One step at a time
Rai, Director, CERT-IN and ERNET, Ministry of Communications & IT, Department
of IT, Govt. of India, believes that a comprehensive security strategy cannot
be achieved overnight. It has to be planned and deployed systematically.
Planning for information security is a complex task. One has
to look at the nature of the work being carried out by the organisation, its
prospective plans, information assets to be secured, how long these need to
be secured, and what is the content (information) that has to be secured.
A good strategist plans his security strategy after considering
all these factors. While performing this task he has to ensure that whatever
he plans is carried forward, is compatible, and that the technology is available.
He should be able to implement it in a well-defined manner and as soon as possible
with the stress on simple operations. These are the principal components of
a good strategy. A CIO who plans after taking all these factors into account
is a good strategist.
The entire implementation of security strategy is process-oriented.
It is not manpower-intensive, but process-intensive. It cannot be done overnight,
but has to be planned and performed systematically. This is akin to building
a brick wall, one step at a time.
Information security involves more than technology; it
is a process. One has to follow the process, and keep the processes and logs
intact. This is essential to ensure that you can look back and check later if
required. In the case of information security, it happens that most of the time
you first see what you have implemented, improve on it, and then proceed.
Along with the technology and the processes, it is important
to stress user education in a good security strategy. User education is an
important component in implementing information security. If there is no trained
manpower or awareness in the area of information security, then the implementation
of security becomes difficult.
Firstly, the manpower needs to be trained to create a mindset
oriented towards information security. The need for information security, its
implementation and the overall vision have to be emphasised as part of an awareness
programme. Other factors to remember when doing this include the integration
of information security with e-governance, the organisation's philosophy,
nature of business, as well as future technology and business requirements.
Resources must be trained in all these requirements. Training in just one area
may not help. Comprehensive integrated training and manpower orientation towards
information security is essential.
The state of awareness about information security in India
is improving. Today, various requirements are being enforced and organisations
are slowly becoming aware of these.
The Security Strategist Awards are creating awareness and
competition among organisations to implement security practices. It is a good
effort that The Indian Express has undertaken. I appreciate The Indian Express
for initiating this kind of an award.
It will go a long way in proving and creating awareness of
information security in organisations. Institution of Security Strategist Awards
by The Indian Express will accelerate and catalyse the awareness about information
security in India.