Traditionally, ISF has maintained a
low profile. What is causing the forum to change its track now?
It is important for us to come out and explain to the public at large
what we are because it is a not-for-profit organization and there are certain
commercial organizations that we compete with. We want to go well beyond the 300
numbers and reach the 500 mark. There are two dimensions to this. One is the
geographic growth and that is why I am sitting here today. There are parts of
the world that are not adequately represented in an information security arena,
and India is certainly up there at the top and, therefore, should be a part of
that.
And, the other one is going in-depth in terms of the sectors in
order to make sure that we don't just have banking and finance dominating the
forum. We have pharmaceuticals, the transport industry as well as the vendor
sector. So, it's very multicultural in terms of the spread as well as a
multidisciplinary gathering. We have government departments coming in from the
regulatory aspect.
How do you plan to broaden your base and
take your work beyond this standard company? Is ISF ready to handle this change
after being closely guarded for years?
Well, we did that with the forum's standard of good practice for
information security. We put that in the public domain about 6 or 7 years ago.
We have put a couple of reports out on the public website. It's all very well
saying that we're a not-for-profit company and that we're just a loose
conglomeration of people, but we need to have a good legal standing for the
intellectual property. People need to know if the forum says something,
although we are very careful about making statements because once you are
talking for 300 different organizations, there will always be some who say that
they don't agree. It is our delivery work (the reports that come out, the
survey that we do, the congress that we have and the workbench) that speaks for
itself. It's an enterprise risk management workbench that we have put
together. It has a threat and vulnerability database, and a controls, security
and legislation database, which the OECD has taken a big interest in and would
like to develop with us. So, it looks as though it's going to move actually
into the public domain with their support. It is for people to pick and choose
what they want to have. Hopefully, they get at least half of what they would
like to have because our program is decided by the membership. It is not decided
in some dark chamber. It is actually the members voting for what they would like
to have each year, and we are just planning which topics to attack in the year
2007.
The OECD initiative will give us some visibility. I have also
been negotiating with the IT Governance Institute, the holders of the COBIT IPR,
which we have a license to use in some of our deliverables. We would like to do
some joint projects that would be available not only to our members but also to
those organizations that subscribe to ITGI. It might seem a slow process. On one
hand we don't want to disenfranchise the members who are investing in it, but
on the other hand we don't want to completely keep the lid on it.
How do you plan to expand your member base
from the current 300 to the 500 mark?
Our current strategy is a sort of three-year horizon. So, I hope that
at the end of three years, not necessarily in a linear fashion, we will have
these members in place. There are some sectors that are not as strongly
represented as they should be compared to their importance in the global
economic activity. Therefore, there are still plenty of places and it is not
that we have exhausted the top layer.
£16,000 is a lot of money. At Alcatel, I have four different
departments to pay: the CIO, the chief security officer, the head of the
Internal Audit Department and the head of the Risk and Insurance Department.
This way, psychologically, nobody signs off £16,000, and this is what I recommend
that others do. Also, in terms of sharing, I make sure that other departments are
involved in these various work groups and in Chapter meetings.
A quick look at the ISF membership profile
suggests that there are more financial services sector participants than others.
Does that mean the sector is more actively engaged in the information security
front?
Yes, precisely. The banking and financial services have been the
mainstay and in a wider sense were really the founding element. Around 90 member
companies out of the 300 are purely in the banking and financial sector. Just
think of those in India who are not included in that but who, in my opinion, ought
to be: both state-owned as well as private sector companies.
So, what do you have in store for India?
We still don't have any members from India and this is the reason
why I am dedicating two weeks of my private time here. As a volunteer chairman
of this association my job is to get a critical mass in India and have future
Chapter meetings here. We already have existing member companies with operations
in India who could also participate in this, but they do not necessarily always
have information security specialists on site. I think we could do just with
these companies like I have mentioned, but that still, for me, is missing the
point. The actual point is to have the Indian insurance companies, software
companies, manufacturing companies, and government departments.
If you were talking to an Indian
technology or BPO or services company, what would you tell them on the gains of
becoming a member?
They would gain the existing library and get a full set of
deliverables. Also, they would be able to participate in the ongoing process of
creating new deliverables. But, above all, they would have, instantly, a
networking relationship with the other 300 companies around the world. It's like a
circle of trust where literally you can pick up the phone, look in a directory
and see somebody who is in the same sector as you in Australia. You may not have
met this person but you can make a call to this person or, ideally, have an
introduction through a third party that is commonly known to them. In the forum,
people will happily share information and views without any sense of monetary
gain or goal in their mind. It is really like 'I help you today, you help me
tomorrow'. So, they would benefit greatly from sitting at the table albeit in
a virtual sense, except at congress when we all get together once a year.
Do you think the law has not changed as
per technology needs?
The law by its inherent nature lags behind. I feel very much that
there is a dangerous route that we can take. Whilst on one hand we may criticize
the law for not being able to cope with the cyber age, on the other it should
not be the norm that we try and formulate laws in every single thing that has to
do with cyber activities. There are plenty of existing statutes. But somehow we
seem to think that for information security, we cannot pursue somebody because
there is nothing on the statute that actually mentions the word PC or whatever
the terminology is. Surely, some things need to be changed but we really don't
have to go as far.
The younger generation has this attitude that the cyber world is
a sort of free for all zone and that is, I think, where we get into the legal
aspect. The attitude amongst the younger generation is that if technically
something is possible then it is probably all right. I think this is leading us
down the road of creating laws for cyber space, which, in my view, is not needed. If
you have done something that has injured somebody else, who cares what the
weapon was? But we certainly need to be mindful of the fact that there are some
things that might need to be notified. But I don't think we need to go and
set up a parallel legal system for the cyber world.
Shubhendu Parth and
Shipra Arora
vadmail@cybermedia.co.in