"Both a security strategy and a Security Strategist should rest on a tripod of people, process, and technology. If the security policy does not have well-founded roots in all three, the strategy cannot be complete."
Head IT, Godrej Industries Pvt. Ltd.
The Security Strategist is one who can visualize the information-security requirements of the business, align a plan of action with them, and implement a cohesive solution that serves the business with the least disruption.
Processes and policies
For example, a security system may include the best e-mail monitoring product available. However, unless there is a process, backed by policies, that determines which mails should be quarantined, the technology is inconsequential.
Processes and policies, in turn, fall flat if people do not understand why they matter. If users do not see the need for, say, downloading updates for the anti-virus software, they will not treat the process with the required importance.
The Security Strategist also has to be well-versed in the technology. For any problem today there are at least a dozen solutions, and the strategist has to identify the one that meets the business need while remaining convenient for users.
So the typical skill set required of a Security Strategist is the ability to pinpoint the loopholes and vulnerabilities of the company and its systems, the capacity to assess the pros, cons, and viability of candidate solutions, and, critically, a sound understanding of the business processes being protected.
The catch with IT solutions, and even more so with security solutions, is that the benefits are indirect: a successful control is one under which nothing visibly happens. Senior management therefore resists investing in them. Two factors sway the management decision: the persuasion capabilities of the strategist, and his or her credibility.
Convincing the management
Convincing the management is a matter of approach. The Security Strategist should present a risk analysis instead of technology jargon. The decision-makers should come away with a clearly defined view of the business loss that would result from the lack of security.
Consider a spam filter. If the management sees it merely as a tool for receiving less mail, it will probably not see value for money. Whereas if the Strategist can quantify the total man-hours that will be saved by the reduced mail volume, and the viruses that the same filter would stop from entering the system, then the investment makes business sense.
As far as credibility is concerned, it cannot be established at the outset; it is cultivated over time. One way to earn it is to keep track of the viruses and disasters that competitor companies face and their effects, and then report the difference in wasted time and lost productivity between the affected company and your own. The threat perception should be concrete not only in the minds of the management but also in those of the employees in general.
That is what counted, for me, in the final analysis for this award as well: the difficulties the Security Strategist faced in convincing the management and the efforts taken to mass-educate the employees. The most difficult part of security is coordinating people and process, and a Security Strategist's success lies in the ability to bring about change there.
A Word of Caution
Do not treat information security as a technology. A security investment cannot be weighed like other IT investments. You have to be thoroughly versed in the threats rather than in the advantages of any particular product, and those threats should be presented very lucidly to the management.