Issue of November 2004 


Maintaining a proactive approach to change

What makes a Security Strategist? An educator and enforcer with a proactive attitude to managing change, while treading the fine line between security requirements and their cost.
Professor Sivakumar
Head, Dept of Computer
Science & Engineering, IIT Bombay

Security is a rapidly changing field. Nothing is permanent in enterprise security, and knowing the technology alone is not enough. This is why a Security Strategist also has to be a change management expert.

Enterprise systems have to be designed for change in order to stay secure. They should be adaptive rather than rigid. The security policy or framework must therefore be able to adapt as well, which means it has to be modular: built from parts that can be revised one at a time.

A proactive approach

If a change is made to one part of the policy, it should be clearly visible how that change affects the other sections. A successful Security Strategist should be able to anticipate these dependencies, map them out, and manage changes accordingly.

You cannot afford to be reactive in these cases. The need of the hour is to be proactive and in a state of constant readiness. So you have to stay up to date and plan changes before you make them.

The fine balance

It is necessary to know which people have the required skills and cooperation, and to keep them ready in advance. This should be done without upsetting routine operations.

All said and done, security is an overhead for most companies. It is never the core business, except for companies with proprietary intellectual property at stake. In most cases management will not want to spend a lot on security. This is why the Strategist has to be able to convince management.

A Security Strategist should be able to make management realize the importance and value of security, and to get things done without scaring them. This is easy to say but hard to do.

Up-to-date with knowledge

A Security Strategist has to plan for worst-case scenarios and keep users informed about how to deal with them. For this it is necessary to run dry runs, experiments and regular drills. These keep everyone in the organization aware of what has to be done if things go wrong.

This brings us to the issue of user awareness. Any security system that depends primarily on users behaving securely is not a good one. With a heterogeneous user population, you are not going to have common skills or knowledge levels across all users.

However, it is safe to assume a basic minimum of good intent and cooperation. Beyond that, the system should be foolproof, or at least idiot-proof to some extent.

There should be automated ways of enforcing security. For example, the system should automatically flag passwords that have not been changed and test the strength of new passwords. Auditing user habits is also important: with it, users who are being lax can be identified and given special training.

Next is gauging the level of awareness among users. In many cases people do not realize the harm that unauthorized access can cause. The consequences of letting system access fall into the wrong hands can be shown through demonstrations, which drive the point home.


Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.