SSA 2005
THE LORDS OF SECURITY STRATEGY
India’s top security strategists
Devising strategies to secure an
organisation is not an easy task. That’s why it takes an
exceptional security strategist to strengthen a
business’ security chain. The SecureSynergy Security
Strategist Awards 2005 is part of Network Magazine’s
ongoing endeavour to honour these architects of trust.
by Anil Patrick R.
Visionary, guide, leader, educator, change
manager, effective communicator, mitigator of risk,
enforcer, technologist. These are just some of the
attributes that a security strategist has to
have—qualities that help secure India Inc, mindsets that
devise all-round security strategies. So who is a
security strategist? What distinguishes a good security
strategy from the rest?
We need to explore the traits of these
outstanding intellects before we examine what
constitutes winning security strategies. These are
interconnected in nature, and examining one provides
insights about the other. First of all, is a security
strategist just the CIO/CTO? While this used to be the
case in the past, there is a clear shift towards
separate IT security teams headed by a Chief Security
Officer (CSO).
Organisations in the financial and
IT/ITES sectors have had this hierarchy for a while, but
now other verticals have also started following this
trend. The term ‘security strategist’ is also expanding
alongside to involve CSO-level designations.
Capt. Felix Mohan, CEO, SecureSynergy
Gulshan Rai, Director, CERT-IN & ERNET
Prasad Natu, GM, Shared Services, ITC
Arriving at the winners
To determine the winners of SecureSynergy Security
Strategist Awards 2005, Network Magazine appointed
IMRB as the award's Business Process Validator
(BPV). The BPV ensured that the process undertaken
to arrive at the SecureSynergy Security Strategist
Awards 2005 was fair and transparent.
Of the
110 applications received, the top three
contenders in each category were interviewed by
the jury panel consisting of a CIO and experts
from the information security domain. Each
category's winner was selected after interviewing
the top three nominees to analyse the following
parameters:
- Security policy and management
- Planning and administration
- Incident response mechanisms
- Contingency planning and disaster recovery
- Future vision
The
jury panel rated the winner based on a weighted
ranking mechanism developed by NM's editorial team
in consultation with IMRB.
Mark of a strategist
One of the first characteristics of a
security strategist is the clear understanding of all
business and security threats to his business. This
includes current as well as dynamically-evolving
threats—technical, business-related, and others.
Security strategies and initiatives
are ridden with external and residual risks. There is no
initiative which is completely risk-free, and security
strategists understand this. This is where an in-depth
grasp of security threats comes into play. Risk
management, and evaluation or mitigation of residual
risks, gets streamlined with a deep understanding of a
business and its associated threats.
Apart from this, a security strategist
is also an exceptional change manager. This is because
security initiatives involve discipline and a
considerable amount of change. By change management we
mean effecting changes not just in policies, processes
and systems but also in mindsets.
For example, putting security policies
in place means clamping down on a lot of user rights
that might not be gracefully accepted. A case in point
is the use of Internet access for checking personal
e-mail. Another example is compulsory physical frisking
to avoid the use of cell phones or USB drives in high
security areas. A security strategist’s skills lie in
enforcing these changes with minimal clashes with the
user community.
This is where the role of a security
strategist as the educator comes into play. Successful
security strategists believe in educating users through
awareness and ongoing training programmes. After all,
security initiatives are only as strong as the weakest
link—the user community. Empowering the users with
knowledge about the need for security strengthens the
entire organisational security initiative.
Winner - BFSI category: S Krishna Kumar, GM & CISO, IT Department, SBI
Winner - IT & ITES category: Mitish Chitnavis, AVP, Information Security, Mphasis
Winner - General Industries category: S Narayanan, Corporate Information Security Manager, HLL
Cut to the strategy
The organisational security strategy
is largely dependent on the security policy; a
well-documented security policy is the first step.
Documented policies are not enough if
they are not followed. Communicating policies to users
and ensuring compliance with the policy are crucial
mandates for a successful security strategy. This will
involve top-level management commitment as well as
strict monitoring. Top management should be the owners
of the security policy rather than the security team.
The IT department cannot control
organisation-wide information assets. This is why it is
important to appoint owners or custodians of information
assets across the organisation. Many organisations
assign these responsibilities to the individual section
or business heads.
Having a security steering committee
with representation from top management and business
managers to align security functions with business
objectives is one way to achieve the goals mentioned
above.
The entire user community should sign
Non-Disclosure Agreements (NDA) to ensure that they are
held responsible for the information that they handle.
Punitive measures for non-compliance also have to be in
place, which brings the HR department into the picture.
NDAs should also be signed with third parties to whom
organisational functions (security as well as others)
are outsourced.
The role of technology to plug
security leaks comes after this. Mechanisms such as
multiple levels of antivirus, firewalls, IDS/IPS, patch
management, access controls, encryption, and remote user
management are standard in today’s organisational
security. Certified security professionals should be in
charge of the security management functions.
Business continuity and DR mechanisms,
along with incident response mechanisms, are also
crucial elements of a well-rounded security strategy. DR
sites with periodic DR simulations have to be in
place.
Security Strategist Awards v3.0
In its third year, the SecureSynergy
Security Strategist Awards 2005 (SSA 2005) is an effort
to recognise and honour India’s best security
strategists. Instituted by Network Magazine in 2003, the
awards have become synonymous with recognition for
exceptional security strategies in the Indian
enterprise.
SSA 2005 was presented for three
industry categories. This year the categories were
Banking & Financial Services, IT & ITES, and
General Industries. A total of 110 applications were
received for SSA 2005. The winners were then chosen from
shortlisted nominees after an interview with an eminent
jury panel of industry experts. (See box, From the
final round, for the list of shortlisted
strategists.)
The jury panel for SSA 2005 consisted
of Prasad Natu, GM, Shared Services, ITC; Gulshan Rai,
Director, CERT–IN and ERNET; and Capt. Felix Mohan, CEO,
SecureSynergy. The nomination and judging process has
been examined in detail in the box, Arriving at the
winners.
Security Strategist Class of 2005
As has been the case during the past
three years, 2005 also witnessed tough competition among
India’s top security strategists. However, there can
only be one winner in each category, and the winners of
SSA 2005 are as follows.
- Banking & Financial Services
S Krishna Kumar, General Manager &
Chief Information Security Officer, Information
Technology Department, State Bank of India.
- IT & ITES
Mitish Chitnavis, Associate
Vice-president, Information Security, Mphasis.
- General Industries
S Narayanan, Corporate Information
Security Manager, Hindustan Lever.
The SSA 2005 Awards were presented to
the winners at Technology Senate 2005. The much
anticipated presentation ceremony was held on September
16, 2005 at Montien Riverside, Bangkok.
The time for SSA 2006
Over the years we at Network Magazine
have proudly witnessed how the Indian organisation has
evolved in terms of security. It feels like we are light
years away from the time when many an organisation would
not even have a basic information security policy—or
worse still, not even have heard of one.
With each year the SSA nominations (as
a whole) have become better in terms of the strategies
and policies. Many of today’s enterprises believe in
strong information security policies, and also in
enforcing these policies.
The realisation has dawned that there
is more to security than just technology. Organisations
are slowly getting over the ‘fortress syndrome’ of
having firewalls and IDS/IPS in place, and then thinking
that their security is up to the mark. Security is more
about active involvement from top business and the user
community.
Business involvement in information
security matters has increased as a result. While a
major part of this has to do with regulatory
issues as well, it is nevertheless heartening to see
active participation from top-level management. At
present, most organisations believe in security training
and ongoing awareness programmes for employees.
Today, many organisations have a
separate IT security team or a dedicated officer who
takes care of information security. This is a good sign
of increasing security awareness and preparedness for
the worst.
Now that 2005 is behind us, the race
has started to formulate and strengthen strategies to
become the Security Strategist of 2006. The clock is
ticking, gentlemen. May the best strategist win.
Banking & Financial Services
Murli Nambiar, Head, Information Security Group, AGM, ICICI Bank
Sanjay Sharma, Head, IT, IDBI Bank

IT & ITES
Ajay Soni, Senior Manager, IT-IMD, Patni Computer Systems
Viral Raval, Vice-president, Information Technology, Kale Consultants

General Industries
Anil Kumar Kaushik, Deputy General Manager, IS Application, Bharat Petroleum
Vijay S Mahajan, Head, IT Infrastructure and Facilities