Information Security is
a topic which is mostly discussed amongst the network Managers or IT
professionals. Until recently, it was not a very familiar topic of discussion
amongst the HRD Managers. But the recent Nasscom-IDC survey on employment
opportunities in Information Security (IS) field has made it a hot topic of
discussion and raised eyebrows in the HRD Community.
What has jolted the HRD
Managers out of their seats are statements associated with the publication of
the report such as
Opportunities for Information Security Professionals is 5 times that of IT
Information Security Professionals is 200 % of the normal IT professionals."
According to figures
published in Nasscomís Strategic Review 2004 of the IT industry in India
worldwide demand for IS services is expected to grow to $23.6 billion by 2006.
for IS professionals is expected grow to over 188,000 worldwide by 2008 as
against 93,058 in 2004.
Americas, the demand for IS professional is expected to grow to 56,216 from
29,953 in 2004.
In the EMEA
itís expected to be 51,844 in 2008 as against 24,384 in 2004.
Asia-Pacific region, it could be as high as 80,113 in comparison to 38,720
If the whole world
seems to place a premium on recruiting IS professionals, it appears natural
that the Indian HRD Managers should also look at their HRD polices and examine
whether they are recruiting enough numbers of IS professionals in their
If the Indian HRD managers do
not react, there is a possibility that they will lose potential candidates to
the global market and there will be a drain of scarce resources. Also, by not
recruiting sufficient number of IS professionals within their own
organizations, HRD managers will be endangering the interests of their
In the emerging global business scenario, the
Society is critically dependent on Information Assets which reside inside
digital devices and are accessible through convergent technology devices. Loss
of Information Assets arising through negligent management of assets is a
matter of concern to corporate managements.
It is observed that the Information Assets are
often not protected in Corporate environments because the staff are either
negligent or ignorant. In either case,the HRD Managers are accountable since
it is their responsibility to ensure that the human power assets of the
Company are properly tuned to improve their asset management capability.
This note therefore addresses
the issues relevant to the HRD Mangers in the context of the growing
realization that Information Assets need to be secured by an appropriate
recruitment policy where the Information Security Knowledge and Skills are
provided the due weightage in the HRD policies of Companies.
1. What is the True Nature Information
Information Assets of a Company are at risk when
they are damaged, destroyed or stolen. Such acts can be done either through an
intrusion of the system from outside or from employees and ex-employees of an
The network technology expert is expected to
take care of setting up necessary Firewalls to prevent external intrusion. He
is also expected to set up suitable Intrusion Detection systems so that
intrusions can be detected early and prevented if possible. Additionally, the
technology expert is expected to set up effective Data back up measures to
ensure recovery of data if lost.
These "Technical Security Measures" are often
not effective enough against insider attacks for the reason that the attacker
is already inside the Firewall and is also having access to inside information
which can be passed on to his accomplices outside to carry out attacks.
Additionally, "Data back Up and Restoration"
does not always provide sufficient cover to a company since attacks on its
Information Assets may also result in legal suits for "Breach of Privacy",
"Delay in Project Completion", "Loss of Reputation and Image" etc. It also
does not provide for recovery of loss from the intruder.
More over, whenever a "Cyber Crime" happens
through a Corporate network, the Company and its executives become liable for
prosecution unless they can defend themselves with "Lack of Knowledge" and
"Exercise of Due Diligence". If the prosecution can prove that there was a
reasonable opportunity for the business executive (Which includes the CEO) to
be aware of the incident and that the Company has been "Negligent" in taking
preventive steps, the person becomes legally liable for the Crime. Often it is
found that the staff of Companies in which Crime happens will be guilty of
negligence which may lead to them being prosecuted for "Tampering of
Such "Negligence" will also result in the
Company being unable to use legal recourse for recovery of compensation in
respect of any loss of Information Asset also.
It is therefore necessary that any "Information
Security" measure should not end up with the "Technical Security" aspect but
should extend to the "Techno Legal Aspect" which covers the measures expected
in the context of "Due Diligence".
The HRD Manager being the manager of the
personnel, has a duty to protect the interests of the Company by properly
formulating his "Recruitment Policy" and supplementing it with a "Training
Policy". Lack of Information Security Awareness build up in the staff members
may itself be construed as a "Negligence" on the part of the Company
conforming its legal liability to outsiders for Cyber Crimes.
The first task of the HRD manager is therefore
to understand that "Information Security" means providing a "Techno-Legal
Security Blanket" for the Information Assets of the Company.
2. Action Plan to be pursued by the HRD
Having understood that Information Security does
not end with Disaster Recovery, it is necessary for the HRD manager to look
for the right skill inputs in his personnel either at the time of recruitment
itself or during the initiation phase. This calls for a "Information Security
Education Policy" to be adopted by the Company. If such a plan of action is
suggested by the HRD Manager to the top management and it has failed to take
necessary action, then the legal liability for negligence will be shifted from
the HRD manager to the top management.
3. Top Management Responsibility
As a normal top management responsibility and
more so if a recommendation has been received from the HRD Manager, it is
expected that every CEO knows the steps to be initiated to protect the assets
of the Company. The present knowledge level in the Corporate environment is
sufficient for Courts to conclude that every CEO using IT is deemed to
understand the "Risks to Information Assets" and is expected to take
reasonable care thereof.
The reading of this article itself is a
sufficient notice to alert any CEO of his responsibility in this regard.
The responsibility of the CEO could be pushed
down on other executives if he appoints say an "Information Security
Compliance Officer" or otherwise makes it known to the officials that the
responsibility for Information Security lies with either the Network Manager
or a CTO.
It is imperative that the CEO takes such a step
as otherwise he will personally be liable for any Cyber Crime that may happen
in the network.
It is in this context that the Nasscom-IDC
survey should be viewed. If the above requirements of Information Security is
factored into the required skill sets of an IT professional, soon it becomes a
minimum knowledge level for any IT professional.
As an example, we can say that "If you are
recruiting drivers for your fleet of vehicles, you would consider the
knowledge of Traffic Laws and Carrying of a valid License as a minimum
standard apart from the driving skills.". Similarly, if you are recruiting "IT
Drivers" for your Company, you should consider that possession of "Knowledge
of IT Laws" and a "License" as mandatory.
Obviously, the next question arises as to where
such skill sets are available. If all the one lakh Engineers coming out of the
University have uniform ignorance of Cyber Laws, then obviously, you stand
vindicated if you recruit the Cyber Law Ignorant IT worker and face the
However, if a HRD manager is forced into such a
scenario, then he should think of deputing their staff for such a course at
least as a part of the induction programme.
If however, the HRD manager is aware that there
are institutions which focus on generating IT workers with Cyber Law Knowledge
and are in the process of creating a new work force of "Techno Legal Experts",
they should look at such sources for your next set of manpower recruitment.
In the interest of building a responsible Cyber
Society and empowering our skilled IT workers with Laws of the Information
Society, the author urges Corporates to undertake "Operation-Techno-Legal
Information Security" without any further delay.
One institution that imparts necessary knowledge of "Techno Legal
Information Security" and perhaps the only such institution, is Cyber Law
College which also provides necessary guidance to Industry on Cyber Law
Compliance Audit requirements.
The details of such courses and CyLawCom Certification programme is available
at www.cyberlawcollege.com/courses.html and
For details and comments e-mail to
26,000 new Jobs
in USA available now for Information Security
Cyber Law Courses at RS 2000/- from Cyber Law College-Unprecedented
Value for Money !!
Security is the New Job Churner
Want a job? Learn IT security skills..TOI
Principle on Education of the Young
Security is nothing if it is Not Techno Legal Security
Sigma, ROI and Cyber Law Compliancy