The League of enterprise Defenders
Does thy organization have a Security Strategist? This
is a question that enterprises should ask themselves if they intend to stay
in business, or else corporate espionage and internal user threats will bring
them down if the viruses, worms, and script kiddies don't. Every organization
needs its own Security Strategist and we look at the qualities that make one.
by Anil Patrick R
Who is a Security Strategist? In a nutshell, a Security Strategist
is a visionary and a leader who conceptualizes a comprehensive security strategy
for an organization, and has the skills to implement and manage it.
With the above abilities, a Security Strategist supports business strategy,
attains competitive advantages through proactive information risk management,
and enhances trust between the organization and its stakeholders.
This is why being a Security Strategist entails more attributes than just technology
implementation knowledge. After all, security is more about having the right
combination of technology, processes, and people.
So what are the distinguishing characteristics of a Security Strategist?
First of all, a Security Strategist needs to be comfortable
with change. Technology and business requirements change rapidly, and so do the
security challenges. A Security Strategist has to be aware of, and able to predict,
evolving security challenges and trends.
Being prepared for change is about building adaptive and modular systems. This
helps to effectively manage changing business requirements that bring newer
security needs with them.
It is also necessary to have security policies that allow
changes to be effected in parts of the policy without affecting others. This
is essential to avoid disruption of operations due to change.
So, the Security Strategist has to be aware of the dependencies
and possible consequences of change, in order to proactively plan, implement, and manage it.
The winning Strategists
Understand the business
The CIO needs to be well versed in the business strategy,
core elements, and their mutual interactions to understand the information security
needs. Designing an effective security strategy and policy are possible only
with a thorough understanding of the organization's business.
It is necessary for the Strategist to actively study each department's functions
and focus on its interaction with other departments and the external world (customers,
suppliers) to draw up a comprehensive security policy. This has to be done on
an ongoing basis to stay up to date with the changes and incorporate them into
Interaction with the top management and the workforce is crucial for alignment
between technology and business. This is why a Security Strategist has to be
a good communicator with excellent collaboration skills. The Security Strategist
also requires competencies in fields like investment appraisal, financial assessment,
cost-benefit analysis, and project management.
Get management buy-in
The days of convincing top management to invest
in security by exploiting Fear, Uncertainty and Doubt (FUD) are long
past. Instead, today's Security Strategists get the right business buy-in by
justifying and 'selling' security initiatives on business terms.
Security is as much a business risk as any other and needs to be treated as
such. The trick is not to overdo it. Successful Security Strategists avoid dwelling
too much on losses caused by security breaches. Instead, they build structured
business cases highlighting the benefits that security initiatives bring to the organization.
Having a security steering committee consisting of top-level management executives
and user representatives also helps get acceptance. It is best to involve this
committee in security initiatives right from the security policy's inception.
It is good practice to have a separate security budget. Usually, security
is considered part of the IT budget, which can be detrimental when implementing
large-scale security initiatives. This is where
management commitment makes the going easier: it is easier for the CIO to justify
security investments if management is involved.
The Jury Panel
S B Patankar, Director-IS, The Stock Exchange
Prof. G Sivakumar, Head, Computer Science & Engineering, IIT Bombay
Capt. Felix Mohan, CEO, Secure Synergy
Head-IT, Godrej Industries
Create user awareness
A chain is only as strong as its weakest link, and information
security is no different. Effective information security is only possible by
improving user awareness. This is why Security Strategists lay great emphasis
on people, the most commonly overlooked aspect of security.
Security has to be ingrained in the user's mind for an organization's security
initiatives to be successful, and requires continuous user education. Users
have to be trained in security basics and the organization's security policies
at the time of joining.
Ongoing security education is the next stage. This can be achieved through regular
training sessions. If that is not possible due to reasons like a large user
base, the solution is to use automated training methods like popup messages,
and online refresher courses. Other methods include poster campaigns and recognition
for the most security-conscious users.
The Security Strategist does not believe in comprehensive
security policies that are not followed, and insists on policy enforcement.
This ensures that the policies do not end up as dust-covered manuals on forgotten shelves.
Regular audits and surprise checks are essential to ensure compliance. Punitive
measures have to be meted out to errant employees in accordance with the organization's
HR department policies. User habit-tracking is another measure to track policy
compliance. This will also help identify users who require additional training.
The essential point is that the Security Strategist should enforce policies
without creating a 'big brother is watching' syndrome. Although some user monitoring
is required, users are not to be treated as adversaries.
Regular security policy reviews and proper documentation are equally important.
Regular reviews have to be made by the steering committee taking parameters
like changing requirements and audit reports as the baseline. Changes have to
be incorporated at the earliest to ensure proper security.
SecureSynergy Security Strategist Awards 2004
While we saw the major facets of a Security Strategist, there
are many other factors to be considered. This is why Network Magazine decided
to evaluate and recognize these exceptional technocrats with the SecureSynergy
Security Strategist Awards 2004.
Anil Patrick R can be reached at: firstname.lastname@example.org
The best time to recognize achievements is at the time of announcing
the achievers. So without any further ado, this year's winners are:
*V K Ramani, President IT, UTI Bank in the BFSI category
*Rajiv Seoni, Assistant VP and Head IT, Hughes Software Systems in the
IT, ITES, and Telecom category
*V V R Babu, CIO, ITC Limited in the General Industry category
Network Magazine appointed IMRB as the awards' Business
Process Validator (BPV). The BPV ensured that the process undertaken to
arrive at the SecureSynergy Security Strategist Awards 2004 was fair and transparent.
Of 135 applications, the top three contenders in each category were interviewed
by the jury panel, consisting of academic experts, CIOs, and security
domain experts. Each category's winner was selected after interviewing
the top three nominees and analyzing the following parameters:
*Security policy and management
*Planning and administration
*Incident response mechanisms
*Contingency planning and disaster recovery
The jury panel rated the winner based on a weighted ranking mechanism developed
by NM's Editorial Team in consultation with IMRB.
e-Serve International Limited, the BPO arm of Citicorp,
deserves a special mention as one of India's most secure organizations.
For managing its security-related policies and processes, e-Serve has two
officers who manage different aspects of security. One looks into technology
and IT-related issues (Tech ISO), and the other looks after business and
operations information security issues (Business ISO). So why did e-Serve
not win the SecureSynergy Security Strategist Awards?
Two reasons: First, the SecureSynergy Security Strategist Awards are for
individual initiative, leadership, and vision. At e-Serve the security strategy is clearly
a team effort, driven by two different individuals, one managing
the technology and the other the business processes.
Second, the jury panel, even though extremely appreciative, found
most of e-Serve's policies to be developed (or customized) around Citicorp's