Jury View

One step at a time

Gulshan Rai, Director, CERT-IN and ERNET, Ministry of Communications & IT, Department of IT, Govt. of India, believes that a comprehensive security strategy cannot be achieved overnight. It has to be planned and deployed systematically .

Planning for information security is a complex task. One has to look at the nature of the work being carried out by the organisation, its prospective plans, information assets to be secured, how long these need to be secured, and what is the content (information) that has to be secured.

A good strategist plans his security strategy after considering all these factors. While performing this task he has to ensure that whatever he plans is carried forward, is compatible, and that the technology is available. He should be able to implement it in a well-defined manner and as soon as possible with the stress on simple operations. These are the principal components of a good strategy. A CIO who plans after taking all these factors into account is a good strategist.

The entire implementation of security strategy is process-oriented. It is not manpower-intensive, but process-intensive. It cannot be done overnight, but has to be planned and performed systematically. This is akin to building a brick wall, one step at a time.

Information security involves more than technology—it is a process. One has to follow the process, and keep the processes and logs intact. This is essential to ensure that you can look back and check later if required. In the case of information security, it happens that most of the time you first see what you have implemented, improve on it, and then proceed.

Along with the technology and the processes, it is important to stress on user education in a good security strategy. User education is an important component in implementing information security. If there is no trained manpower or awareness in the area of information security, then the implementation of security becomes difficult.

Firstly, the manpower needs to be trained to create a mindset oriented towards information security. The need for information security, its implementation and the overall vision have to be emphasised as part of an awareness programme. Other factors to remember when doing this include the integration of information security with e-governance, the organisation’s philosophy, nature of business, as well as future technology and business requirements. Resources must be trained in all these requirements. Training in just one area may not help. Comprehensive integrated training and manpower orientation towards information security is essential.

The state of awareness about information security in India is improving. Today, various requirements are being enforced and organisations are slowly becoming aware of these.

The Security Strategist Awards are creating awareness and competition among organisations to implement security practices. It is a good effort that The Indian Express has undertaken. I appreciate The Indian Express for initiating this kind of an award.

It will go a long way in proving and creating awareness of information security in organisations. Institution of Security Strategist Awards by The Indian Express will accelerate and catalyse the awareness about information security in India.