Business and Security: Two Sides of a Coin – Faraz Ahmed

by tapangarg on June 2, 2011

The author of this article, Faraz Ahmed, is the CISO & Head – Regional IT at Reliance Life Insurance.

“With great power comes great responsibility” – this adage rings true for security heads across organizations, big and small. The power to stop the business from carrying out activities perceived as threats to it comes with the great responsibility of educating the business on doing things the right, secure way.

User education has always been a challenging area for security professionals. Organizations use CBTs, games, quizzes, puzzles, prizes, and what have you to keep users in check. However, I believe the best way to bring about user education is to enable users to achieve their goals more efficiently; as a result, they come to appreciate the value that security processes add to the organization.

Robust risk assessment and business impact analysis are the stepping stones to a good security practice. Business users should be deeply involved in both – this enables them to understand both business and security concerns, and to jointly come up with solutions that meet the business objectives and help establish a security framework. In fact, these activities should be driven by the business, with IT & security acting as facilitators and expert solution providers who understand business concerns, optimize processes, and secure the business. After all, you can’t secure what you don’t understand! As information security matures, more and more security professionals realize that they need to change gears from being the techies to being business leaders first – without losing sight of the people, process and technology framework.

Further, in today’s information age, data is the fodder that fuels the business. Increasingly we have seen that current, up-to-date information helps organizations in decision-making. Business demands that information be made available in real time, outside the office boundaries, on mobile and hand-held devices. This is one of the most critical elements in today’s economy and is increasingly acknowledged by one and all. Depending on how it is addressed, this could be a security professional’s worst nightmare, or a once-in-a-lifetime opportunity to demonstrate to the business that technology can address their demands and yet secure corporate data, while complying with regulatory standards.

However, the question still remains – how do you secure access to information when you don’t know where it will be accessed from, via what medium, and, most importantly, by whom? Also, to make matters more difficult, you have a new-generation workforce which demands access not only to the internet but also to social networking and blogs, which were traditionally blocked by security professionals due to the inherent risks of Web 2.0 and the risk of data leakage.

I strongly believe that the answer lies in keeping it simple and focusing on the root cause – the people and the data – and putting in controls where they matter the most. Data should be classified and protected, with an appropriate framework in place for governing who has access to what information and what they can do with that information. Location-based access to data is still on my wish list, and I suspect it will become increasingly important as the penetration of 3G mobile phones and tablets increases with time.

Having dealt with the issue of data, we come to the trickier issue of people. And I must admit, there is no one-stop solution for this. You can tell them till the cows come home, but you cannot control gaming and chatting by the families of senior executives. Therefore, building social awareness is an integral part of this job profile, and educating your customers in a manner that conveys the responsibility they share for keeping organizational information safe will go a long way in achieving it.

This by no means undermines the importance of the traditional security approach of hardening systems, installing and updating antivirus and patches, firewalls, IPS, etc., as they are an important and necessary part of a sane and secure operating environment. After all, security is always multilayered and should cover all systems and networks that hold data, notwithstanding the extended organization boundaries. A good framework covers not only the end-user devices and data centers, but also the applications, databases, third-party entities, and individuals who have access to data. This flow should ideally be documented and reviewed periodically to keep track of any new touch-points that are introduced into the ecosystem by virtue of process change or new relationships.

The ability to continue doing business through incidents and disasters, and the capability of supporting the business in such an event, is extremely important today. BCP & DR allow us to do that. Here again, the security team must partner with the business to understand its risk appetite and help implement a framework and solutions that are in line with the business requirements. At the end of the day, security exists for the purpose of supporting the business; if the business does not exist, security will cease to exist. So, even at the most vulnerable times, rise to the occasion and bring out the best. Being prepared is the key!
