By Sathya Mithra Ashok
CIOs and IT managers in the region have to learn to balance what they divulge and what they conceal when it comes to security and network topology.
Security investments in information technology are one of the fastest growing market segments in the Middle East. More and more regional enterprises are spending dollars on deploying different products and solutions across corporate networks to provide an adequate bulwark against any threats that may come visiting.
But you would be surprised how inadequate all the latest, state-of-the-art technology can be in the absence of a security strategy that includes people and a mindset that dictates security in all actions, and where there is a failure to practise what is preached.
In the last few months, I have met distinguished CIOs and infrastructure directors who were willing to share the detailed, nuts-and-bolts functioning of their internal networks with me. There have been instances where they have even offered diagrams of the company's entire network in the country of its headquarters, complete with every node, router, switch and security appliance.
Of course, there is a valid reason for this. Most of these meetings are initiated as part of the search for unique and relevant case studies from the region. As a representative of one of the leading IT publications of the region, I conduct all conversations under strict confidentiality and maintain a certain level of reliability and integrity.
More often than not, most Middle East enterprises shy away from discussing security to any extent and I find myself often coaxing IT heads and assuring them that just the mention of products and implementation challenges will not pose any threats to them.
However, some of these recent incidents have made me realise that, at the other, much more dangerous end, there are CIOs who are more than willing to share much more information than would be considered entirely safe for themselves and their networks. In the light of this, it would seem to be foolish to underestimate the strength of any person with malicious intent using a social engineering trick to lay his hands on critical information that should be kept within the organisation.
These attitudes can be traced to the inadequacy of an organisation's security strategy or the complete lack of one. A comprehensive security strategy should set out in clear terms not only how employees need to act during work hours and what they can bring in and take out, but also how they ought to act when off work, what kind of information they can share and who they can share such details with. CIOs and IT managers in the region have to learn to balance what they let on and what they lock up when it comes to security and network topology - whoever the person may be. Remember that every human in the chain who knows more than he/she should is a weak link.
For the record, I have never taken any of the potentially dangerous details that IT managers I meet were sometimes ready to give me. I am only human but I have no intention of becoming a weak link that could prove fatal for any organisation in the region.