Sunday, November 30, 2014

Information Security - More about Implanting Practices Than Just Awareness & Training

With more and more data becoming electronic and going online, information security is becoming a vital topic of discussion and an area of concern for organizations, federal agencies, governments, and even individuals.

Because of this, many organizations have been spending a certain amount of effort and time conducting awareness training and coming up with ways to make people more aware, with hoardings, sign boards and what not. This is done as the best short-cut approach to educating their most vulnerable asset for information security, their people, making them realize the pros and cons, and preaching awareness of how responsible they should be.

But let's be honest with ourselves. Have we been successful? I still hear of cases of organizations, colleagues, friends and acquaintances compromising their vital information and getting hooked, whether it be their own personal credit cards, documents and what not!

I believe that a well-presented training and awareness program does provoke thoughts about aspects of information security and a realization of the need to be secure, but it CANNOT ensure that the attendees take that thought forward and really implement it in their lives, unless and until they happen to witness an incident themselves!
Through this article, I am trying to open a thought process where we think beyond just training and awareness campaigns and in fact implant the very practices in our people.
Everybody is aware of wearing a seat belt while driving and a helmet while riding, everybody is aware that smoking tobacco is injurious to health, everybody is aware of the benefits of good food habits, exercising daily and waking up early. Awareness exists, but practices do not.

As health is important for people to think about, similarly, information security is equally important for organizations to maintain their competitive edge, confidentiality of their data, integrity of their organizational practices, and availability of resources and data as and when required.
By and large, the following are the gaps in training and awareness programs:
  • Training programs are not aligned with the risk assessment that has identified the potential risk areas to the business and organization;
  • The success of the majority of training programs is immeasurable;
  • The majority of training programs are unrealistic and based on generic aspects, i.e. they are not tailor-made;
  • The focus is more on presentation, or on the periodic practice of just having a training program, than on what people want.
So what next?
Simple. Just three aspects:
  1. Conduct risk assessment to identify risks;
  2. Target behavior change;
  3. Prepare a yearly timeline and set realistic targets;
  4. Engage people personally.
Let's get realistic. Let's start putting effort in the right direction, because you either already are or will anyway have to. Remember, precautions are always easier than corrections! The awareness has to be embedded in the most important and most vulnerable asset of the organization - human resource i.e. people, and at certain stages in some organizations, this has been.
For example, when was the last time you changed the password of your LinkedIn, Facebook or Twitter account? You haven't, because LinkedIn or Facebook doesn't prompt you to change passwords every 60 days! But if you work in an organization where the password is set to be changed every 60 days, you will do it, and there is no way to avoid it. But again, not every organization has this practice implemented, or it is restricted to certain users; yet they will always talk about securing their data and pass-coding their machines / workstations through passwords!
Tail-gating, phishing emails, malware attacks: you have been talking about them in your training, but no one takes it seriously. Implement practices to curb these behaviors, or to catch people doing it wrong so that you can train them.

For example: create a dummy account, send an email which looks like a phishing mail, and see how many people open it. Call those people and then train them that it is not the correct practice and that they shouldn't be opening such emails. Make them aware of real incidents in which the accounts of even many CEOs and CTOs were compromised because of phishing emails, and of the consequences. Ask them to report such emails to the network monitoring team (or whosoever can take care of these aspects in the organization).

You see an unlocked workstation, click it, and then tell the custodian, with a pinch of humor, that you were about to send his resignation letter to his boss.

I believe Information Security is one of the most discussed and challenging subjects for organizations, federal agencies, and governments, but at the same time securing information is one of the easiest practices, if only you follow the basics and the underlying processes efficiently. The most basic fundamental of information security is that it all depends on the custodians themselves realizing how vulnerable they are; it is they who must follow the practices and embed a culture around them to become immune to any InfoSec attacks! It is like snow and rain, which target everything around you, but if you have the right gear, you will walk without feeling a pinch of it.

Tuesday, September 30, 2014

Let Project Portfolio start working for project, and project for you!

Let's start with the project. A project, in simple words, is a planned set of interrelated tasks to be executed over a fixed period and within certain cost and other limitations.

Moreover, projects add value to the organizations, as they not only mean business, but executing projects effectively helps organizations gain recognition and reputation. Organizations also endow effort, time, finances and different types of resources for execution of their projects.

That is the reason why many organizations believe in delivering projects through their well-planned, self-defined and structured project management, where they identify the different phases of the projects, the list of activities to be carried out within each phase, and the limitations. Organizations also weave project life-cycles depending on their classification of projects, major or minor.

The simplest way to realize the importance of a project is that projects are executed to achieve a specific goal. This goal may be for its clientele or for the organization itself. If a project is executed loosely, you may not achieve the goal in the desired way. To achieve efficient execution of projects, organizations have project management, often realized through a dedicated group or department commonly named the project management office.
But can project management translate an organization's business strategy? The answer is No! Then who? The answer is Project Portfolio Management!

I have worked on developing various programme management frameworks for clients across various domains, and I realize that clients, even internal resources, are usually confused about what a project, portfolio or programme (some call it 'program' as well) is for them, or whether they are all the same!

But that’s not true! These are three different verticals and they have different functions to perform. You may have well-defined project management in place, but it is always going to assist you in delivering a single project. Project management will define the best practices to assist you in developing a plan and timeline to deliver the specific set of deliverables defined for a project.

But is project management all that organizations need? Rather, let me ask: is your organization doing just one project a year? You have multiple projects, so what about handling them, and who is going to handle them? Project management will help you deliver each of those multiple projects, but what about managing those multiple projects? For this aspect you have Programme Management.

Programme Management helps in managing several related projects, often with the intention of improving an organization's performance. In practice, multiple projects span functions within an organisation and include business elements (a set of projects makes a programme).

But again, what if an undertaken project is not aligned with the organization’s strategies or does not make use of its core competencies, ultimately resulting in poor returns? What if the projects overlap and the organization finds itself in a resource crunch, despite having adequate resources?
Take the simple example of tubes, metros or commuter trains. Consider a train as a project which is well executed, follows signals from its starting point to its destination, and has an efficient driver (project manager). But your train is not the only train in the system. There are multiple trains (projects) operating at a quick pace, as they have to meet their defined timelines. They require the railway track and platforms for commuters to get in and out (resources), and all these trains share the same amount of resources!
If these trains are not managed efficiently and effectively, they may end up at the wrong terminal at the same time. Not just that, this may cause major accidents with trains being on the same track (projects to be delivered on the same date), and exhaustion of resources (an SME required for 2 projects at the same time)! It will be chaos!

Therefore, just as it is important for organizations to manage projects, they also need to manage the portfolio of projects. A portfolio of projects will ensure a central repository or database consisting of projects in the pipeline, current projects, and projects that were executed in the past.
This will assist in strategizing the delivery of projects based on the business strategy, and in assessing and managing the projects collectively, with the following:
  • Determining whether (and how) a set of projects can be executed by the organization with a finite set of resources in a specified time. The business benefit is estimating and selecting capital investment projects with the strategic plan;
  • Efficient and effective utilization of the organization’s resources, including financials, inventory of project assets (servers, workstations etc.), human resources etc. The business benefit also extends to realizing annual resource allocation, resource utilization during adverse impact, and minimal or nil exhaustion of resources;
  • Planning and prioritization of any new all-of-a-sudden project requirements, new and amended regulatory demands, or requirements for enhancements;
  • Proactive risk assessment of project related risks. But caution – this depends on how you develop your risk assessment methodology, your focuses. Do they include quality or information security or both or what?
Project Portfolio Management will create a balanced platform of projects by categorizing, sorting and prioritizing them based on identified criteria. Organizations may identify these criteria from the business context, utilization of resources, expenditures, financial profit cost centers, etc.
Look at the picture below: Project Portfolio always sits at the top of the hierarchy when it comes to effective handling of projects, as it is responsible for providing input to the organization's annual business strategy and also ensures that the organization’s strategy is not compromised by the execution of projects.
If organizations are conforming to certain ISO certifications, Project Portfolio also becomes vital, as it advocates top management leadership and business alignment.
But the key to successful Project Portfolio Management is to define and set priorities with the intent of:
  • Achieving appropriate business value optimization for the organization;
  • Considering risk recognition and mitigation is equal to reward;
  • Conducting periodic reviews of the portfolio with top management, understanding the concerns or issues through a bottom-up approach.
Remember - A project is complete when Project portfolio starts working for project, and project starts working for you!

Wednesday, April 30, 2014

Ahmedabad, and its foul stories!

Anu - "Chacha! one bottle of mineral water please!"

Shopkeeper - "Here you go!"

Anu - "This isn't a Kinley or Aquafina! Don't you have one of them?"

Shopkeeper - "No son! This is all I have. I am done with their stocks!"

Anu - "Okay! Here are 20 bucks. Thank You"

Shopkeeper - "No No! Water is a necessity, just 10 rupees please!"

Shushi - "Is the water really mineral? I mean, it reads 20 INR and you are charging us only 10!"

Shopkeeper - "Do you know how much these mineral bottles cost us? 7 INR! So, as I said, water is a necessity. You take a Red Bull or a cold drink, I will charge you the maximum, but not for water. Allah won't be happy if I do that!"


Where do you think this may have happened? Ahmedabad, next to the infamous Siddi Sayed ki Jalli. The little shop is next to a pan shop opposite the Siddhi Sayed ki Jalli!

This is my blog after more than a year, and trust me, I always wanted to write on this topic, but then the onset of the biggest election in human history set in. I didn't want to publish this before I cast my vote, because my motive in writing is to pen down my thoughts and what I see and witness, rather than be read as imposing my thoughts and personal liking for any given candidate who may be standing in the Indian elections 2014. Because this would not have helped my motive and effort.

It really bothers me when my friends from outside Gujarat keep asking me if the stories that they hear from a few political parties and sections of Indian media portraying Gujarat since 2002 are true. I am probably grateful that they think that I, being well-versed with current affairs nationally and globally, and having been born in Ahmedabad and spent a considerable amount of time in Ahmedabad, would give an honest response.

I love Ahmedabad as much as I love Calcutta, where I spent my childhood, or Mumbai, where I worked and have spent most of my summer vacations, or a small sleepy town in the center of India, where I did my high school. I am completely against stereotyping of any city or people or communities, because I am an Indian, and India is the largest secularist and democratic state on the globe. By the grace of God, I have traveled and lived in many places in my country, and when folks ask me which one is better, I really cannot think of one, because every city has its own charm and beauty; that's why they are different. Mumbai has its own charm, which is not the same as Calcutta or Chennai or even New York. Lol, in fact the samosas of Mumbai, Ahmedabad or Calcutta taste different, so why not love the charm of every city.




Almost all the major and minor communities, ethnicities and races reside in India and have their stem in its roots. India is a culture born out of each and every community and race, and that is what makes Indians religiously democratic in nature. I have discussed in one of my previous blogs Internationalism, which is the call of the hour for our globe. I did point out how we will find people of our likings and dislikings in each and every country carved on this planet. It's just the geographical divide and climatic conditions that make us look different.

Ahmedabad is the seventh largest metropolitan area and the fifth largest city in India. It is the judicial capital of Gujarat state, which has the largest coastline in India and has a rich and vibrant history from an era as old as the Indus Valley Civilization. Ahmedabad, as the name suggests, is named after its ruler from 1400 B.C., Ahmed Shah, and take this as one of the pointers to what I am trying to convey.




The city is so vibrant that Mahatma Gandhi also established his ashram here on the banks of the Sabarmati river, which flows beautifully through the midst of the city.


Despite all this, my city is stereotyped and dragged by political parties and certain sections of the media as being communal. This is extremely hurtful, and a false implication on the vibrant city. Ahmedabad is home to various communities who live in harmony with each other. Yes, there have been instances of communal tension between certain communities in and before 2002, like other Asian or western cities. Every city in the world, and I say that on record, has sadly faced some kind of internal fighting. If we humans were so damn mature, we would never have had wars or spending on armed forces. However, history has been my favorite subject and I believe it makes you learn, forgive, and develop a better world around you. Ahmedabad has learnt from the wound. The communities are in harmony and there has not been even the slightest violence registered in it since 2002. It was probably because they never opened up, lived in themselves, they all drew lines and never realized what they were doing.



Just for the record, I was giving my 10th grade exams in 2002 and now, here I am, an engineering grad and a full-fledged IT professional! Is it not sad on the part of a few media houses and political parties to drag a state and a city in for their personal causes? Maybe they want to humiliate a given politician or party. Acting mature is an art you can't expect from classes, but at least do not dare drag a state or a city into your conversations. By doing that you are doing no good; you are actually hurting the sentiments of many, many lives, many communities and even the economic prosperity of a state and city. What is the consequence?

Someone today asked me whether, as she has heard, there were no Christmas breaks in Gujarat; a principal and a scholar writes a letter to tell a story to its students, but drags the state in. Years back, a friend of mine from Delhi asked me about having heard that there were human rights violations in the state. In my eyes, this is completely incorrect. This also, at a certain level, hampered economic investment in the most prosperous state of India.

Every entity on this planet needs continual improvement. I will be glad if real issues that bring prosperous change to a city or a state are brought to the table by the media or by political individuals. I have friends from every corner of the world and am always open to meeting new people and learning about new communities. We have one life, so why not really love the fact that there are many beautiful and rich spiritual beliefs and cultures breathing around us. Needless to say, I had roommates from every community; in fact I find the usage of words like 'community' and 'religion' taboo and, while jotting down this write-up, am wondering if they should really be written. Gujarat and my Ahmedabad are rich and peaceful. If you want to talk about a sad year, 2002, why don't you remember that the city was peaceful and together when a temple was attacked by terrorists from across the border, when a series of serial blasts shook Ahmedabad, and it stood strong and everyone's hands were clubbed together. How does any human being feel when their wounds are purposely kept fresh or pressed now and then?



As I said, Amdavadis will never tell you that you are hurting their wounds. They will in fact keep ignoring and laughing at such silly stories, and be graceful in not correcting you, as they will have all of the time to make their penny a pound!


One more thing that I wish to talk about is the Gujarat Police. Every day I cross helmet circle, and I crib about the heat that I face for some 10-15 mins of halting at a signal. I see those policemen standing all day, safeguarding and managing the adrenalin rush. Similarly, in festive seasons, they have no holiday. I feel for them when the whole police force of a state is questioned and goes through a media trial. If certain folks do wrong they shall face trial and be punished for it, but tagging and stereotyping the whole of the police force is completely incorrect. It's an insult that at least my soul wishes to disagree with, as those policemen guard societies at midnight hours.

Drive someday in the late hours in Ahmedabad, and you will see them standing, guarding your city. In fact the deployment of so many cops is also because the state and city are under constant threat and made vulnerable, as it has even been stereotyped as not being vibrant and tagged as ungraceful. You are making my city, and India's fastest growing city, vulnerable! Furthermore, Ahmedabad is a beauty. If one has ever come to the city, they fall in love with it. It has a rich heritage: the Sarkhej Roza mosque, which has been filmed in many Bollywood movies, and Lothal, which reminds you of the Indus Valley civilization. Ahmedabad is a city where, if you come across someone cutting your way in the traffic, he would smile and step behind to let you go.


Traffic! Ahh! That's the core issue, by the way. Ahmedabad's traffic sense sucks!

Gujarat is a dry state, and a few people even have a problem with that. Well, it is based on the ideology set by the world-acclaimed Mahatma, whose preaching even the U.S. president wishes to follow, and Gujarat is proud to continue the ideology. Gujarat has been a dry state for years now, and the beauty is that even without the taxes collected from alcohol earnings, Gujarat is prospering - an example that can be shared by India with the globe and followed by states which believe that alcohol is one of the mediums of economic earnings!

Finally, you go, discuss the issues you wish on the political spectrum in India or anywhere in the world, but please do not drag a state or a city into petty conversations. Be sensible, think sensible, and do not hear.. believe what you see.

Coincident to this write-up, just for the record folks, the infamous three wise monkeys of Mahatma Gandhi, who tell us the proverbial principle of "see no evil, hear no evil, speak no evil", are in the Sabarmati Ashram of Ahmedabad!



By the way, the mineral bottle wala chacha was helpful in telling me about the textile mills and factory outlets on the outskirts of the city where I can find a few branded clothes with quite an irresistible price tag!