Calling Attention of HRD Managers


Information Security is a topic which is mostly discussed amongst network managers and IT professionals. Until recently, it was not a familiar topic of discussion amongst HRD Managers. But the recent Nasscom-IDC survey on employment opportunities in the Information Security (IS) field has made it a hot topic of discussion and raised eyebrows in the HRD community.

What has jolted HRD Managers out of their seats are statements associated with the publication of the report, such as:

"Employment opportunities for Information Security professionals are 5 times those of IT professionals" or

"Salary for Information Security professionals is 200% of that of normal IT professionals."

According to figures published in Nasscom's Strategic Review 2004 of the IT industry in India, quoting IDC:

The worldwide demand for IS services is expected to grow to $23.6 billion by 2006.

The demand for IS professionals is expected to grow to over 188,000 worldwide by 2008, as against 93,058 in 2004.

In the Americas, the demand for IS professionals is expected to grow to 56,216 from 29,953 in 2004.

In EMEA it is expected to be 51,844 in 2008, as against 24,384 in 2004.

In the Asia-Pacific region, it could be as high as 80,113 in comparison to 38,720 now.

If the whole world seems to place a premium on recruiting IS professionals, it appears natural that Indian HRD Managers should also look at their HRD policies and examine whether they are recruiting enough IS professionals in their Companies.

If Indian HRD managers do not react, there is a possibility that they will lose potential candidates to the global market and there will be a drain of scarce resources. Also, by not recruiting a sufficient number of IS professionals within their own organizations, HRD managers will be endangering the interests of their Companies.

In the emerging global business scenario, society is critically dependent on Information Assets which reside inside digital devices and are accessible through convergent technology devices. Loss of Information Assets arising through negligent management of those assets is a matter of concern to corporate managements.

It is observed that Information Assets are often not protected in Corporate environments because the staff are either negligent or ignorant. In either case, the HRD Managers are accountable, since it is their responsibility to ensure that the human power assets of the Company are properly tuned to improve their asset management capability.

This note therefore addresses the issues relevant to HRD Managers in the context of the growing realization that Information Assets need to be secured by an appropriate recruitment policy, in which Information Security knowledge and skills are given due weightage in the HRD policies of Companies.

1. What is the True Nature of Information Security Risk?

Information Assets of a Company are at risk when they are damaged, destroyed or stolen. Such acts can be committed either through an intrusion into the system from outside or by employees and ex-employees of the organization.

The network technology expert is expected to take care of setting up the necessary Firewalls to prevent external intrusion. He is also expected to set up suitable Intrusion Detection Systems so that intrusions can be detected early and prevented if possible. Additionally, the technology expert is expected to set up effective data backup measures to ensure recovery of data if it is lost.

These "Technical Security Measures" are often not effective enough against insider attacks, for the reason that the attacker is already inside the Firewall and also has access to inside information which can be passed on to accomplices outside to carry out attacks.

Additionally, "Data Backup and Restoration" does not always provide sufficient cover to a company, since attacks on its Information Assets may also result in legal suits for "Breach of Privacy", "Delay in Project Completion", "Loss of Reputation and Image", etc. It also does not provide for recovery of the loss from the intruder.

Moreover, whenever a "Cyber Crime" happens through a Corporate network, the Company and its executives become liable for prosecution unless they can defend themselves with "Lack of Knowledge" and "Exercise of Due Diligence". If the prosecution can prove that there was a reasonable opportunity for the business executive (which includes the CEO) to be aware of the incident and that the Company has been "Negligent" in taking preventive steps, the person becomes legally liable for the Crime. Often it is found that the staff of Companies in which a Crime happens are guilty of negligence, which may lead to them being prosecuted for "Tampering with Evidence".

Such "Negligence" will also result in the Company being unable to use legal recourse for recovery of compensation in respect of any loss of Information Assets.

It is therefore necessary that any "Information Security" measure should not stop at the "Technical Security" aspect but should extend to the "Techno-Legal" aspect, which covers the measures expected in the context of "Due Diligence".

The HRD Manager, being the manager of personnel, has a duty to protect the interests of the Company by properly formulating his "Recruitment Policy" and supplementing it with a "Training Policy". Lack of Information Security awareness among the staff members may itself be construed as "Negligence" on the part of the Company, confirming its legal liability to outsiders for Cyber Crimes.

The first task of the HRD manager is therefore to understand that "Information Security" means providing a "Techno-Legal Security Blanket" for the Information Assets of the Company.

2. Action Plan to be pursued by the HRD Manager

Having understood that Information Security does not end with Disaster Recovery, it is necessary for the HRD manager to look for the right skill inputs in his personnel, either at the time of recruitment itself or during the initiation phase. This calls for an "Information Security Education Policy" to be adopted by the Company. If such a plan of action is suggested by the HRD Manager to the top management and the top management fails to take the necessary action, then the legal liability for negligence shifts from the HRD manager to the top management.

3. Top Management Responsibility

As a normal top management responsibility, and more so if a recommendation has been received from the HRD Manager, every CEO is expected to know the steps to be initiated to protect the assets of the Company. The present knowledge level in the Corporate environment is sufficient for Courts to conclude that every CEO using IT is deemed to understand the "Risks to Information Assets" and is expected to take reasonable care of them.

The reading of this article itself is a sufficient notice to alert any CEO of his responsibility in this regard.

The responsibility of the CEO could be pushed down to other executives if he appoints, say, an "Information Security Compliance Officer", or otherwise makes it known to the officials that the responsibility for Information Security lies with either the Network Manager or a CTO.

It is imperative that the CEO takes such a step, as otherwise he will personally be liable for any Cyber Crime that may happen in the network.

It is in this context that the Nasscom-IDC survey should be viewed. If the above requirements of Information Security are factored into the required skill sets of an IT professional, this will soon become the minimum knowledge level for any IT professional.

As an example, we can say: "If you are recruiting drivers for your fleet of vehicles, you would consider knowledge of Traffic Laws and the carrying of a valid License as a minimum standard, apart from driving skills." Similarly, if you are recruiting "IT Drivers" for your Company, you should consider possession of "Knowledge of IT Laws" and a "License" as mandatory.

Obviously, the next question that arises is where such skill sets are available. If all the one lakh Engineers coming out of the Universities have uniform ignorance of Cyber Laws, then obviously you stand vindicated if you recruit the Cyber Law-ignorant IT worker and face the consequences.

However, if an HRD manager is forced into such a scenario, then he should think of deputing the staff for such a course, at least as a part of the induction programme.

If, however, the HRD manager is aware that there are institutions which focus on generating IT workers with Cyber Law knowledge and are in the process of creating a new work force of "Techno-Legal Experts", he should look at such sources for the next set of manpower recruitment.

In the interest of building a responsible Cyber Society and empowering our skilled IT workers with the Laws of the Information Society, the author urges Corporates to undertake "Operation Techno-Legal Information Security" without any further delay.

Naavi

April 1, 2004

One institution that imparts the necessary knowledge of "Techno-Legal Information Security", and perhaps the only such institution, is Cyber Law College, which also provides the necessary guidance to Industry on Cyber Law Compliance Audit requirements.

The details of such courses and the CyLawCom Certification programme are available at www.cyberlawcollege.com/courses.html and www.naavi.org/cylawcom/.

For details and comments e-mail to naavi@vsnl.com
