Synergizing security

	Both a security strategy as well as a Security Strategist should rest on a tripod of people, process, and technology. If the security policy does not have well founded roots in these three fields, the strategy cannot be complete
Mani Mulki Head IT, Godrej Industries Pvt. Ltd.

The Security Strategist is one who can visualize the info-sec requirements of business. Then align a plan of action, and implement a cohesive solution that will serve the business with least disruption.

Processes and policies

For example, a security system may include the best e-mail monitoring system. However, unless it has a process and policies that determine what mails should be quarantined, the technology is inconsequential.

And processes and policies will fall flat if people don't understand the need for patch downloading for anti-viruses, for example. Then they may not treat the process with the required importance.

The Security Strategist has to be well-versed with the technology. For any problem today there are at least a dozen solutions. The strategist has to identify the one that nails the business need and provides convenience to the users.

Typical skills

So the typical skill set required by a Security Strategist would be the capability to pinpoint the loopholes and vulnerabilities of the company and its systems. The capacity to assess the pros, cons, and viability of solutions is important. And a sound understanding of the business process is critical.

The catch with IT solutions and more so with security solutions is that the benefits are indirect. So, the senior management resists investment in them. There are two factors that sway the management decision: the persuasion capabilities of the strategist, and his/her credibility.

Convincing the management

Convincing the management is a matter of approach. The Security Strategist should present the risk analysis instead of technology jargon. The decision-makers should have a clearly defined view of the loss in business resulting from the lack of security.

Consider a spam filter. If the management sees it merely as a tool to get less mail, the management will probably not see value for money. Whereas if the Strategist can present the total man hours that will be saved if there is less mail, and the possible filtering out of viruses that could enter the system, then the investment will make business sense.

As far as credibility is concerned, it cannot be established at the outset. Credibility is cultivated over time. One way to get it, is to keep a track of viruses and disasters competitor companies face, and its effects. Then, report the difference in the wasted time and productivity between the affected company and yours. The threat perception should be concrete not only in the mind of the management but also the employees in general.

That's what counted, for me, in the final analysis for this award as well: the difficulties the Security Strategist faced to convince the management and the efforts taken to mass-educate the employees. The most difficult part of security is to coordinate people and process, and a Security Strategist's success lies in the ability to bring about change in that.

A Word of Caution

Do not treat information security as a technology. A security investment cannot be weighed like other IT investments. You have to be very well versed with the threats rather than the advantages, and the threats should be very lucidly presented to the management.