A new enterprise - part II

The bank account.

With all the KYC norms that exist, opening up a bank account wasn't the easiest thing in the world with the newly formed entity. Among other documents submitted, the key documents were:
1. Copy of the partnership deed
2. Letter from my existing company NII saying that I allow IIS (Institute of Information Security) to function from this office
3. An Airtel bill on my personal name as address proof
4. Copy of the receipt of BMC for registration under Shops & Establishment Act. The actual certificate is another story and will take a week or so (check my next blog post on BMC and Bribery)
5. A couple of other letters that the Bank gave me the format of
6. PAN card copies of both directors
7. Form saying PAN card has been applied for - and the PAN card has also been applied
8. Photos, filled up forms, etc.

The main challenge was with the address proof - since there is no bill or government receipt with the IIS name and my office address. And I couldn't wait for the Shops and Establishment Act certificate to come through.

Anyways, it took a week or so, but it's been done now. And this is a bank I've been banking with for over a decade now. But this laborious process of opening up an account is largely due to the RBI's stress on reducing NPAs, controlling benami accounts, and other anti-money laundering provisions. So well, it's all for a good cause!

A new enterprise - part 1

Taking into consideration the fact that scaling a consulting business is a long-term affair, I've decided to take at least the training component out and make that into a separate enterprise. Since it has been quite some time since I incorporated a business, I thought I'd jot down the brief journey of getting an enterprise up and running here to help budding entrepreneurs see the first few steps at least of getting a business off the ground

The first thing I did was to think up of an impressive enough name for the training business - we came up with Institute of Information Security. I then got my in-house team to get the website done www.iisecurity.in

I tasked one of my team members to experiment with some of the e-learning software, and we narrowed down on eFront. So the eLearning channel is also up and running at http://elearning.iisecurity.in

We've also started doing the SEO for the website, and it already ranks high up when searching for specific terms related to the security training business. I also logged in the business with JustDial (www.justdial.com) and with Google local business search.

Finally, the legal part. In order to incorporate the enterprise, we are doing it as a partnership. So I contacted my CA, gave him the broad terms of the partnership, and he's built all the rest of the legalese around it. The deed will be printed out on Rs. 500 stamp paper and will become a registered deed.

Oh, and of course, the process for trademark registration has already been started through my earlier trademark agent (atozservices.info).

Principles of Problem-Solving

Over the years I have developed some simple principles that aid me in solving problems. Often times I myself forget some of these, so it is worthwhile putting them down in an email, and I hope all of you will also benefit from these in the years to come.

Principle #1

There is a solution to every problem

Rarely have we faced a problem where a solution cannot be found. So every problem, customer complaint, technical malfunction, configuration issue, whatever it might be - does have a solution. The trick in achieving the solution first lies in believing that one does exist. Once you begin from that premise, there is a higher likelihood that the problem will indeed be solved. In fact, you'll look at the problem as a challenge, and not as a headache.

Principle #2

There will always be problems

Problems are not to be shied away from or to be thought of as PROBLEMS! In the sense, a positive attitude to any problem is more likely to help you get it resolved, than thinking of it as an encumbrance from the more enjoyable things you could be doing with your time. Also, bear in mind that behind every problem is an excellent lesson to be learnt and an opportunity for you to grow as an individual and as a professional.

Principle #3

Get as much data as you can

Corollary: Depend on as few assumptions as possible

The more data that you can get, the more likely it is that you will be able to resolve the problems quicker and better. Getting to the root of the problem requires you to ask as many questions as you can, even though the answers may not be what you would like to hear - especially with non-technical problems. Your most helpful aids here are the questions - Why, What, Where, How, When and Who.

Principle #4

Break down the problem into components

If the problem is too large or too complicated, try to separate the issues, and try to resolve them one at at time. Also, try to focus on the simplest issues to solve, and then move on to the more complicated parts of the problem. Here I am referring to both technical and non-technical problems.

Principle #5

Some problems are also hurdles

Just as in a hurdle race the runner does not try to disassemble each hurdle, but simply jumps up over them. In the same way, not every problem needs to be solved. Some problems can be side-stepped by thinking out of the box. Again if you make fewer assumptions, you'll be able to arrive at unorthodox solutions, one of which is to simply walk around the problem and continue in your path to achieve your goals. At the same time the approach of sidestepping a problem doesn't serve well in most circumstances - then you're simply stalling facing up to the issue. And unresolved problems simply simmer and blow up in your face at some time.

Principle #6

Learn how to Google well

Yes we all know this, and yet we all don't do it well. Let me give you one example. Recently, we had some issues where a user's existing password, which was working earlier suddenly stopped working. The usual attempt would be to reset the password, or recreate the POP account, or recheck the settings. But searching on Google reveals this very simple solution to a problem different from what was originally imagined.

http://mail.google.com/support/bin/answer.py?answer=14257&topic=12919, which led to this https://www.google.com/a/niiconsulting.com/UnlockCaptcha

Principle #7

Sometimes the problem isn't the problem

If you keep an open mind and try to question people and get to the root of the problem - the real cause of it - you will sometimes realize that what was originally stated as the problem statement, isn't the real problem at all. And in fact, the real problem is something else altogether. What you are being told is the problem could quite possibly be the symptoms of the problem or only the apparent problem. The trick to getting to the actual root of the problem is to simply keep asking "Why". Why is this a problem, then take the response, and ask why that is a problem and so forth till you reach the real cause of it.

Principle #8

Be open to inputs and flexible to change

If you're stuck with a problem and can't come up with a solution it is most likely because you're on the wrong track. If you let your mind open up to ideas from other people and suggestions that may seem whacky or illogical or off-center it just might end up leading to a solution. Which is why brainstorming is an excellent way to solve a problem - just let all suggestions be presented and come to the table, without discussing any of them at length. Once all the ideas are on the table, then start discussing the merits-demerits of each.

If you have any of your favorite tricks, add to this list...

Infosec Scenario in 2009

1. Business continuity to get focus over disaster recovery
BCM is a process issue related to building the framework to increase business resiliency and restoration capability, while DR is about building redundancy through infrastructure investments. It is quite likely that new DR site investments might happen fewer than they did in 2008. But I would not advise cutting down on building your BCM capability - even if you are an SME. Each one of your people does need to know what needs to be done when things begin to fail. This does not require huge amounts of investment, but does require common sense, risk assessment, and regular training and awareness.
Counter: Focus on an effective Business Continuity Plan that takes into account at least the following - fire, ISP failure, transportation link failure, and yes a terrorist attack as well.

2. Capital expenditure on security technologies likely to be hit
This is one area that has seen the biggest hit and is likely to continue feeling the impact with new investments simply not happening. So fewer firewall upgrades, fewer adoptions of recently introduced solutions such as Data Leakage Prevention (DLP), Network Access Control (NAC), and others.
Counter: Really look for ROI on your capital expenditure on security technologies.

3. Focus on regulatory compliance to increase
Make sure you know very clearly what your responsibilities are towards data protection - not only for the specific industry you are in - but also for the countries that you do business in. I’ll soon be releasing a write-up on the Indian IT Act, and the new amendments recently pushed through in the Parliament, and what these mean for every individual and every business. Essentially, even if you are not ISO 27001 compliant or PCI DSS regulated, you are still very much legally liable to ensure due diligence to protect your customer’s data.
Counter: While cutting budgets on infosec is fine, don’t end up putting the existence of your business at risk due to negligence towards data protection.

4. Scareware, Social Networking Attacks, Phishing, and others
While Phishing attacks rose quite a bit in 2008, it is quite likely they will become more prevalent, more insidious and a huge pain in the wrong places in 2009. Combined with Scareware tactics (http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/), exploitation of social networking sites (http://www.internetnews.com/security/article.php/3789496 and http://news.cnet.com/8301-1009_3-10078353-83.html), and even Google (http://go.theregister.com/feed/www.theregister.co.uk/2008/12/30/google_calendar_phish/ and http://blogs.zdnet.com/Google/?p=1053) is going to ensure attacks are highly smart, effective, and definitely lucrative for the attackers.
Counter: Focus on awareness, not just within your organizations but also within your families and communities.

5. Computer fraud may rise - a lot
Today attackers are not concerned with releasing the latest virus onto unsuspecting Internet users. Do we even remember how long ago it was when CodeRed or Slammer hit us bad? Attackers today - both external and internal - have one simple agenda - making as much money as they can within as short a time as possible. We’re already seeing SAP, Oracle Apps, and business applications becoming the most lucrative target of fraudsters. All they need is the knowledge (if you’re working with 2-3 years on the same system you know its flaws well enough), motive (layoffs, salary cuts, no bonuses), and opportunity.
Counter: Invest in forensic accounting, and keep a panel of experts on standby to be called in when fraud happens. Get advice on a list of red flags to watch out for.

6. Cyberwarfare could become a reality
At least as far as the South East Asian region is concerned, we’ve already seen an increase in the number of cyber attacks on Indian banks and government websites. This trend will get more serious and more malicious with some really sensitive data being targetted in the months to come. The next frontier for terrorism will be digital, and we’re all going to be facing the brunt of professional hacking, espionage, and digital sabotage. We’re already seeing this with the current Israeli war on Gaza (http://blog.wired.com/defense/2008/12/israels-info-wa.html), and the recent attacks by Pakistani hackers on the Eastern Railways site (http://in.news.yahoo.com/241/20081225/1262/twl-pak-hacker-attacks-e-rlys-site-threa.html), and a couple of PSU banks. See this link for in-depth Indo-Pak cyberwar coverage http://intelfusion.net/wordpress/?p=468
Counter: If your organization is governmental, semi-governmental, public sector, or provides a service or utility of national importance, you are pretty much going to be targeted. Focus on securing your external perimeter and get it tested.