An enabler of business processes
To Captain Felix Mohan, CEO, SecureSynergy, a security strategist is
one who aligns systems with business requirements and creates a process that
is flexible and can be improved.
A good security strategy focuses on protecting and enabling
a business. It maps to an organisation's security programme and aims
to help the business gain competitive advantage by leveraging information security
best practices. A good security strategy encompasses governance processes, risk
management, policies and procedures, security architecture, and security operations
involving people, processes and technology to manage existing and emerging threats.
In addition to the various desirable attributes of a good security strategy
mentioned, I personally approve of a security strategy that also aims to raise
the level of organisational security maturity through a formal enterprise-wide
framework of continuous security process improvement.
Information security is a business problem that requires attention, as any other
business uncertainty would, in terms of risk management. However, there
is a marked tendency of focussing largely on technical issues with an inadequate
emphasis on risk management processes and governance. While protecting business
processes, the security strategy should also meet compliance requirements of
the business, and encompass training, metrics and continuity strategies. The
strategy should enable business to gain competitive advantages and help seize
new opportunities by enhancing trust among stakeholders and by facilitating
secure business operations over distributed and virtual environments.
The enforcement of security policy is effective only if employees
perceive that the top management is committed to ensuring its compliance. This
commitment should be delegated to an individual or a team that would own responsibility
and authority for the enforcement process within the organisation.
The policy should clearly spell out the expected behaviour, and the disciplinary
actions depending on the type of violation. Stating consequences of policy violations
serves as a deterrent, and ensures compliance. On the ground, enforcement requires
an organisation-wide monitoring process to detect and investigate security violations.
A big part of enforcement involves effectively disseminating the import
of the policy across the organisation and educating employees, at
the time of induction and periodically thereafter, on what the policy means
and requires them to do. Employees must sign off, acknowledging that they have
read and understood the policy.
Within three years, the Security Strategist Awards have become a benchmark for
acknowledging the visionary contributions of top security professionals in the
country. The award has also played a dominant role in spreading security awareness
in the corporate sector.
This year, all the Security Strategist Award winners had well-defined security
programmes that enlisted active involvement of their company's board and
top management. Their security strategy was clearly risk-based and supportive
of the business processes. They focussed on meeting business challenges, way
beyond managing technical issues. They had a comprehensive security
policy and a robust security architecture. On the ground, their strategy implementation
aptly covered both physical and logical controls, providing assurance against
existing and emerging threats.