Jury View
An enabler of business processes
According to Captain Felix Mohan, CEO, SecureSynergy, a security strategist is one who aligns infosec systems with business requirements and creates a process that is flexible and can be improved.
A good security strategy focuses on protecting and enabling a business. It maps to an organisation’s security programme and aims to help the business gain competitive advantage by leveraging information security best practices. A good security strategy encompasses governance processes, risk management, policies and procedures, security architecture, and security operations involving people, processes and technology to manage existing and emerging threats.
In addition to the various desirable attributes of a good security strategy mentioned, I personally approve of a security strategy that also aims to raise the level of organisational ‘security maturity’ through a formal enterprise-wide framework of continuous security process improvement.
Information security is a business problem that requires the same attention as any other business uncertainty—in terms of risk management. However, there is a marked tendency to focus largely on technical issues, with inadequate emphasis on risk management processes and governance. While protecting business processes, the security strategy should also meet the compliance requirements of the business, and encompass training, metrics and continuity strategies. The strategy should enable the business to gain competitive advantages and help it seize new opportunities by enhancing trust among stakeholders and by facilitating secure business operations over distributed and virtual environments.
The enforcement of security policy is effective only if employees perceive that top management is committed to ensuring its compliance. This commitment should be delegated to an individual or a team that would own responsibility and authority for the enforcement process within the organisation.
The policy should clearly spell out the expected behaviour, and the disciplinary actions depending on the type of violation. Stating the consequences of policy violations serves as a deterrent and ensures compliance. On the ground, enforcement requires an organisation-wide monitoring process to detect and investigate security violations.
A big part of enforcement involves effectively disseminating the ‘import of the policy’ across the organisation and educating employees—at the time of induction and periodically thereafter—on what the policy means and requires them to do. Employees must sign off, acknowledging that they have read and understood the policy.
Within three years, the Security Strategist Awards have become a benchmark for acknowledging the visionary contributions of top security professionals in the country. The award has also played a dominant role in spreading security awareness in the corporate sector.
This year, all the Security Strategist Award winners had well-defined security programmes that enlisted the active involvement of their company’s board and top management. Their security strategy was clearly risk-based and supportive of the business processes. They focussed on meeting business challenges—way beyond managing ‘technical issues’. They had a comprehensive security policy and a robust security architecture. On the ground, their strategy implementation aptly covered both physical and logical controls, providing assurance against existing and emerging threats.