
The League of Enterprise Defenders

Does your organization have a Security Strategist? Every enterprise that intends to stay in business should ask itself this question: if viruses, worms, and script kiddies don't bring it down, corporate espionage and insider threats will. Every organization needs its own Security Strategist, and here we look at the qualities that make one. by Anil Patrick R

Who is a Security Strategist? In a nutshell, a Security Strategist is a visionary and a leader who conceptualizes a comprehensive security strategy for an organization and has the skills to implement and manage it.
With these abilities, a Security Strategist supports the business strategy, gains competitive advantage through proactive information risk management, and builds trust between the organization and its stakeholders.

This is why being a Security Strategist takes more than knowledge of technology implementation. After all, security depends on having the right combination of technology, processes, and people.
So what are the distinguishing characteristics of a Security Strategist?

Change manager

First of all, a Security Strategist needs to be comfortable with change. Technology and business requirements change rapidly, and so do the security challenges. A Security Strategist has to be aware of evolving security trends and able to anticipate them.

Being prepared for change means building adaptive, modular systems. This makes it possible to manage changing business requirements, which bring new security needs with them.

It is also necessary to structure security policies so that one part can be changed without affecting the others. This is essential to avoid disrupting operations when a change is made.

So the Security Strategist has to understand the dependencies and possible consequences of a change in order to plan, implement, and manage it proactively.

The winning Strategists

V. K. Ramani, President IT, UTI Bank
Rajiv Seoni, Assistant VP and Head IT, Hughes Software Systems
V. V. R. Babu, CIO, ITC Limited

Understand the business

The CIO needs to be well versed with the business strategy, its core elements, and how they interact in order to understand the organization's information security needs. Designing an effective security strategy and policy is possible only with a thorough understanding of the organization's business.

The Strategist has to actively study each department's functions, focusing on its interactions with other departments and with the external world (customers, suppliers), in order to draw up a comprehensive security policy. This has to be done on an ongoing basis so that changes in the business are caught and incorporated into the policy.

Interaction with top management and the workforce is crucial for aligning technology with the business. This is why a Security Strategist has to be a good communicator with excellent collaboration skills. The Security Strategist also requires competence in fields like investment appraisal, financial assessment, cost-benefit analysis, and project management.

Get management buy-in

The days of convincing top management to invest in security by exploiting Fear, Uncertainty, and Doubt (FUD) are long past. Instead, today's Security Strategists win business buy-in by building and 'selling' a justified business case.

Security is as much a business risk as any other and needs to be treated as one. The trick is not to overdo it. Successful Security Strategists avoid dwelling too much on the losses caused by security breaches. Instead, they present structured cases that highlight the benefits security initiatives bring to the organization.
Having a security steering committee consisting of top-level management executives and user representatives also helps win acceptance. It is best to involve this committee in security initiatives right from the inception of the security policy.

It is good practice to have a separate security budget. Security is usually treated as part of the IT budget, which can be detrimental when implementing large-scale security initiatives. This is where management commitment makes the going easier: it is far easier for the CIO to justify security investments when management is involved.

The Jury Panel

S B Patankar
Director-IS, The Stock Exchange
Prof. G Sivakumar
Head, Computer Science & Engineering, IIT Bombay
Capt. Felix Mohan
CEO, Secure Synergy
Mani Mulki
Head-IT, Godrej Industries

Create user awareness

A chain is only as strong as its weakest link, and information security is no different. Effective information security is possible only by raising user awareness. This is why Security Strategists lay great emphasis on people, the most commonly overlooked aspect of security.

For an organization's security initiatives to succeed, security has to be ingrained in users' minds, and that requires continuous user education. Users have to be trained in security basics and in the organization's security policies at the time of joining.

Ongoing security education is the next stage. This can be achieved through regular training sessions. Where that is not possible, for example because of a large user base, the solution is to use automated methods such as pop-up messages and online refresher courses. Other methods include poster campaigns and recognition for the most security-conscious users.

Ensure compliance

A comprehensive security policy is worth nothing if it is not followed, so the Security Strategist insists on policy enforcement. This ensures that policies do not end up as dust-covered manuals on forgotten shelves.
Regular audits and surprise checks are essential to ensure compliance. Punitive measures have to be meted out to errant employees in accordance with the organization's HR policies. Tracking user behaviour is another way to measure policy compliance, and it also helps identify users who require additional training.
The essential point is that the Security Strategist should enforce policies without creating a 'big brother is watching' syndrome. Although user monitoring is required, users are not to be treated as adversaries.
Regular security policy reviews and proper documentation are equally important. The steering committee has to review the policy regularly, taking changing requirements and audit reports as the baseline. Changes have to be incorporated at the earliest to keep security effective.

SecureSynergy Security Strategist Awards 2004

While we have looked at the major facets of a Security Strategist, there are many other factors to be considered. This is why Network Magazine decided to evaluate and recognize these exceptional technocrats with the SecureSynergy Security Strategist Awards 2004.

Anil Patrick R can be reached at: anilpatrick@networkmagazineindia.com

SecureSynergy Security Strategist 2004 winners

The best time to recognize achievements is at the time of announcing the achievers. So without any further ado, this year's winners are:

*V K Ramani, President IT, UTI Bank, in the BFSI category
*Rajiv Seoni, Assistant VP and Head IT, Hughes Software Systems, in the IT, ITES, and Telecom category
*V V R Babu, CIO, ITC Limited, in the General Industry category

The selection process
Network Magazine appointed IMRB as the award's Business Process Validator (BPV). The BPV ensured that the process used to arrive at the SecureSynergy Security Strategist Awards 2004 was fair and transparent.

Of 135 applications, the top three contenders in each category were interviewed by a jury panel consisting of academic experts, CIOs, and security domain experts. Each category's winner was selected after interviewing the top three nominees and assessing them on the following parameters:

*Security policy and management
*Planning and administration
*Incident response mechanisms
*Contingency planning and disaster recovery
*Future vision

The jury panel rated the nominees using a weighted ranking mechanism developed by NM's Editorial Team in consultation with IMRB.

India's Most Secure Company: e-Serve International
e-Serve International Limited, the BPO arm of Citicorp, deserves a special mention as one of India's most secure organizations.

To manage its security-related policies and processes, e-Serve has two officers who look after different aspects of security. One handles technology and IT-related issues (Tech ISO), and the other handles business and operations information security issues (Business ISO). So why did e-Serve not win the SecureSynergy Security Strategist Awards?

Two reasons. First, the SecureSynergy Security Strategist Awards recognize individual achievement: initiatives, leadership, and vision. At e-Serve the security strategy is clearly a team effort, driven by two different individuals, one managing technology and the other managing business processes.

Second, the jury panel, even though extremely appreciative, found most of e-Serve's policies to be developed (or customized) around Citicorp's worldwide policies.