Discussion with CIO (Pharma/Healthcare) – 1

Recently I had a chance to have a discussion with the CIO of a leading generic drug manufacturer in this part of the world. The discussion was mainly around information security, the pressing needs of his organization, and how to set up a vision around information strategy and then get it executed.

Being a generic drug manufacturer, the organization had thin margins on the products it sold. Hence, it was imperative for his team to provide a secure operating environment for the organization while at the same time keeping the cost of ‘security’ low.

In fact, he was not the only one with that mandate. Most of the CxOs I have met have the same single-line agenda on their charter.

In the past 3 years, IT security spend has been range-bound between 7 and 9% of overall IT spend across industry verticals, and the trend is the same for NA and EMEA. Also, with never-ending developments in the threat, vulnerability and risk theaters, there is a need to respond in real time, or as near to real time as possible. Hence, IT teams face a considerable challenge to ensure a secure environment for the business to operate in and to provide assurance to management on the same.

The discussion also revolved around using best-of-breed point solutions versus an ecosystem-based approach to secure the IT landscape.

I believe that an ecosystem-based approach is much better than using best-of-breed point solutions. Usually there is a huge cost associated with purchasing and maintaining a best-of-breed solution portfolio, as mentioned below:

Since the solutions are best in their category, the customer has to pay a premium to purchase them in the first place. (Yes, some large organizations do have the capability to arm-twist the vendors 😉 based on the brand name of the customer.) Then comes the issue of ensuring the skill set in the team to implement and manage such solutions. In most cases, it does require imparting training to the team or hiring someone from the market. And in spite of a qualified team, more often than not, the manageability of a portfolio of point solutions and their integrations still remains an issue.

With CERT reporting that about 72% of downtime is caused by configuration issues, the manageability of a solution portfolio becomes an important criterion while selecting a solution, along with integration capability and fit into the existing solution portfolio.

An ecosystem-based approach generally involves having solutions that need not be the best in their respective areas but that can function as an ‘integrated system’ to ensure a secure environment. It also ensures an overall reduction in management and integration complexity. Having said that, irrespective of a strong philosophy and ecosystem approach, I don’t think one can avoid having a standalone point solution, due to the inherent nature of the risk and dynamics associated with the domain of information security. But the number of point solutions can still be kept under control by adopting an ecosystem-based approach.

One of the questions he put to me was: there are so many point solutions in the market claiming to address issues around information security; what were my thoughts on how the solution space would evolve in due course of time?

In my opinion, solutions targeting issues that are seen as significant by customers would be absorbed by either system or network vendors. There will always be some niche players in the market with fancy toys 😉 to address a very unique or niche requirement. However, the moment customers start perceiving the requirement as significant and the requirement becomes pretty much standardized, these niche solution providers will be ready for acquisition by either system (e.g. Microsoft) or network (e.g. Cisco, Juniper) vendors, or by players like IBM and HP.

Hence large infrastructure vendors will keep up their M&A activities, either to fill security gaps in their portfolios by acquiring best-of-breed security vendors or as compensatory solutions to cover security-related weaknesses in their other offerings. The velocity or urgency of M&A will also be driven by customer pressure on these players to minimize the risk to the customer environment due to inherent weaknesses in the solutions they offer (e.g. risk in customer environments due to the susceptibility of Windows-based systems to worms etc. may drive customers to push Microsoft to acquire or offer HIDS solutions in future).

  1. We are already seeing the leading network equipment providers incorporating features like firewalls, IDS and IPS in their portfolios. Some of these solutions are already being manufactured and marketed by network equipment manufacturers like Cisco, Juniper etc., as is the case today. The next transition of such solutions will be to have them as part of the feature set of the networking products themselves.
  2. Similarly, in the systems space, Microsoft entering the picture has ruffled many feathers. Microsoft’s acquisition of companies like Giant and Sybari, and its recently introduced anti-virus and anti-spam offering, have proved to be one of the most significant developments in the security market, in my opinion. I have started hearing discussions in meeting rooms where CIOs and CSOs are asking their teams to evaluate the solutions that Microsoft has started offering. I don’t see people ready to discard the solutions that they have been using in the past in favour of Microsoft security solutions yet.

The enterprise IT security teams I have interacted with are adopting a wait-and-watch strategy, but nevertheless it is definitely on their radar. At least the ones I have interacted with are seriously tracking how the solution from Microsoft evolves and what kind of effort Microsoft puts in to make it a credible offering.

Similar is the case for system security solutions like data-at-rest encryption, biometric authentication for systems etc. At some point in time, either these will become a pretty much standard feature set of the underlying hardware (I believe some hardware manufacturers are already providing laptop models which have inbuilt processors to encrypt the entire hard disk, fingerprint readers etc.) or they will be offered as an out-of-the-box, standard feature of the operating system (e.g. Microsoft already offers encryption solutions along with the OS platform).
