About Me

Mumbai, India
I run an IT Security consulting firm based out of India. We started off from scratch in 2001 when I was 21, and have offices in Mumbai, Bahrain, and UAE. The idea behind the blog is to share the stories of how we run the business, the deals we make, the deals that break, the heartburn, and the sheer joy.

The Ultimate Startup Guide

The Ultimate Startup Guide is an e-book that provides answers to all your questions related to starting and growing a business in India. Everything you wanted to know about entrepreneurship in India from ideation to registration to marketing to hiring. The book contains a large number of practical examples, anecdotes, interviews, and motivational material to help you get started, and to grow rapidly in a booming Indian economy. If you've got the idea, this book will help you through with the execution and realize your dreams. Here are some of the key questions you will find answered in this book:
  • When starting a business, what are the legal issues involved?
  • What form of incorporation is better suited to which type of business?
  • What tax issues are involved?
  • How do I start a business and what are the pitfalls?
  • How do I market my business in the absence of significant funding?
  • How do I get funded?
  • What are the basic accounting concepts I should be aware of?
  • What is a business plan and how should I build one?
The brief table of contents of the book is as follows:
  1. Getting started
  2. Ideation
  3. Forms of Enterprises
  4. Funding
  5. Basic Accounting and Taxation
  6. Import and Export Licensing
  7. Trademark and Patenting
  8. Rules for NRIs and Foreigners
  9. Building a Business Plan
  10. Marketing on a Shoestring
  11. Website and Branding
  12. Women Entrepreneurs
  13. Templates
To order the Ultimate Startup Guide - email me at kkmookhey@gmail.com.

Details of the book are:
Title: The Ultimate Startup Guide
Author: Kanwal Mookhey
Pages: 150
Additional: Companion CD contains numerous templates for building your business plan, calculating cashflow, preparing profit and loss, and balance sheets, preparing invoices, your resume and profile, marketing material, websites, contracts, and many other useful and motivational material.

Monday, December 21, 2009

A new enterprise - part II

The bank account.

With all the KYC norms that exist, opening up a bank account wasn't the easiest thing in the world with the newly formed entity. Among other documents submitted, the key documents were:
1. Copy of the partnership deed
2. Letter from my existing company NII saying that I allow IIS (Institute of Information Security) to function from this office
3. An Airtel bill on my personal name as address proof
4. Copy of the receipt of BMC for registration under Shops & Establishment Act. The actual certificate is another story and will take a week or so (check my next blog post on BMC and Bribery)
5. A couple of other letters that the Bank gave me the format of
6. PAN card copies of both directors
7. Form saying PAN card has been applied for - and the PAN card has also been applied for
8. Photos, filled up forms, etc.

The main challenge was with the address proof - since there is no bill or government receipt with the IIS name and my office address. And I couldn't wait for the Shops and Establishment Act certificate to come through.

Anyways, it took a week or so, but it's been done now. And this is a bank I've been banking with for over a decade now. But this laborious process of opening up an account is largely due to the RBI's stress on reducing NPAs, controlling benami accounts, and other anti-money laundering provisions. So well, it's all for a good cause!

Friday, October 30, 2009

A new enterprise - part 1

Taking into consideration the fact that scaling a consulting business is a long-term affair, I've decided to take at least the training component out and make that into a separate enterprise. Since it has been quite some time since I incorporated a business, I thought I'd jot down the brief journey of getting an enterprise up and running here to help budding entrepreneurs see the first few steps at least of getting a business off the ground.

The first thing I did was to think up an impressive enough name for the training business - we came up with Institute of Information Security. I then got my in-house team to get the website done: www.iisecurity.in

I tasked one of my team members to experiment with some of the e-learning software, and we narrowed down on eFront. So the eLearning channel is also up and running at http://elearning.iisecurity.in

We've also started doing the SEO for the website, and it already ranks high up when searching for specific terms related to the security training business. I also logged in the business with JustDial (www.justdial.com) and with Google local business search.

Finally, the legal part. In order to incorporate the enterprise, we are doing it as a partnership. So I contacted my CA, gave him the broad terms of the partnership, and he's built all the rest of the legalese around it. The deed will be printed out on Rs. 500 stamp paper and will become a registered deed.

Oh, and of course, the process for trademark registration has already been started through my earlier trademark agent (atozservices.info).

Thursday, January 01, 2009

Principles of Problem-Solving

Over the years I have developed some simple principles that aid me in solving problems. Often times I myself forget some of these, so it is worthwhile putting them down in an email, and I hope all of you will also benefit from these in the years to come.
Principle #1
There is a solution to every problem
Rarely have we faced a problem where a solution cannot be found. So every problem, customer complaint, technical malfunction, configuration issue, whatever it might be - does have a solution. The trick in achieving the solution first lies in believing that one does exist. Once you begin from that premise, there is a higher likelihood that the problem will indeed be solved. In fact, you'll look at the problem as a challenge, and not as a headache.
Principle #2
There will always be problems
Problems are not to be shied away from or to be thought of as PROBLEMS! In the sense, a positive attitude to any problem is more likely to help you get it resolved, than thinking of it as an encumbrance from the more enjoyable things you could be doing with your time. Also, bear in mind that behind every problem is an excellent lesson to be learnt and an opportunity for you to grow as an individual and as a professional.
Principle #3
Get as much data as you can
Corollary: Depend on as few assumptions as possible
The more data that you can get, the more likely it is that you will be able to resolve the problems quicker and better. Getting to the root of the problem requires you to ask as many questions as you can, even though the answers may not be what you would like to hear - especially with non-technical problems. Your most helpful aids here are the questions - Why, What, Where, How, When and Who.
Principle #4
Break down the problem into components
If the problem is too large or too complicated, try to separate the issues, and try to resolve them one at a time. Also, try to focus on the simplest issues to solve, and then move on to the more complicated parts of the problem. Here I am referring to both technical and non-technical problems.
Principle #5
Some problems are also hurdles
In a hurdle race the runner does not try to disassemble each hurdle, but simply jumps over them. In the same way, not every problem needs to be solved. Some problems can be side-stepped by thinking out of the box. Again, if you make fewer assumptions, you'll be able to arrive at unorthodox solutions, one of which is to simply walk around the problem and continue on your path to achieve your goals. At the same time, the approach of sidestepping a problem doesn't serve well in most circumstances - then you're simply stalling on facing up to the issue. And unresolved problems simply simmer and blow up in your face at some time.
Principle #6
Learn how to Google well
Yes, we all know this, and yet we all don't do it well. Let me give you one example. Recently, we had some issues where a user's existing password, which was working earlier, suddenly stopped working. The usual attempt would be to reset the password, or recreate the POP account, or recheck the settings. But searching on Google reveals this very simple solution to a problem different from what was originally imagined.
Principle #7
Sometimes the problem isn't the problem
If you keep an open mind and try to question people and get to the root of the problem - the real cause of it - you will sometimes realize that what was originally stated as the problem statement, isn't the real problem at all. And in fact, the real problem is something else altogether. What you are being told is the problem could quite possibly be the symptoms of the problem or only the apparent problem. The trick to getting to the actual root of the problem is to simply keep asking "Why". Why is this a problem, then take the response, and ask why that is a problem and so forth till you reach the real cause of it.
Principle #8
Be open to inputs and flexible to change
If you're stuck with a problem and can't come up with a solution it is most likely because you're on the wrong track. If you let your mind open up to ideas from other people and suggestions that may seem whacky or illogical or off-center it just might end up leading to a solution. Which is why brainstorming is an excellent way to solve a problem - just let all suggestions be presented and come to the table, without discussing any of them at length. Once all the ideas are on the table, then start discussing the merits-demerits of each.
If you have any of your favorite tricks, add to this list...

Infosec Scenario in 2009

1. Business continuity to get focus over disaster recovery
BCM is a process issue related to building the framework to increase business resiliency and restoration capability, while DR is about building redundancy through infrastructure investments. It is quite likely that fewer new DR site investments will happen than did in 2008. But I would not advise cutting down on building your BCM capability - even if you are an SME. Each one of your people does need to know what needs to be done when things begin to fail. This does not require huge amounts of investment, but does require common sense, risk assessment, and regular training and awareness.
Counter: Focus on an effective Business Continuity Plan that takes into account at least the following - fire, ISP failure, transportation link failure, and yes a terrorist attack as well.

2. Capital expenditure on security technologies likely to be hit
This is one area that has seen the biggest hit and is likely to continue feeling the impact with new investments simply not happening. So fewer firewall upgrades, fewer adoptions of recently introduced solutions such as Data Leakage Prevention (DLP), Network Access Control (NAC), and others.
Counter: Really look for ROI on your capital expenditure on security technologies.

3. Focus on regulatory compliance to increase

Make sure you know very clearly what your responsibilities are towards data protection - not only for the specific industry you are in - but also for the countries that you do business in. I’ll soon be releasing a write-up on the Indian IT Act, and the new amendments recently pushed through in the Parliament, and what these mean for every individual and every business. Essentially, even if you are not ISO 27001 compliant or PCI DSS regulated, you are still very much legally liable to ensure due diligence to protect your customer’s data.
Counter: While cutting budgets on infosec is fine, don’t end up putting the existence of your business at risk due to negligence towards data protection.

4. Scareware, Social Networking Attacks, Phishing, and others

While Phishing attacks rose quite a bit in 2008, it is quite likely they will become more prevalent, more insidious and a huge pain in the wrong places in 2009. Phishing combined with Scareware tactics (http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/), exploitation of social networking sites (http://www.internetnews.com/security/article.php/3789496 and http://news.cnet.com/8301-1009_3-10078353-83.html), and even Google (http://go.theregister.com/feed/www.theregister.co.uk/2008/12/30/google_calendar_phish/ and http://blogs.zdnet.com/Google/?p=1053) is going to ensure attacks are highly smart, effective, and definitely lucrative for the attackers.
Counter: Focus on awareness, not just within your organizations but also within your families and communities.

5. Computer fraud may rise - a lot

Today attackers are not concerned with releasing the latest virus onto unsuspecting Internet users. Do we even remember how long ago it was when CodeRed or Slammer hit us bad? Attackers today - both external and internal - have one simple agenda - making as much money as they can within as short a time as possible. We’re already seeing SAP, Oracle Apps, and business applications becoming the most lucrative target of fraudsters. All they need is the knowledge (if you’ve been working for 2-3 years on the same system you know its flaws well enough), motive (layoffs, salary cuts, no bonuses), and opportunity.
Counter: Invest in forensic accounting, and keep a panel of experts on standby to be called in when fraud happens. Get advice on a list of red flags to watch out for.

6. Cyberwarfare could become a reality

At least as far as the South East Asian region is concerned, we’ve already seen an increase in the number of cyber attacks on Indian banks and government websites. This trend will get more serious and more malicious with some really sensitive data being targeted in the months to come. The next frontier for terrorism will be digital, and we’re all going to be facing the brunt of professional hacking, espionage, and digital sabotage. We’re already seeing this with the current Israeli war on Gaza (http://blog.wired.com/defense/2008/12/israels-info-wa.html), and the recent attacks by Pakistani hackers on the Eastern Railways site (http://in.news.yahoo.com/241/20081225/1262/twl-pak-hacker-attacks-e-rlys-site-threa.html), and a couple of PSU banks. See this link for in-depth Indo-Pak cyberwar coverage: http://intelfusion.net/wordpress/?p=468
Counter: If your organization is governmental, semi-governmental, public sector, or provides a service or utility of national importance, you are pretty much going to be targeted. Focus on securing your external perimeter and get it tested.