: “We should try to reduce costs and this can be done through outsourcing. At the same time, we should also factor the risks associated with it.”
Day 2/Sessions
Keynote Session: Information warfare, cyber terrorism and end-user security: A public-private partnership model for threat avoidance
The three key stakeholders in the information security space today are government, industry and end-users. The panel discussion, with participation from all three stakeholder groups, discussed possible ways to deal with threats such as identity theft, cyber crime, warfare and corporate espionage.
The panel was moderated by Anuradha Das Mathur, Co-founder and Director at 9.9 Media and the panel included Captain Raghu Raman, CEO, National Intelligence Grid; Felix Mohan, CISO, Bharti-Airtel and Summet Singh, Senior Consultant, Wipro Consulting Services.
Some quotes on this session:
Captain Raghu Raman, CEO, National Intelligence Grid: “Security needs public-private partnership. The big difference between government and private sector firms is that the private sector is profit oriented. In the government sector each crime is dealt with by different government segments, and hence there should be complete synchronisation.”
Summet Singh, Senior Consultant, Wipro Consulting Services: “The public-private partnership should not be an option but should be made mandatory. Government also plays a crucial role by forming laws and systems to tackle threats.”
Felix Mohan, CISO, Bharti-Airtel: “The public-private partnership is of two types, viz. regulatory and collaboration driven. Regulatory mandates are there in all countries, but we as corporate entities should not counter them but should stand in a unified form.”
Panel Discussion: Transforming business through governance, risk and compliance (GRC)
This track discussed best practices, including how to leverage risk metrics and the need for a unified control framework to reduce the total cost of ownership of compliance. The panel concluded that GRC is more than software, as it involves IT, risk, finance etc., and hence a comprehensive GRC will be handy. In addition, a unified approach to adopting the framework was also considered necessary.
The panel included Vishal Salvi, CISO, HDFC Bank; Burgess Cooper, General Manager Information Security at Vodafone; Murli Nambiar, CIO-Security officer, Reliance Capital and B M Rangan, CSO, Quattro BPO. The session was moderated by Rahul Neel Mani.
Some quotes on this panel discussion:
B M Rangan, CSO, Quattro BPO: “The GRC initiative connects directly to the management and there is a need to look at all possible shareholders.”
Vishal Salvi, CISO, HDFC Bank: “Today I cannot think of any organisation that has adopted an automated GRC, but in future they will be.”
Murli Nambiar, CIO-Security officer, Reliance Capital: “There is a need to have a unified GRC instead of having them in silos, as there could be overlaps when they function in silos.”
Panel Discussion: Leading the security and risk management teams through turbulent times
This track discussed leading an information security or risk management function as a special responsibility requiring a mix of technical, political and social skills.
The panel included Sameer Shelke, COO and Co-founder, Aujas Networks; Rishi Bhargava, Director, Product Management, Risk and Compliance Business, McAfee; Sunil Gujral, CTO, Quattro BPO and Siddharth Vishwanath, Associate Director, Performance Improvement, PWC India.
Some quotes on this panel discussion:
Rishi Bhargava, Director, Product Management, Risk and Compliance Business, McAfee: “There is a need to go cross functional. The cost of reporting that a customer’s credit card is stolen is high and hence it’s crucial to articulate the cost of non-compliance.”
Siddharth Vishwanath, Associate Director, Performance Improvement, PWC India: “Specific measures related to a particular initiative should be looked at, and then, depending on the initiative, clear metrics should be defined.”
Sameer Shelke, COO and Co-founder, Aujas Networks: “The most difficult task is to manage our own team. Also, creating awareness among users is not helpful; we need to educate them.”
Sunil Gujral, CTO, Quattro BPO: “Security should be looked at as a facilitator. Organisations should focus on innovation and skill sets.”
Panel Discussion: Security in virtual and cloud environment
Cloud computing is gaining traction with businesses, and so this session discussed the unique security risks it entails. The panelists of this last session included Pramod Reddy, AVP and CISO, Applabs; Rajeev Seoni, CIO, Ernst and Young and Felix Mohan, CISO, Bharti Airtel.
Felix Mohan, CISO, Bharti Airtel: “Cloud computing risks are related to data, people, organisation, provider and supply chain, governance and compliance etc.”
Rajeev Seoni, CIO, Ernst and Young: “Every vendor has a different definition for cloud computing; we need to have a common platform. There are vendors that are pushing cloud, but it depends on the need of the organisation. Security in the cloud is a critical aspect, as the data resides in an unknown place and hence it is not safe. Private clouds are more secure.”
Pramod Reddy, AVP and CISO, Applabs: “Security in the cloud is business driven. The organisation should first consider what type of data they want to move to the cloud; if the data is not critical, then security is not a major concern. Cloud is evolving, and the issues related to it will be discussed and resolved in the coming years.”
Vishal Salvi, CISO, HDFC Bank: “In terms of convenience there is a lot of scalability that a virtual environment can provide, but cost and compliance are major challenges. Questions linked to some legal aspects of the cloud are still not defined.”