www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
22 November 2004  

CXO Accent

Maintaining a proactive approach to change

Prof Sivakumar

What makes a security strategist? He should be an educator and enforcer with a proactive attitude to managing change while treading the fine line between requirements vs costs, says Prof Sivakumar

Security is a rapidly-changing field. Nothing is permanent in enterprise security, and it is not enough to know just technology. This is why a security strategist (SS) also has to be a change management expert. Enterprise systems have to be designed for change in order to be secure. They should not be rigid but adaptive in nature, so the security policy or framework should also have the ability to adapt; it has to be modular in nature for this.

Proactive approach

If changes are made in part of the policy, it should be clearly visible how they affect other sections. A successful SS should be able to anticipate these dependencies, and diagram and manage changes suitably. You cannot afford to be reactive in these cases. The need of the hour is to be proactive and have constant readiness, so you have to be up-to-date and plan the changes before you make them.

Fine balance

It is necessary to identify the people with the required skills, and keep them ready in advance. This should be done without upsetting routine operations.

All said and done, security is an overhead for normal companies. It is never a prime business except for companies which have intellectual property at stake. The management will prefer not to spend a lot on security in most cases. This is why it is necessary for the strategist to convince the management. An SS should have the ability to make the management realise the importance and value of security and getting things done without scaring them. This is easy to say, but hard to do.

Up-to-date with knowledge

An SS has to plan for the worst, and keep users informed about how to deal with such situations. For this, it is necessary to do dry runs, experiments and drills regularly. These help keep everyone in the organisation aware of what has to be done if things go wrong.

This brings us to the issue of user awareness. Any security system that depends primarily on the user being secure is not a good one. When you have heterogeneity among users, you are not going to have common skills or knowledge levels across all users. However, it is safe to assume that there is a basic minimum skill level in terms of intent and cooperation. Beyond that, the system should be foolproof to some extent.

There should be automated ways of enforcing security, for example, checking for passwords that have not been changed and testing password strength. Auditing user habits is also important. With this, users who are being lax can be identified, and special training can be given to them.

Next is tracing consciousness levels among users. In many cases, people do not realise the harm that can be caused by unauthorised access. The consequences of letting system access fall into the wrong hands can be shown by using demos to drive home the point.

Prof Sivakumar is head of the department of computer science & engineering, IIT (Mumbai)

© Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.