Maintaining a proactive approach to change
What makes a Security Strategist? An educator and enforcer with a proactive attitude to manage change while treading the fine line of requirements versus costs.
Head, Dept of Computer Science & Engineering, IIT Bombay
Security is a rapidly changing field. Nothing is permanent in enterprise security
and it is not enough to know just technology. This is why a Security Strategist
also has to be a change management expert.
Enterprise systems have to be designed for change in order to be secure. They
should not be rigid but adaptive in nature. So the security policy or framework
should also have the ability to adapt, and to achieve this it has to be modular.
A proactive approach
If changes are made in one part of the policy, it should be clearly visible
how they affect the other sections. A successful Security Strategist should be
able to anticipate these dependencies, diagram them, and manage changes suitably.
You cannot afford to be reactive in these cases. The need of the hour is to
be proactive and maintain constant readiness. So you have to be up-to-date and plan
changes before you make them.
The fine balance
It is necessary to know who the people with the required cooperation and
skills are, and to keep them ready in advance. This should be done without upsetting
All said and done, security is an overhead for normal companies. It is never
a prime business except for companies that have proprietary intellectual property
at stake. In most cases, management will not prefer to spend a lot on security.
This is why it is necessary for the Strategist to convince the management.
A Security Strategist should have the ability to make the management realize
the importance and value of security and to get things done without scaring
them. This is easy to say, but hard to do.
Up-to-date with knowledge
A Security Strategist has to plan for the worst and keep users informed about
how to deal with such situations. For this, it is necessary to do dry runs, experiments
and drills regularly. These help keep everyone in the organization
aware of what has to be done if things go wrong.
This brings us to the issue of user awareness. Any security system that depends
primarily on the user being secure is not a good one. When you have heterogeneity
among users, you are not going to have common skills or knowledge levels across
However, it is safe to assume that there is a basic minimum skill level in terms
of intent and cooperation. Beyond that, the system should be foolproof or idiot-proof
to some extent.
There should be automated ways of enforcing security, for
example enforcing password changes and testing password strength.
Auditing user habits is also important. With this, users who are being lax
can be identified and given special training.
Next is gauging the level of awareness among users. In many cases, people
do not realize the harm that can be caused by unauthorized access. The consequences
of letting system access fall into the wrong hands can be shown through
demos to drive the point home.