Jaankari se jaagruti tak – from awareness to alertness

by amarinder on September 10, 2011

An article by Shobitha Hariharan, CCA and CISO, Shoppers Stop

Often, regulatory compliance fuels information security (info-sec) practices in organizations. In the absence of external pressures, the triggers could include questions raised by internal or external auditors, client requirements, and the accumulation of quick fixes or inadequate, case-specific, one-time resolutions. These make it necessary to introduce global information security best practices into the organization.

Recently, a few enterprises faced info-sec breaches. The reputational and financial damage they suffered highlights the need to focus on information security as an essential part of business. There is a need to stitch together a security approach and policy, which can be applied across enterprise functions. For large organizations, a common baseline for all the different business verticals is a good starting point.

For a comprehensive info-sec implementation, people, process, and technology need to be aligned. People are the weakest link – not because they are unaware of data security requirements in general, but because of the gap between ‘jaankari’ [awareness] and ‘jaagruti’ [alertness]. An engaging and sustained awareness program helps them understand the need for appropriate security measures. However, this requires consistent effort over the long term.

The reference point for security implementation is usually a suitable ISO standard or a more stringent set of controls. While these standards provide a list of ‘good to haves’, the rigidity of enforcement and the ‘must haves’ are industry-specific.

Regulatory compulsion and the need to get and remain certified are business continuity requirements and mandate all recommended controls. Therefore, it is vital to take a hard look at the business goals and the existing business processes before undertaking the actual implementation. Further, streamlining the critical processes across a few locations and teams helps define the ‘scope’ for applying the controls. This contains the flow of critical information, and facilitates concise documentation and review practices that are essential for evidencing the existence of periodic checks and balances.

Security standards typically specify threshold levels for certification. Smaller companies, where certification may not be mandatory, need to diligently carry out periodic self-assessments and take remediation measures where required. Moreover, in the absence of external pressures, organizations may tilt more towards bringing discipline and efficiency to business processes and ensuring a high level of awareness of info-sec policies.

Key learnings from my experience

Engage expert consultants. At the outset, the right kind of assistance is crucial. A consultant who brings in domain expertise and best practices, and blends them with the organizational culture, is essential for the success of the initiative. The Information Security leader is then a project coordinator across business verticals and functions. Of course, the security officer continues to drive the security program as part of the internal team.

Engage with business users and application owners at the ground level. Implementation on the ground helps info-sec best practices become part of the organization’s DNA. Wherever possible, information security should be built into business processes. Making the effort to understand and appreciate the business users’ work encourages consultative interaction and keeps the security team informed. This in turn can infuse acceptable practices into the process.

Compliance versus risk reduction. The information security function is regarded as the ‘enforcer’ who tells people what they ‘can’t’ do, and is often viewed as an ‘auditor’ who is out of sync with the mundane requirements of running a business. It is important to communicate to business users and technology teams alike that adhering to globally accepted norms is less about compliance and more about reducing avoidable risk. Collaboration between business users, the functional leads, and the technology team enables user-friendly business processes that are less person-dependent. Technology thus becomes the enabler of a well-integrated environment.

Insecurity. Coordination between the technology and business operations teams, mediated by functional experts who are fully aligned to info-sec practices, helps bring down feelings of irritation and insecurity. Regular open dialogues and participation in business processes eliminate unnecessary restrictions under the guise of security best practices; this goes a long way in creating a better working environment for employees. Elucidating the value/benefit of the risk mitigation steps helps drive this home.

As in any business process reengineering exercise, information gathering is a crucial step here, because it leads to informed decision-making. One also needs to know intuitively when to hold fast and when to let go, and to have the conviction to see the program through. Winning friends and influencing people helps in building better collaborative relationships.

Communicate…engage…communicate is the mantra!
