CIOs discuss DLP

The rising incidence of data leakage, with most such leaks going unreported, is a threat that Indian organizations have to deal with.

Express Computer recently organized a CIO round table in the national capital, in which CIOs from three different industry verticals presented their views on the situation based on their personal experiences.

Is data loss prevention really an issue?

Ravinder Jain, CIO, Aircel: We have rolled out a complete stack of telecom applications recently. While we have basic security infrastructure in place, we have not focused on DLP as yet. For a telco, reputation is more important than data loss prevention since loss prevention laws in India are not stringent, but we are looking at DLP from the perspective of maintaining our reputation.

Previously our core applications were home-grown legacy applications that would not talk to other applications; therefore we could not think of DLP in the past. However, with the newer IT equipment, we are looking at deploying DLP for business users to protect competitive information like marketing campaigns and tariff plans from being leaked. You need to focus on users with laptops.

Vijay Sethi, Vice President IS and CIO, Hero Honda: Hero Honda being a big organization, the kind of attention that it gets is enormous. Employees get access to a lot of applications on their laptops. Moreover, data loss through e-mail is the biggest concern; after e-mail it is leakage through the Internet, and finally through instant messaging. Measures including blocking the use of USB drives, CD-ROM drives, etc. can be taken, but these create considerable inconvenience while enabling better security. Since people can now access mails from phones, security becomes an issue even on these devices. Then you have the server applications that might create a security hole if they are not patched on time.

Sachin Jain, CIO, Evalueserve: The kind of data that we handle is highly confidential. DLP as a term might be becoming popular these days, but otherwise all of us have been looking at it in some form or the other for a long time. Proactively monitoring malicious content and seeing if employees are intentionally sending out information is vital. We have locked all USB ports and limited Internet access is provided to the employees, yet figuring out malicious sites that can lead to potential leakages is a complex process. It is often an issue of efficiency vs. security. You can create exceptions for employees during emergencies, but even that can turn out to be dangerous.

Is loss of reputation the only driver for DLP? How do you convince the management of the need for this solution?

Vijay Sethi: Loss of reputation is a secondary issue as most data thefts are not even reported. As an organization, you can lose competitive edge in the case of such breaches. India does not have stringent policy laws yet. Convincing CEOs is not a difficult task as CEOs themselves are quite tech savvy today. Security threats like terrorist attacks or data breach instances often push CEOs to ask CIOs to deploy better security solutions. Data classification is the biggest challenge as protecting every piece of data is impossible. Often only about 10% of an organization's data is sensitive.

Sachin Jain: It is difficult to calculate the ROI for such solutions. Security audits are the need of the hour. They become a prerequisite most of the time. Customers often ask for compliance; they want to know how safe their data would be with us and how we classify our data. The management is not required to be convinced about these solutions as they know that these things are required.

Ravinder Jain: In an outsourcing scenario, the company is required to follow customer compliance. In telecom or manufacturing, there are no regulations. It all depends on the nature of the business. In India, laws do not drive DLP; it is the proactive nature of companies that drives it.

Vijay Sethi: Sometimes people do not even know that they have been exposed to data leakage. For example, people often forward their official mails to their private mail and then save some instance of that mail on their laptops or home computer, which might be insecure. They do this for convenience of work without realizing that the data lying on such devices is insecure. Many people have allowed data to leak on account of lack of awareness. CEOs are becoming more aware about such issues, and CTOs/CISOs are no longer restricted to IDS/IPS, anti-malware, etc. All these are basics today. Beyond these, an IT head needs to take care of the data.

Sachin Jain: DLP is crucial from the information security perspective. It cannot be treated separately; if it is, then the concept of information security is lost.

—By Varun Aggarwal