Building Security Capabilities in Corporations

Siva Sivasubramanian, Global Chief - Security, Airtel

Introduction
With businesses embracing digitization and automation, the Internet of Things (IoT) on the anvil, virtualization and cloudification rampant, business and technology rapidly coalescing, IT and network technologies fast converging, and all of this coupled with a chronic shortage of deployable cybersecurity professionals, the challenge of building a strong security organization is only becoming more acute.

Studies and surveys in this area tend to call out discrete factors such as the nature of threats faced, lack of budgetary allocations and the reactive ways of working of the security apparatus as those that hamper effective security organizations. These surveys tend to illuminate the facets of the iceberg above the water and fail to examine the problem holistically or call out the problems hidden out of sight. Notable among those hidden factors are: (a) the security culture of the corporation, (b) executive over-dependence on technology and (c) the shortage of core security skills in the market.

This article discusses three core factors one must consider in building effective security capabilities in corporations.

Understanding the Security Culture
Security culture is how corporations practice security. One can observe that most businesses view security as an impediment to business agility and as a cost to the business that is controllable if not avoidable. A corporation's security culture is quite different from its corporate culture, risk appetite or risk tolerance, although all of these do influence it.

The best place to start would be the Internal Audit reports, especially those relating to security. One is sure to find a few security issues getting fixed as soon as they are raised and quite a few appearing year after year. This analysis will indicate the touch points of the management in responding to security issues. The corporation may readily solve issues that could be addressed through technology and go soft on issues requiring process or people changes. It may be tolerant of particular types of risks or risk consequences; these may be very orthogonal to the stated policies and standards.

When building security organizations, recognizing this corporate mindset is fundamental. Once the mindset is known and understood, one develops a strategy of converting the poachers into gamekeepers. Such a strategy should be crafted to suit the given situation, and executing it is a long game.

Over-dependence on technology
The paradigm that problems are solved through the triangulation of People, Process and Technology has been drilled into the executive psyche, yet when a new problem arises executives reach for technology solutions. It is far easier to defend a technology strategy in the boardroom than a people mindset change or process improvements, for these are not as snazzy as technology. Besides, the technology vendors are doing an excellent selling job in piping the messages of technologies into the ears of the executives that matter, and they are amply supported by the youthful techies who love the adrenaline rush that the adoption of new technologies provides. Therefore, fighting technology with process is a sure loser.

The security organizations must embed process improvements and people education along with technology deployment as a total solution. With systematic process improvements and ground level people education and awareness, security culture and capabilities can be nurtured in the corporation organically. Also, the security organization must know how to position security requirements in business speak as operational and risk items for the business to action. This is an exercise of mindset change among the executive corps of the corporation, a long journey for the security manager in building a robust security organization.

Core Skill Sets
Traditionally, experienced IT professionals from domains such as IT administration, DBA, application development or networks moved into security and qualified themselves with security certifications and on-the-job training. Such interdisciplinary skill sets help in understanding a problem contextually and holistically.

Today we get cybersecurity graduates from both engineering and science colleges; besides, graduates from other disciplines are highly aware of cybersecurity. The main drawback of these graduates is their lack of understanding of ground-level IT and networking practices. Since they don't understand the IT ecosystem of corporations, they have to be trained on the different facets of IT, which is a very involved exercise.

To develop skills in a security organization, there has to be a conscious mix of domain experts and pure-play security graduates, and both must be encouraged to get educated in the adjacent domains, for it is this knowledge that helps in troubleshooting problems. Employees must be rotated across tasks and assigned specially created projects to develop new skills. With the right mix of seasoned experts and high-octane freshers, coupled with special knowledge-building projects, a 'learning' security organization can be built.

Customers will always move to the future rather than stay in the past. It is the customer's choice of the processes by which to interact and transact business with the company that determines the security risk the company must manage. Since a corporation's security requirements are constantly changing in line with the changing demands of the customer, building effective security capabilities in a corporation is a journey and not a destination.