Security & Privacy: Making the Case
Sagar Karan of Fullerton India, on Influencing Senior Management
How relevant is ROI when demonstrating the value of security to senior management? How seriously do Indian organizations take the practice of privacy? Sagar Karan, CISO at credit organization Fullerton India, shares his insights on these topics.
Emerging security threats are taking a toll on organizations and their traditional security investments, says Karan, who is based in Mumbai. What was cutting-edge security technology yesterday may already be on its way out today. And upper management may be slow to react to these changes, putting the burden on security leaders to build their business cases for new investments.
"Considering the way in which threats are evolving today, you are always going to be building a new case for investment," Karan says. "Existing investments are never going to be enough."
ISMG spoke with Karan at the recent Interop conference held in Mumbai, where he was part of a lively discussion on demonstrating security ROI to the management. In this exclusive interview, Karan shares insights on the changing nature of translating security to the management. Karan also comments on:
- The privacy implications arising from data breaches;
- How organizations respond to the privacy ecosystem in India;
- The legalities involved in a data breach.
Karan has close to 14 years of working experience, the past six of which have been in financial services. He has been invited to various industry forums to speak on security issues. He was previously the CISO at Kotak Life Insurance and the BISO at Reliance Capital. Karan believes that information security, rather than merely being a technology issue, is more of a 'people' issue.
On Selling Security
Varun Haran: What are some of the ways in which the value of investing in security can be translated to senior management?
Sagar Karan: Today an ROI figure may not be the correct measure to demonstrate the value of security or investment into security. If you look at some recent breaches like UPS and Target, it's not like these organizations did not have a mature security practice or a mature preemptive alert mechanism in place. But still the management failed to see it coming. This could happen to any organization that is focusing on whatever information is available today and pegging their measurement of security on that.
But when it comes to a zero-day attack, there is no way of knowing what will happen and when. And this is precisely where explaining the value of investing and trying to be a step ahead of where others are today really makes sense. If we take the latest threats that the world is facing -- the advanced threats and advanced evasion techniques -- you may have very well-defined perimeter security within your organization. However, the data can still get stolen the minute these devices stray out of the perimeter. For many security incidents, value cannot be directly ascribed.
Haran: Apart from measuring security based on the reputation or brand damage, what are other ways to measure security impact on a company or brand?
Karan: Whether your management feels that the brand is completely protected against such issues would depend on the geography you are working in and how strong your brand is. For example, if you are in the lending business -- you don't store credit card information, etc. -- incidents like website defacement really won't make much impact because people come to you to borrow. They are concerned with your products, your interest rates. So in such cases, the yardstick for measurement would be different.
In my opinion, there are many ways to show your management the value of security. This has to be in the context of the business. While the basic ROI-centric approach for valuing security might not be as relevant in today's security scenario, the statistics in terms of the threats your security mitigated against the investment that helped you prevent those threats play an important role. Breach prevention certainly is a selling point, as is showcasing security as an enabler for new business opportunities and revenue streams.
But more than that it is the connection you can establish with the management and your understanding of their business concerns. Considering the way in which threats are evolving today, you are always going to be building a new case for investment. Existing investments are never going to be enough. Soft skills may be the most important skill a security person can have when it comes to selling security to the line of business.
Haran: Data loss from breaches also has privacy implications. What is the situation in India as far as the privacy ecosystem is concerned?
Karan: In the Indian context, the security norms are fixed by the government or the regulator, and are very loosely defined for non-banking finance entities like Fullerton, for instance. The guidelines always read as 'this is good to have.' The interpretation of phrases like 'reasonable security' is left to the interpretation of individuals like us. When it comes to an individual interpretation, it's the company's core value which takes precedence.
Fullerton India holds personally identifiable information (PII) of customers that is also an asset for us. Cross-selling resulting from leakage of this information can hurt our business directly. However, this may not necessarily be the view taken by the market. Customer awareness has also historically been an issue in the Indian geography -- consumers are not aware, or have not been made aware because of very loosely held governing controls.
The IT Act in India talks about reasonable security and privacy that any organization managing personally identifiable information needs to take care of. We have regulations saying that privacy should be protected; however, many organizations may be taking advantage of the lack of awareness at the consumer level to ignore the privacy issue. The onus to prove the data breach is shifted to the victim.
Haran: Are there recourses available for consumers and for companies in the event of a breach of privacy?
Karan: There are two kinds of victims in a data loss situation. One is a corporate body suffering a data loss. The other is the individual consumer. The first category would be something organizations today are very familiar with, which they take up seriously with their fraud examination teams. When a competing organization steals your data, for example, there is usually a complete trail of where the data was stolen. There is a value that can be demonstrated to lawyers and management, which makes for a concrete case. Such cases are rare in India.
But on a daily basis, data lost in small pockets is something that the law struggles to attach a value to. However, we have matured to a great extent in this regard in the last seven years. I remember times when I have spoken to the police in cases where they are not able to ascertain how data can hold value.
Recourses are available to the consumers in the case of leakage of PII, but the biggest lacuna in these processes is that when a complaint is made against entity A, constituting concrete evidence against that entity is a big question. For example, when you receive a cross-selling telemarketing call for products or services, nobody today asks where the caller got the information. A complaint can be filed citing the number the call was received from. Based on the telecom regulatory guidelines, however, the service provider may be sued for it, whereas it is not the service provider that is the origin of the leak.