Information Security Summit 2013-14
11th December 2013, Vivanta by Taj President, Mumbai
Post Event Synopsis
CONTENTS

Combating threats: An industrywide perspective
Four Trends that will redefine Information Security Strategies
Organizations will spend more on security in 2014
Organizations should have strategic as well as tactical solutions to counter threats
Transform your Security Operation centers into Security Intelligence centers
Innovation is Fortinet's key strength
ExpertsSpeak
Panel Discussion
Glimpses

iCxO INFORMATION SECURITY SURVEY 2013-14

Director-Content: Sudhir Narasimhan
Director-Marketing & Alliances: Vasuki Kashyap
Contributors and Research Support: Kanika Goswamy, Rajeshwari Adappa, Ramya Ramachandran
Cover Design: Shwetha S.
Publication design and Layout: Likhith Creative Lens, Bangalore
Printed by: Paramesha at Ganesh Printers, Bangalore

The copyrights of this publication are owned by Aquaint MediaWorks Pvt. Ltd., 674, VALMIKA, 20th Main, 27th Cross, Poorna Pragna Nagar, BSK V stage, Bengaluru-560061, Phone: +91 80 6547 5039. This is a limited edition publication with a controlled circulation. The contents of this publication cannot be reproduced in full or in part without the express permission of the publisher. This publication is not for sale and can be selectively distributed by the publisher only.
Combating threats: An industrywide perspective

A major highlight of the iCxO Information Security Summit 2013-14 was a high profile panel discussion featuring prominent CISOs, CIOs and technology providers. The discussion, moderated by Sivarama Krishnan, executive director, PwC, provided insights into how enterprises across different industry verticals viewed emerging security threats and how they were preparing to address them.

Participating in the discussion, Sunil Mehta, Senior vice president & Area systems director (Central Asia), JWT, said that JWT did its first security audit way back in 1999, when there were no compliance requirements like SOX or ISO 27001, and that this proactivity helped when the company later became compliant with the SOX and ISO regulatory regimes. He said that while all company laptops at JWT were encrypted, the company was open to allowing employees social media access for work related purposes. “We took a creative approach to educating employees on information security which helped keep threats at bay,” he said.

Presenting the view of a large services company like VFS Global, which processes visas for 45 governments in 102 countries around the world, Dhiren Savla, Chief Information Officer, VFS Global, said that the information security process in his company starts right from the time they hire employees. In addition to a thorough background check prior to employment, employees go through an induction programme that familiarizes them with the security policies of the company. “We also carry out the process of validating the knowledge and knowhow on the information security processes, privacy processes on a regular basis as part of their typical day to day KRAs. Also processes are well defined. We validate and update them regularly so that they are relevant to the changing IT landscape,” he said. He was of the view that while one can't mitigate threats with technology alone, it was a mix of processes, people and technology that ensured a large part of the security needs of his company. He noted that the implementation of a GRC solution gave them a lot of comfort on governance across the globe.

Noting that data security was of paramount importance to banks, V. Subramanian, Chief Information Security Officer, IDBI Bank, said that data stored in a bank is money in reality, and when data gets transferred from one account to another it is actually money that is getting transferred. He said that security as part of a normal process in banks had changed, as banks had to defend themselves and their customers from fraud in a big way. With the emergence of electronic channels, banks today needed to authenticate remote users, and this was a major challenge. “We are now going into electronic channels where ATM, internet banking, mobile banking and point of sale terminals are the areas that account for maximum transactions. In IDBI Bank, the amount of transactions through electronic channels has far exceeded the transactions through the traditional banking channel over the last couple of years. Consequently authenticating a remote customer becomes a major security challenge,” he said.

Amit Pradhan, Chief Information Security Officer, Cipla, said that the security challenges faced by pharmaceutical companies were radically different from those faced by BFSI or other sectors. “The most important asset in a manufacturing or a pharmaceutical company is intellectual property. There are figures which say that about 65% to 75% of IP resides in email, so by default the first and the foremost asset that we need to protect is emails. We have all the basic to advanced controls in place for emails,” he said. He also noted that the other important issue was changing the mind-set from content security to contextual security. “Data is important; how the data is used and applying risk to it gives us more sense and more help to understand the controls around it,” he added.

Parag Deodhar, Chief Risk Officer and Chief Information Security Officer, Bharti AXA, said that he viewed risk from a holistic angle which consisted of operational risk, information security, fraud risk and reputational risk. “While we have deployed security measures at various levels, to me what is more important is how various restrictions affect our business. We have to make sure that the security is transparent to the users, partners and everyone. Security should not become an impediment to business but instead becomes a system enabler,” he said.

Adding a technology provider perspective to the discussion, Harmeet Kalra, Head-Strategic Accounts, Check Point, seconded Deodhar's view and said that information security restrictions should not be a deterrent to doing business. He also felt that understanding one's business was critical to coming out with a successful strategy to combat security threats. “I think the differentiator between a successful security deployment and an unsuccessful one is whether the customer understands his own business environment well or not,” he said.
Four Trends that will redefine Information Security Strategies

The keynote address delivered by Sivarama Krishnan, executive director, PwC, focused on how the economy had changed over the last 300 years and how the business evolution cycle is getting shortened in recent times. He highlighted the importance of how business evolution cycles are faster than technological evolution cycles. Changing global demographics, regulations and new governance structures impacted information security in their own ways.

Considering the highly connected world shaping up today, he said that information access today was like a circus. And because organizations have to juggle within this circus-like situation, he felt that securing information was a major challenge.

He felt that four trends will define the future information security strategies of organizations. The first trend was that the focus of security is shifting from infrastructure, application and the network to the users. “It's no more about how we are going to secure our infrastructure, application or information. It's about who accesses what and when and where. It's about whether the user is logging on to the enterprise network from inside or outside,” he said.

In his view enterprises still tended to associate security with boundaries while we were entering a boundary-less world. “When we think of security we mostly think of boundary and how to protect the perimeter, the data center, servers and the application. But today we are transitioning from boundaries to a boundary-less world. We no more should look at boundaries but what we have in terms of information and how to protect it,” he said. “Infrastructure revolution, Internet of Things, data explosion or big data, and ubiquitous connectivity are posing challenges. It's not IT connectivity alone but also devices are getting connected. Future finance and the way we are dealing with finance are changing and maybe this is encouraging unscrupulous elements to take to cybercrime,” he observed. He felt that we need new identity and trust models. The information-based, device-based and application-based identity models of the past will no more work.

The next trend he outlined was that security today is maturing from control-driven to intelligence-driven protection. In the past, protection meant only preventing someone from accessing in excess of what he/she needed. “In the present context it's not enough. We need more information than that. Who's accessing what and from where and how, and analytics takes care of that. It's no more about the individual alone, it's the situation that becomes more important,” he said. Enterprises today need two levels of protection, one when an employee is accessing the company network from within the company and one where he's accessing the network from outside.
Organizations will spend more on security in 2014

The iCxO Information Security trends 2014 and beyond survey covered CIOs and CISOs of 500 large enterprises in India to gauge threat perception and understand how they are gearing up to protect their information assets against emerging threats. The survey revealed that there is a growing awareness among organizations about the risks posed by uber-connectivity, and consequently information security spends are increasing in 2014. 85 per cent of our respondents said they will be spending more on securing their information assets over the next two years.

We sought to find out the major security concerns of the enterprises. 62 per cent of the enterprises we covered cited internal security as the biggest area of concern, 59 per cent said that data theft and unauthorized physical access was a major concern, 41 per cent said that phishing was also a major concern and 25 per cent said that mobile and client security were also a cause of concern.

iCxO also sought to probe how secure the various components of enterprise networks were. Office applications presented the largest security concern, with 76 per cent of the respondents saying that they were vulnerable to external attacks. 72 per cent of the respondents said that client OS and client hardware were of major concern from a security standpoint. 70 per cent said that networking hardware like routers, switches etc. were the weak links in their IT infrastructure. 60 per cent said that business critical apps like ERP, Core Banking Systems and CRM, among others, were vulnerable. 58 per cent said that external internet apps accessed by employees caused security concerns.

The survey revealed that with enterprises embracing new technology paradigms like BYOD and cloud, they need to re-engineer their processes to address emerging security concerns. 41 per cent of the respondents said that they need to upgrade their security policies and processes to combat emerging threats.

Despite increasing external threats and the highly connected nature of the world, many organizations continue to allow their employees to access external apps on the internet freely. 55 per cent of the respondents said their organizations allowed their employees to access whatever they wanted except dubious sites that compromised their security. 24 per cent said that they don't allow their employees to access public domain apps, including Gmail and Yahoo, from their corporate networks; however, they were allowed to access these from their home networks.

Getting management buy-in for security investments is becoming easier. 55 per cent of the respondents said their managements were more receptive and understanding regarding investments in information security. However, 21 per cent said getting management buy-in for security related investments was tough and 17 per cent said it was somewhat tough.

We sought to probe the importance organizations attach to information security. 31 per cent of the respondents said their organizations viewed information security as a strategy that furthered their business goals. 39 per cent said their organizations view IT as a strategy and security as a critical tactical aspect of their overall IT strategy.

With the last few years seeing a massive uptake of mobile devices, more and more enterprises are evaluating equipping their executives with mobile devices. While mobility provides flexibility and productivity gains, there are serious security concerns around mobile clients. 34 per cent of our respondents said their organizations were evaluating providing mobile connectivity to select employees. 38 per cent are already providing mobile access to enterprise applications. 31 per cent said their organizations do not have a compelling business case for adopting mobility.

We asked our respondents to list their biggest challenges with regard to information security. 52 per cent of the respondents said their biggest challenge was providing network access to external entities like customers, partners and suppliers. 48 per cent said their biggest challenge lay in managing security information and taking proactive steps to secure the perimeter. 48 per cent said securing the data center was also a major challenge. 45 per cent cited external threats like phishing, DDoS and data being held hostage as presenting a massive challenge. 41 per cent said internal security was a major challenge.
Organizations should have strategic as well as tactical solutions to counter threats

Ramandeep Singh Walia, Principal Consultant, India & SAARC, Check Point Software, focused on the various kinds of threats enterprises and governments had witnessed over 2012-13 and outlined what one can expect in the future. “We have seen advanced persistent threats, up going identity frauds, revocation of certificates and reuse of certificates. The reason attributed to the fact is that everyone needs access to data anywhere and everywhere. In the bargain, users get targeted for financial gain or competitive advantage,” he said. He noted that interfaces commonly accessed by users were being targeted and that specific apps and interfaces had been seeing the vulnerabilities and the exploits over the last 18 months. Also, hacktivism and syndicates of the underworld cyber economy were complicating the situation. “People are selling exploit nets with post-sale support etc. Advanced threats today are not limited to an exploit, an intrusion, or a botnet. And it's not just non-state actors who are exploiting your info. It's not even a zero day malware,” he said. “Earlier they were on the desktops and now they have moved from laptops to mobiles and tablets. Advanced threat is a permutation of all or any of the ones as the linear equations here. There are motives that can be governmental, military or anything else.” In his view, most targeted attacks start from a reconnaissance of a weak user. The attackers also know how to conceal themselves so that security systems won't be able to detect them.

He quoted a Check Point survey of real data from 900 organizations in 90 countries across the globe: every 43 minutes a host is trying to take users to a malicious site. The attackers, he said, have lucrative ways of drawing their victims to the site. 63 per cent of the users had got infected. The first infection always leads to a communication with the people who were attacking.

Walia said that organizations should have a strategic as well as a tactical solution. They should have a physical layer as well as a cyber-layer. “We need to think about how we can change a physical strategy model to a logical strategy model. Today is a time of collaboration. We need to collaborate with entities all over whether they are within India or outside. You need the right tools and the right infrastructure at the entry and exit of your infrastructure. You have to have the right tools to detect the threats and combat them,” he added.
Transform your Security Operation centers into Security Intelligence centers

Gopinathan K, Practice Head for managed security and network services, Wipro Infotech, felt that information thefts were primarily due to the advanced thefts occurring within the network.

In his view, botnets were moving from command & control connectivity to peer-to-peer kind of connectivity. Referring to a recent incident in the Middle East where 38,000 desktops were down due to botnets, he noted that DNS reflection attacks and DNS amplification attacks caused major problems. DNS attacks are known to very few people.

He felt that high bandwidth attacks and targeted attacks in a BYOD scenario could inflict great damage. He also told users to be aware of their existing capabilities and to mitigate the attacks. “Figure out how you can mitigate threats within your resources. Document them and have cyber threat responses documented and make them available for everyone concerned within the organization,” he said.

He also emphasized that user awareness was a major area of concern. Basic controls on taking actions and vulnerability control were necessary.

He advised users to transform their security operations centers into security intelligence centers. “Reporting of security incidents should be translated into the language of business. Strategic advisory needs to be communicated in a proper way,” he observed.

Finally, he emphasized the importance of analyzing incidents in a 360 degree way. Physical security needed more attention, as did integrating various data and tracking user activity from a holistic perspective.
Innovation is Fortinet's key strength

Navin Mehra, Regional Manager, Fortinet, emphasized how Fortinet had a new security label and the company had more than 133 labels. He said that the company had not focused so much on marketing as it had been working on technology. “People who have been using Fortinet products over the years have seen how good they are in terms of their features, deployments and total cost of ownership,” he said. From a global perspective, he said that Fortinet had operations in over 40 countries and an employee strength of around 2500 people with five R&D centers. Fortinet also had threat response centers across the world. “We give updates, prevent zero day attacks, creating awareness about it among other things,” he said.

He also pointed out how Fortinet was placed in the leading quadrant and was among the topmost vendors in the world with the highest market share. “Innovation has been our key strength; the products that you have been using in 2010 can today be upgraded without changing the form factor onto the same box. Today we have 15 products,” he added. He also outlined how the next generation of Fortinet's firewalls will help enterprises secure their networks.
ExpertsSpeak

“It's no more about how we are going to secure our infrastructure, application or information. It's about who accesses what and when and where. It's about whether the user is logging on to the enterprise network from inside or outside.”
Sivarama Krishnan, Executive Director, IT Risks & Control, PwC India

“We need to think about how we can change a physical strategy model to a logical strategy model. Today is a time of collaboration. We need to collaborate with entities all over whether they are within India or outside. You need the right tools and the right infrastructure at the entry and exit of your infrastructure.”
Ramandeep Singh Walia, Principal Consultant, India & SAARC, Check Point Software

“Reporting of security incidents should be translated into the language of business. Strategic advisory needs to be communicated in a proper way.”
Gopinathan K, Practice Head for managed security and Network Services, Wipro
Panel Discussion

“We took a creative approach to educating employees on information security which helped keep threats at bay.”
Sunil Mehta, Senior vice president & Area systems director (Central Asia), JWT

“We validate our processes and update them regularly so that they are relevant to the changing IT landscape.”
Dhiren Savla, Chief Information Officer, VFS Global

“The amount of transactions through electronic channels has far exceeded the transactions through the traditional banking channel over the last couple of years. Consequently authenticating a remote customer becomes a major security challenge.”
V. Subramanian, Chief Information Security Officer, IDBI Bank

“Innovation has been our key strength; the products that you have been using in 2010 can today shape up and be upgraded without changing the form factor onto the same box.”
Navin Mehra, Regional Manager, Fortinet

“We have to make sure that the security is transparent to the users, partners and everyone. Security should not become an impediment to business but instead becomes a system enabler.”
Parag Deodhar, Chief Risk Officer and Chief Information Security Officer, Bharti AXA

“The differentiator between a successful security deployment and an unsuccessful one is whether the customer understands his own business environment well or not.”
Harmeet Kalra, Head-Strategic Accounts, Check Point

“Enterprises need to re-engineer their processes and upgrade them to meet emerging threats.”
Sudhir Narasimhan, Director-Content, iCxO

“65% to 75% of IP resides in email so by default the first and the foremost asset that we need to protect is emails.”
Amit Pradhan, Chief Information Security Officer, Cipla