5 Characteristics Of Information Security In Pakistan

As a result of our focused Cyber Security consulting efforts over the last 6+ years in all three major cities (Lahore, Islamabad, Karachi), and through consulting assignments with all major sectors (Banking, Telecoms, Enterprise, Government, and others), the Delta Tech team discovered five (5) key characteristics of Information Security in Pakistan. The five (5) characteristics were found to be generally the same across all types, sizes, and locations of organizations, with very minor variance (less than 5% exceptions). The characteristics are:

  1. Reactive security
  2. Superficial security
  3. Governance-overkill
  4. Box approach
  5. Contention within customer organizations

Each of the five (5) characteristics is described in detail below:

  1. Reactive Security

Delta Tech Cyber Security consultants discovered that proactive security efforts are widely missing in organizations in Pakistan, and security work is tilted heavily towards a reactive approach. To be effective, security has to be built from the ground up, on a strong foundation provided by a structured security program. This requires hard work and effort in security hardening of all IT assets with the help of international security benchmarks, plus a disciplined vulnerability management program. However, Delta Tech consultants discovered that even the basic foundations of security are missing in most organizations, and security efforts are more reactive than proactive.

  2. Superficial Security

Delta Tech Cyber Security consultants discovered that organizations lack depth in their security teams and, as a result, lack depth in their security implementation. For an average of 100 staff in IT, the percentage of IT Security or Information Security staff is 3-4%. Although there are exceptions to this generally observed industry average, security is mostly driven by compliance requirements (especially in the financial industry), and security efforts lack depth and are hence cosmetic and superficial. Security in the “trenches”, with strong controls on IT assets, is generally found to be missing in Pakistan.

  3. Governance Over-kill

Delta Tech Cyber Security and IT Governance consultants discovered that risk assessments, policy documentation, and governance activities form the lion’s share of security efforts in organizations; however, this is in the absence of strong technical security controls applied in the “trenches” on IT assets. Delta Tech Cyber Security consultants also discovered that the voluminous documentation related to policies and processes exists only on paper, and its actual implementation in the IT environment does not exceed 10% (90% un-applied). Hence it is not difficult to conclude that the governance efforts which predominantly exist as security efforts within organizations are a mere waste of resources and time, as the governance and documentation are not supported by an equal effort in technical security controls applied on IT assets.

  4. Box approach

Unfortunately, box-selling vendors have been selling security through the box (or appliance) approach as a silver bullet for too long. Essential appliances such as firewalls, web-security gateways, and email security solutions are all required by organizations. However, boxes tend to be sold as the “silver bullet”, and an excess of boxes bought to solve every security challenge tends to leave the boxes without the optimal configuration and monitoring needed to extract their full benefit. Security has to be applied in the “people-process-technology” context, and all three legs of the security paradigm are equally important. An improperly configured box is as good as no box!

  5. Contention within customer organizations

IT within customer organizations is surrounded by four (4) other departments (especially in the financial sector): Information Security, Risk, Compliance, and IT Audit. All four (4) of these surrounding departments speak a different language, rely on a different set of frameworks, and have a completely different view of how to solve security. This results in a lack of common security vision within the organization, and hence isolated and non-cooperative efforts on how to drive security for IT. A lot of time and energy is therefore wasted within organizations, as the four (4) surrounding departments are not on the same page as IT, or with each other, and do not even agree on what a secure IT organization should look like or how it should be built. This phenomenon is referred to as contention or lack of cooperation within organizations, and it makes it even more difficult to achieve the tough security goals of the organization.

When we add up the above five (5) characteristics of Information Security in Pakistan, we observe that due to these patterns, which are consistent across Pakistan, there has been “denial” of Information Security in Pakistan for the last decade. After the global WannaCry Ransomware attack in May 2017 and numerous other hacks such as the Careem hack, bank website defacements, and e-commerce hacks (now occurring with unprecedented and increasing frequency), there has been an awakening in Pakistan to the severe threats and irreversible damage that a lack of effective Information Security may cause to an organization. This increase in security awareness has only been observed in the last 2 years; however, we now stand a generation (approximately ten years) behind in effective security implementation posture across Pakistan.

Nahil Mahmood,
CEO, Delta Tech

September 16th, 2018 | Security
