India's top security strategists
Devising strategies to secure an organisation is not an easy
task. That's why it takes an exceptional security strategist to strengthen
a business's security chain. The SecureSynergy Security Strategist Awards
2005 is part of Network Magazine's ongoing endeavour to honour these architects
of trust. by Anil Patrick R.
Guide, leader, educator, change manager, effective communicator, mitigator of
risk, enforcer, technologist. These are just some of the attributes that a security
strategist has to have: qualities that help secure India Inc, mindsets that
devise all-round security strategies. So who is a security strategist? What
distinguishes a good security strategy from the rest?
We need to explore the traits of these outstanding intellects
before we examine what constitutes winning security strategies. These are interconnected
in nature, and examining one provides insights about the other. First of all,
is a security strategist just the CIO/CTO? While this used to be the case in
the past, there is a clear shift towards separate IT security teams headed by
a Chief Security Officer (CSO).
Organisations in the financial and IT/ITES sectors have had
this hierarchy for a while, but now other verticals have also started following
this trend. The term security strategist is also expanding alongside
to cover CSO-level designations.
Jury panel (photo captions): Capt. Felix Mohan, CEO, SecureSynergy; Gulshan Rai, Director, CERT-IN & ERNET; Prasad Natu, GM, Shared Services, ITC.
|Arriving at the winners
To determine the winners
of SecureSynergy Security Strategist Awards 2005, Network Magazine appointed
IMRB as the award's Business Process Validator (BPV). The BPV ensured
that the process undertaken to arrive at the SecureSynergy Security Strategist
Awards 2005 was fair and transparent.
Of the 110 applications
received, the top three contenders in each category were interviewed by
the jury panel consisting of a CIO and experts from the information security
domain. Each category's winner was selected after interviewing the top
three nominees to analyse the following parameters:
- Security policy
- Planning and
- Incident response planning and disaster recovery
- Future vision
The jury panel rated the
winner based on a weighted ranking mechanism developed by NM's editorial
team in consultation with IMRB.
Mark of a strategist
One of the first characteristics of a security strategist
is a clear understanding of all business and security threats to his business.
This includes current as well as dynamically-evolving threats: technical,
business-related, and others.
Security strategies and initiatives are ridden with external
and residual risks. There is no initiative which is completely risk-free, and
security strategists understand this. This is where an in-depth grasp of security
threats comes into play. Risk management, and evaluation or mitigation of residual
risks, gets streamlined with a deep understanding of a business and its associated
Apart from this, a security strategist is also an exceptional
change manager. This is because security initiatives involve discipline and
a considerable amount of change. By change management we mean effecting changes
not just in policies, processes and systems but also in mindsets.
For example, putting security policies in place means clamping
down on a lot of user rights that might not be gracefully accepted. A case in
point is the use of Internet access for checking personal e-mail. Another example
is compulsory physical frisking to avoid the use of cell phones or USB drives
in high security areas. A security strategist's skills lie in enforcing
these changes with minimal clashes with the user community.
This is where the role of a security strategist as the educator
comes into play. Successful security strategists believe in educating users
through awareness and ongoing training programmes. After all, security initiatives
are only as strong as the weakest link: the user community. Empowering the
users with knowledge about the need for security strengthens the entire organisational
Winner - Banking & Financial Services category: S Krishna Kumar, GM & CISO, IT Department, SBI
Winner - IT & ITES category: Mitish Chitnavis, AVP, Information Security, Mphasis
Winner - General Industries category: S Narayanan, Corporate Information Security Manager, HLL
Cut to the strategy
The organisational security strategy is largely dependent
on the security policy; a well-documented security policy is the first step.
Documented policies are not enough if they are not followed.
Communicating policies to users and ensuring compliance with the policy are
crucial mandates for a successful security strategy. This will involve top-level
management commitment as well as strict monitoring. Top management should be
the owners of the security policy rather than the security team.
The IT department cannot control organisation-wide information
assets. This is why it is important to appoint owners or custodians of information
assets across the organisation. Many organisations assign these responsibilities
to the individual section or business heads.
Having a security steering committee with representation
from top management and business managers to align security functions with business
objectives is one way to achieve the goals mentioned above.
The entire user community should sign Non-Disclosure Agreements
(NDA) to ensure that they are held responsible for the information that they
handle. Punitive measures for non-compliance also have to be in place, which
brings the HR department into the picture. NDAs should also be signed with third
parties to whom organisational functions (security as well as others) are outsourced.
The role of technology in plugging security leaks comes after
this. Mechanisms such as multiple levels of antivirus, firewalls, IDS/IPS, patch
management, access controls, encryption, and remote user management are standard
in today's organisational security. Certified security professionals should
be in charge of the security management functions.
Business continuity and DR mechanisms, along with incident
response mechanisms, are also crucial elements of a well-rounded security strategy.
DR sites with periodic DR simulations have to be in place.
Security Strategist Awards v3.0
In its third year, the SecureSynergy Security Strategist
Awards 2005 (SSA 2005) is an effort to recognise and honour India's best
security strategists. Instituted by Network Magazine in 2003, the awards have
become synonymous with recognition for exceptional security strategies in the
SSA 2005 was presented for three industry categories. This
year the categories were Banking & Financial Services, IT & ITES, and
General Industries. A total of 110 applications were received for SSA 2005.
The winners were then chosen from shortlisted nominees after an interview with
an eminent jury panel of industry experts. (See the box "From the final round"
for the list of shortlisted strategists.)
The jury panel for SSA 2005 consisted of Prasad Natu, GM,
Shared Services, ITC; Gulshan Rai, Director, CERT-IN and ERNET; and Capt.
Felix Mohan, CEO, SecureSynergy. The nomination and judging process is
examined in detail in the box "Arriving at the winners".
Security Strategist Class of 2005
As has been the case during the past three years, 2005 also
witnessed tough competition among India's top security strategists. However,
there can only be one winner in each category, and the winners of SSA 2005 are:
- Banking & Financial Services: S Krishna Kumar, General Manager & Chief Information Security
Officer, Information Technology Department, State Bank of India.
- IT & ITES: Mitish Chitnavis, Associate Vice-president, Information Security, Mphasis.
- General Industries: S Narayanan, Corporate Information Security Manager, Hindustan Lever Limited (HLL).
The SSA 2005 Awards were presented to the winners at Technology
Senate 2005. The much anticipated presentation ceremony was held on September
16, 2005 at Montien Riverside, Bangkok.
The time for SSA 2006
Over the years we at Network Magazine have proudly witnessed
how the Indian organisation has evolved in terms of security. It feels like
we are light years away from the time when many an organisation would not even
have a basic information security policy, or worse still, would not even have
heard of one.
With each year the SSA nominations (as a whole) have become
better in terms of the strategies and policies. Many of today's enterprises
believe in strong information security policies, and also in enforcing these
The realisation has dawned that there is more to security
than just technology. Organisations are slowly getting over the fortress
syndrome of having firewalls and IDS/IPS in place, and then thinking that
their security is up to the mark. Security is more about active involvement
from top business and the user community.
Business involvement in information security matters has
increased as a result. While a major part of this has a lot to do with regulatory
issues as well, it is nevertheless heartening to see active participation from
top-level management. At present, most organisations believe in security training
and ongoing awareness programmes for employees.
Today, many organisations have a separate IT security team
or a dedicated officer who takes care of information security. This is a good
sign of increasing security awareness and preparedness for the worst.
Now that 2005 is behind us, the race has started to formulate
and strengthen strategies to become the Security Strategist of 2006. The clock
is ticking, gentlemen. May the best strategist win.
|From the final round
Banking & Financial Services
- Head, Information Security Group, AGM, ICICI Bank
IT & ITES
- Senior Manager, IT-IMD, Patni Computer Systems
- Vice-president, Information Technology, Kale Consultants
General Industries
- Anil Kumar Kaushik, Deputy General Manager, IS Application, Bharat Petroleum
- Vijay S Mahajan, Head, IT Infrastructure and Facilities