Role, Responsibilities and Methodologies in the Next Decade.


Transcript of Role, Responsibilities and Methodologies in the Next Decade.

Page 1: Role, Responsibilities and Methodologies in the Next Decade.


Page 2: Wrong Impression about Security

• The word "security" - the passion-killer.

• Talk about "risk" and "compliance" and "governance" and the view is that it's much easier to get business buy-in.

• Talk about "security" and it is considered to belong in the small security cabins or to involve people checking passes at the main entrance.

Page 3: Wrong Impression about Security

• Most companies today continue to think that the role of security is primarily to protect against threats, not to help facilitate business and stimulate growth.

• Simply put, companies continue to think of security initiatives as "how to keep out the bad guys" rather than "how to let in the good guys." But the good guys must be allowed in for any business to thrive.

Page 4: Paradigm Shift in a Decade

• There is a change from security being viewed as a nuisance to being viewed as an enabler.

• “Those companies that do security well will be the organizations people choose to do business with.”

Page 5: Is security really a business enabler?

• You can’t go far in the security profession these days without hearing about it.

• This idea appears to some as nothing more than the “concept du jour.”

• Their argument: for a function to be a “business enabler” it should directly contribute to the revenue stream of the business, not indirectly participate as part of the total business.

Page 6: Is security really a business enabler?

• Security is a business enabler as much as every other function within an organization.

• Security is more of an enabler than a healthy, clean work environment is as a productivity issue.

• It should not be taken as something created as a sales tool by security product vendors, consultants, or the large security magazines.

Page 7: Is security really a business enabler?

• Security is inextricably linked to innovation in the business world, which requires understanding risk and security initiatives that support the business.

• “Security should encourage people’s confidence that they can take a risk, and the way to do that is to understand the risk of any initiative … in the context of what the vulnerability might be [caused].”

• So it's about understanding vulnerability up front, understanding the probability that that vulnerability will be somehow exploited, and we need to mitigate it while understanding what the consequence might be.

Page 8: Is security really a business enabler?

New Look –

• So it's just a different way of thinking about security where you have a problem, you react and you fix it.

• It causes a spiraling effect, and you're always attempting to solve yesterday's problem.

• So if you get ahead of it, you understand the risk up front and you can take that risk with a lot more confidence because you've done things to mitigate it.

Page 9: Advice to Security Managers

• Nothing wrong in admitting that we "do security" because we have to. Too often security professionals try to justify costs by presenting vague ROI figures or metrics. The problem with this is that the finance director will laugh your ROI data out of his office! If you want to convince your management then you have to cut out the techie chat.

The key points are that we need to -

• Take a risk-based approach

• Focus on business needs

• Talk the language of the business

• Don’t make wild statements about cost savings and ROI

• Work to reduce costs

• Put risk assessments into context

• Present a decent set of meaningful security metrics

Page 10: The Range of Security Duties - Next Decade

• Security’s strategic alliances within the organization

• Boundary Management - develop relations with the media, public, law enforcement, fire departments, and other security organizations.

Page 11: The Range of Security Duties - Next Decade

• Conceptual Planning - Security analysts interface with architects to ensure that security features, such as electronic surveillance systems and access control systems, are included at the design stage itself.

• Management of Risks, Emergencies & Disasters - these tasks include risk identification, risk analysis, risk reduction, and program evaluation.

Page 12: The Prognosis

• Security is to make functionality possible in line with our compliance requirements and to reduce risk to an acceptable level …

• … thereby 'enabling' the business units to do business in a more controlled fashion.

Page 13

By: Capt S B Tyagi

For a copy of this presentation, write to -

[email protected]@gail.co.in