Sunday, August 30, 2015

Can You Imagine How the Buddha Played the Flute?




We all know that Lord Krishna played the flute and held the entire world in the sway of its music. One of his several names is Bansidhar, which means the holder of the flute. So it came as a pleasant surprise to me that Buddha, the enlightened one, too, played this divine musical instrument made from the bamboo plant. And oh boy, did he play it beautifully!

The revelation came through the book Old Path White Clouds by revered Vietnamese monk and peace activist Thich Nhat Hanh. The book is a majestic retelling of Buddha’s eighty years of life built on multiple sources and accounts in several languages.

While Nhat Hanh mentions a young Siddhartha (Buddha’s given name) playing the flute serenely under a moonlit sky in the early chapters of the book, to me the real magic and melody of Buddha’s flute came alive in Chapter Twenty-Five, aptly titled Music’s Lofty Peaks.

In the episode, Buddha is said to have met a group of young people in a forest between Varanasi and Rajagriha (written Rajagaha in the book, now the city of Rajgir in Bihar). As the story goes, one of them asked the Buddha to play the flute for them just as some of them burst out laughing, dismissing the idea of a monk playing the flute.

Never the one to be perturbed, the Buddha just smiled.

Now, as the Buddha took a few deep breaths and put the flute to his lips, can you imagine how those young men felt? Can you imagine the music that wafted magically in the wind of that forest? Before he touched the first note, the Buddha reflected on how many, many years ago he played the flute as the Sakya prince in the capital city of Kapilvastu.

I believe it must take the spiritual depth and simplistic genius of a true monk to put forth the description that follows. This is how Thich Nhat Hanh describes the Buddha playing the flute in his book:

“The sound was as delicate as a thin strand of smoke curling gently from the roof of a simple dwelling outside Kapilavatthu at the hour of the evening meal. Slowly the thin strand expanded across space like a gathering of clouds which in turn transformed into a thousand-petalled lotus, each petal a different shimmering color. It seemed that one flutist suddenly had become ten thousand flutists, and all the wonders of the universe had been transformed into sounds—sounds of a thousand colors and forms, sounds as light as a breeze and quick as the pattering of rain, clear as a crane flying overhead, intimate as a lullaby, bright as a shining jewel, and subtle as the smile of one who has transcended all thoughts of gain and loss. The birds of the forest stopped singing in order to listen to this sublime music, and even the breezes ceased rustling the leaves. The forest was enveloped in an atmosphere of total peace, serenity, and wonder.”

Can you imagine how the Buddha played the flute?

As I read those lyrical words, I could feel a certain peace within my own self. It is as if you are being transported into another realm of existence on the wings of a swan. As if the gentle embrace of a child is holding you in its inexplicable delight. As if your heart has become so much full of love and divine grace that it is overflowing with joy…As if all the pain of thousands of years buried deep in the multiple births of your existence is melting away into a single note of relief…

Can you, can you imagine how the Buddha played the flute!

Sunday, August 16, 2015

Tackling the People Problem in Security



Security is a constantly moving target, all right. But which of these three pillars—people, process and technology—is the most vexatious issue in hitting the bull’s-eye?

Felix Mohan, one of India’s top experts on information security, addressed this question at the Delhi leg of DynamicCISO Regional Security Summit recently. (The summits are held in multiple cities in India.)

To make the point loud and clear, Mohan used a simple but powerful twin-visual. The first part showed a cube with a small hole on the front side. The revelation came in the second part, which showed a much bigger hole on the back surface (Didn’t want to say “back side”).

Now, here’s the crux: the tiny hole, which covered barely 10% of the surface area, represents security breaches because of technology gaps; the Real McCoy is the people angle to security, the 90% hole on the other side of the cube through which most incidents actually occur.

And yet, startling as it may seem, 80% of the security budget in a typical organization goes toward plugging that small, tech-related hole. Only a disproportionately small portion of the budget (20%) is allocated for addressing the people issues.

That is not to say that all those next-gen firewalls, data leak prevention tools and encryption solutions do not deserve your attention and investment. But the alarming rise of socially engineered attacks, password/identity thefts and advanced persistent threats all point to the dire need for putting people at the very core of your security strategy.

An indication of the people angle’s significance is the new acronym, PCS, coined by Gartner. In a blog post, Gartner analyst Tom Scholtz describes People-Centric Security as “a strategic approach to information security that emphasizes individual accountability and trust, and de-emphasizes restrictive, preventive security controls.”

The growing role of users in InfoSec is also highlighted in several industry studies. For one, according to the recent 2015 Black Hat Attendee Survey, 33% of respondents believe that the weakest link in today’s enterprise IT defenses is “end users who violate security policy and are too easily fooled by socially engineered attacks.”

High concern over the people problem in security even prompted one consultant, Peter Thompson, to give this intriguing headline to his article in a newsletter: “Are you patching your people?”! Thompson further quotes the famous US prez Benjamin Franklin as having once remarked: “Three may keep a secret, if two of them are dead.”

The impact of the gallows humor in Franklin’s remark (which was made way back in 1735) should not be lost on today’s CIOs and CISOs.

But far from wishing for grave consequences for people who can’t help sharing passwords with their cats and girlfriends, what today’s IT decision makers require is adoption of constant training and re-training of people in security best practices—beginning with the top management down to the last employee, even if that person is an outsourced “resource” (who, for all you know, could be a good recourse for hackers out there).

The Cisco 2015 Annual Security Report makes some interesting observations and raises relevant questions on people-related issues, among other aspects. Let me just pull out an excerpt here:
“With users becoming ever-weaker links in the security chain, enterprises have choices to make when implementing security technologies and policies: As developers try to make applications and software more intuitive and easy to use, do organizations open new loopholes for cybercriminals to exploit? Do enterprises bypass users, assuming they cannot be trusted or taught, and install stricter security controls that impede how users do their jobs? Do they take the time to educate users on why security controls are in place, and clearly explain how users play a vital role in helping the organization achieve dynamic security that supports the business?”

I don’t remember who said it but someone pointed out a very hard-hitting thing about the people problem in security at the DynamicCISO summit. It was about putting an undue burden of remembering multiple passwords, adhering to complex security policies or procedures and doing sundry other things to prevent security breaches on the poor user. As a connected, credit card-wielding (and shielding!) user, I somehow empathize strongly with that comment. And I suspect that a sizable online population would harbor similar sentiments.

The bewildering number of security procedures, the alarming number of online attacks and their ever-rising stakes, and the presence of multiple screens in a user’s life have made it virtually impossible to avoid trouble. If they are asked to do this or that, use this kind of password or that type of key, and comply with a ton of regulation, most of them would soon choose convenience over safety.

So, on the one hand, you have the need to apply multiple layers of security tools and constantly train people; and on the other, there’s the fatigue and unease felt by most users over time. This makes you wonder if there’s some sort of contradiction in terms here. 

On deeper reflection, however, this contradiction gives way to a balancing act. One can perhaps say that the success of a security strategy in today’s increasingly open world would depend on finding the right balance between tools and policies, between people and processes, between training and ease-of-use…in fact, between any two constructs that look diametrically opposite at first but which must be brought together in a continuum of collaborative responsiveness.

[This blog post first appeared on DynamicCISO.com]