The case for secure strategies
What are the barriers that a CIO needs to tide over before he can become a successful Security Strategist?
Captain Felix Mohan
CEO, SecureSynergy Pvt. Ltd.
A comprehensive security strategy aims at leveraging best
information security practices to improve business performance. People, processes
and technology are the core elements of the strategy.
The security strategy aligns these elements with the business to assure a secure
information environment and provide competitive advantages. The capability
to structure such a strategy successfully is what makes a Security Strategist.
The making of a Security Strategist
The Security Strategist has the vision to conceptualize a comprehensive security
strategy for the organization, and the skill to obtain management buy-in. With
this, the Security Strategist supports business strategy, attains competitive
advantages through proactive information risk management, and enhances trust
relationships between the organization and its stakeholders.
It is important for the Security Strategist to be trained in business and technology
management disciplines. An MBA is preferable, for competencies in fields like
investment appraisal, financial assessment, cost-benefit analysis and project
management, as is a security management certification like CISM.
The Security Strategist should be a competent communicator with good relationship-building
and collaboration skills. He needs a fair understanding of the law relating to information
security, and of HR. And he should possess integrity and character.
While the Security Strategist is mainly a management catalyst who leverages
information security to gain business objectives, a broad overview and understanding
of the technical aspects of information security as it applies to computer systems,
networking, telecom, cryptography, and software will help formulate and implement
security strategy better.
However, the Security Strategist does not require granular bits-and-bytes or
hands-on knowledge of the technical aspects of information security: those
skills are ample among subordinate specialists or consultants.
Getting past roadblocks
The biggest challenge for the Security Strategist is obtaining management commitment
and adequate resource allocation for the security program. While it is understood
that improved information security will reduce business risk, to top management
that is strapped for funds, information security is often 'yet another cost'.
The traditional method of relying on the FUD (Fear, Uncertainty, Doubt) factors
to sell information security to the management will not do. The justification
has to be in terms of the positive value that information security would bring
to the organization, rather than in terms of the negative loss resulting from
The other challenge
The other big challenge for the Security Strategist is the lack of awareness
of information security matters among people (board, management and
employees alike). Since the ultimate owners, custodians and users of information
are people, they are vital links in the success of the organizational security strategy.