The case for secure strategies

	What are the barriers that a CIO needs to tide over before he can become a successful Security Strategist?
Captain Felix Mohan CEO, SecureSynergy Pvt. Ltd.

A comprehensive security strategy aims at leveraging best information security practices to improve business performance. People, processes and technology are the core elements of the strategy.

The security strategy aligns these elements with the business to assure a secure information environment and provide competitive advantages. And the capability to successfully structure the policy makes a Security Strategist.

The making of a Security Strategist

The Security Strategist has the vision to conceptualize a comprehensive security strategy for the organization, and the skill to obtain management buy-in. With this, the Security Strategist supports business strategy, attains competitive advantages through proactive information risk management, and enhances trust relationships between the organization and its stakeholders.

It is important for the Security Strategist to be trained in business and technology management disciplines, and preferably have an MBA for competencies in fields like investment appraisal, financial assessment, cost-benefit analysis, project management, and a security management certification like CISM.

The Security Strategist should be a competent communicator and have good relationship-building and collaboration skills. He needs a fair understanding of law related to information security, and HR. And, he should posses integrity and character.

Technology knowledge

While the Security Strategist is mainly a management catalyst who leverages information security to gain business objectives, a broad overview and understanding of the technical aspects of information security as it applies to computer systems, networking, telecom, cryptography, and software will help formulate and implement security strategy better.

However, the Security Strategist does not require granular bits-and-bytes or hands-on knowledge of the technical aspects of information security—those skills are ample among subordinate specialists or consultants.

Getting past roadblocks

The biggest challenge for the Security Strategist is obtaining management commitment and adequate resource allocation for the security program. While it is understood that improved information security will reduce business risk, to the top management that is strapped for funds, information security is often 'yet another cost'.

The traditional method of relying on the FUD (Fear, Uncertainty, Doubt) factors to sell information security to the management will not do. The justification has to be in terms of the positive value that information security would bring to the organization, rather than in terms of the negative loss resulting from security incidents.

The other challenge

The other big challenge for the Security Strategist is the lack of awareness on matters regarding information security among people (board, management and employees alike). Since the ultimate owners, custodians, and users of information are people, they are vital links in success of the organizational security strategy.