- Strong focus on metrics and governance
- Focuses on maximizing returns from existing security investments
- Instrumental in Idea Cellular’s bid for ISO27001, DLP/DRM and federated IDAM
Idea Cellular’s chief information security officer Sunil Varkey is a man who believes that in security, one needs to make the most of what is available, before succumbing to the problem of choice. His primary focus, since taking up the reins as CISO at Idea Cellular in June 2011, has been optimizing the existing setup, rather than procuring new technology and making huge investments.
Varkey had a good springboard from which to dive in, since, as part of the Aditya Birla group, Idea Cellular was already a well-governed organization. Varkey is responsible for providing information security to a customer base of over 100 million users and almost 40,000 dealers, all of whom touch the organization’s vastly extended perimeter and systems in one way or another.
So how does he deal with this enormous challenge? Compared with segments such as banking, Varkey says that the lack of standardization and varying levels of maturity at points of contact pose significant problems. Confidentiality, availability and regulatory compliance remain the three driving factors in Varkey’s security strategy. He says that a proactive approach to security is required to ensure that his users get the maximum possible freedom in a domain that is highly technology centric.
Varkey reports to the CIO, and has found the Idea Cellular management extremely supportive of information security and privacy initiatives. Varkey’s in-house team of five largely functions in a strategic capacity, while operations are handled by IBM, Idea’s strategic outsourcing partner.
Idea Cellular’s infosec policy and configuration are reviewed annually. In addition, sections from the policy are covered at random every quarter. This is possible under the aegis of Idea Cellular’s robust metrics, giving the team a chance to drill down deep into every aspect without having to keep track of the broader picture. An audit team also undertakes a continuous review based on risk. Vulnerability assessments are conducted every month, with penetration testing performed biannually.
Varkey’s approach has been to put very strong metrics and measurements in place. Metrics were partially in place when he joined, and he has helped take the legacy forward. His team is working on enhancing the existing investments, which he believes will give him great insights into the way forward in terms of controls and processes.
Varkey oversees a 24x7 SOC managed by IBM, covering all of Idea’s critical devices. Events and shortfalls are flagged as they happen, and remedial action is taken. Infrastructure is continuously evaluated to determine where additional controls are required. Idea is in the process of getting ISO 27001 certified; Varkey says that while the organization is already practicing it, they are not yet certified as such. His team oversees around 100 critical applications.
Further, Varkey has put Idea Cellular’s DLP on the drawing board, in the form of a DLP/DRM combination. He is taking time to minutely map this solution to Idea’s needs, since he believes many companies have made the error of jumping onto the DLP bandwagon prematurely. Idea also has an ongoing IDAM implementation, which Varkey is looking to federate into a single entity.
With ample bandwidth now available to the end user, Varkey expects India to start featuring in the news for attacks and botnet traffic in the cellular space. Varkey feels that this will drastically transform the landscape, with the responsibilities and role of the CISO increasing tremendously in the coming years.