The League of enterprise Defenders

Does thy organization have a Security Strategist? This is a question that enterprises should ask themselves if they intend to stay in business, or else corporate espionage and internal user threats will bring them down if the viruses, worms, and script kiddies don't. Every organization needs its own Security Strategist and we look at the qualities that make one. by Anil Patrick R

Who is a Security Strategist? In a nutshell, a Security Strategist is a visionary and a leader who conceptualizes a comprehensive security strategy for an organization, and has the skills to implement and manage it.
With the above abilities, a Security Strategist supports business strategy, attains competitive advantages through proactive information risk management, and enhances trust between the organization and its stakeholders.

This is why being a Security Strategist entails more attributes than just technology implementation knowledge. After all, security is more about having the right combination of technology, processes, and people.
So what are the distinguishing characteristics of a Security Strategist?

Change manager

First of all, a Security Strategist needs to be comfortable with change. Technology and business requirements change rapidly and so do the security challenges. A Security Strategist has to be aware and able to predict evolving security changes and trends.

Being prepared for change is about building adaptive and modular systems. This helps to effectively manage changing business requirements that bring newer security needs with them.

It is also necessary to have security policies that allow changes to be effected in parts of the policy without affecting others. This is essential to avoid disruption of operations due to change.

So, the Security Strategist has to be aware of the dependencies and possible consequences, to proactively plan, implement, and manage the changes accordingly.

The winning Stragetists

V. K. Ramani President IT, UTI Bank	Rajiv Seoni Assistant VP and Head IT, Hughes Software Systems	V.V.R. Babu CIO, ITC Limited

Understand the business

The CIO needs to be well versed with the business strategy, core elements, and their mutual interactions to understand the information security needs. Designing an effective security strategy and policy are possible only with a thorough understanding of the organization's business.

It is necessary for the Strategist to actively study each department's functions and focus on its interaction with other departments and the external world (customers, suppliers) to draw up a comprehensive security policy. This has to be done on an ongoing basis to stay up to date with the changes and incorporate them into the policy.

Interaction with the top management and the workforce is crucial for alignment between technology and business. This is why a Security Strategist has to be a good communicator with excellent collaboration skills. The Security Strategist also requires competencies in fields like investment appraisal, financial assessment, cost-benefit analysis, and project management.

Get management buy-in

The times of convincing the top management into investing in security by exploiting the Fear, Uncertainty, Doubt (FUD) factor is long past. Instead, today's Security Strategists get the right business buy-in by justifying and 'selling' these concepts.

Security is as much a business risk as any other and needs to be treated like that. The trick is not to overdo it. Successful Security Strategists avoid dwelling too much over losses caused by security breaches. They should adopt structured cases highlighting benefits that security initiatives bring to the organization.
Having a security steering committee consisting of top-level management executives and user representatives also helps get acceptance. It is best to involve this committee in security initiatives right from the security policy's inception.

It is a good practice to have a separate security budget. Usually, security is considered part of the IT budget which can be detrimental during implementation of large scale security initiatives. This is where
management commitment makes the going easier. It is easier for the CIO to justify security investments if there is management involvement.

The Jury Panel

S B Patankar Director-IS, The Stock Exchange	Prof. G Sivakumar Head, Computer Science & Engineering, IIT Bombay	Capt. Felix Mohan CEO, Secure Synergy	Mani Mulki Head-IT, Godrej Industries

Create user awareness

A chain is only as strong as its weakest link and information security is no different. Effective information security is only possible by improving user consciousness. This is why Security Strategists lay great emphasis on people—the commonly overlooked security aspect.

Security has to be ingrained in the user's mind for an organization's security initiatives to be successful, and requires continuous user education. Users have to be trained in security basics and the organization's security policies at the time of joining.

Ongoing security education is the next stage. This can be achieved through regular training sessions. If that is not possible due to reasons like a large user base, the solution is to use automated training methods like popup messages, and online refresher courses. Other methods include poster campaigns and recognition for the most security-conscious users.

Ensure compliance

The Security Strategist should not believe in having comprehensive security policies if they are not followed, and insists on policy enforcement. It ensures that they do not end up as dust-covered manuals on forgotten shelves.
Regular audits and surprise checks are essential to ensure compliance. Punitive measures have to be meted out to errant employees in accordance with the organization's HR department policies. User habit-tracking is another measure to track policy compliance. This will also help identify users who require additional training.
The essential point is that the Security Strategist should enforce policies without creating 'the big brother is watching' syndrome. Although user monitoring is required, users are not to be seen as adversaries.
Regular security policy reviews and proper documentation are equally important. Regular reviews have to be made by the steering committee taking parameters like changing requirements and audit reports as the baseline. Changes have to be incorporated at the earliest to ensure proper security.

SecureSynergy Security Strategist Awards 2004

While we saw the major facets of a Security Strategist, there are many other factors to be considered. This is why Network Magazine decided to evaluate and recognize these exceptional technocrats with the SecureSynergy Security Strategist Awards 2004.

Anil Patrick R can be reached at: anilpatrick@networkmagazineindia.com