Relevance of Generalists vs Specialists in Enterprise Security Management

Vishwanath Nair, Head of Information Security and Risk, Western Sydney Local Health District

Vishwanath Nair, Head of Information Security and Risk, Western Sydney Local Health District


Currently, the medical industry is facing a major issue where there are more specialists than general practitioners by a ratio of nearly 2:1.

Below are some impacts due to this issue:

• Absence of Strong Relationships leading to lack of Strong doctor-patient relationship; Comprehensive & Continuous care; Better Management of Chronic conditions; Promotes healthy Lifestyle

• Medical care becomes more extrinsic, tactical and less effective

• Imbalance often devalues the work of family doctors

This leads to more temporary and non-personal medical care which for a patient cannot be sustaining and reduces trust in the services in the long term.

Likening it to a Corporate environment, a business leader could be viewed as the patient. Like the patient, a business leader has multiple inputs from experts including IT Service Management, Cyber Security, Operational and Financial Risk teams. These are in addition to the Demand and Account management functions.

Enterprise Security itself opens multiple discussion lines like Cyber risks, Audit findings, Cyber Security Technology Debt and Resilience. Each of them represent key aspects of the protective and preventative measures essential for effective business operations. Also, they are sources of huge amount of data points and potential points of failures.

This incoherent communication and management leads to potential financial, operational and reputational impacts caused by:

• Misdirected or Failed Strategies

• Loss of Trust across the Organisation

• Lack of Standardization

• Loss of key resources

Needs of the business are truly simple.

• Timely advise on:

1. Applicability and compliance relevant Operational Policies and Regulations

2. Assurance and partnership as new business strategies are launched

3. Assurance and partnership as Mergers and Acquisitions proceed

• Single window of risks and with associated impact in simple business terms and outcomes

• Timely transactional analysis to identify dependencies, critical paths and alternate paths

• Clear, Precise and Unambiguous business reporting with suggestions on mitigating risks with information to support prioritisation

• Early warning signals providing situational awareness and guide planning


To ensure success and effective performance of Enterprise Security and Governance a major change of approach is required. A new function of Trusted Advisors need to be created for this changed approach. These Trusted Advisors could be the bridge between Enterprise Security management and business units.

Key capabilities required for this role are:

• Ability to steer risk based decision making by complementing technical risks with business impacts

• Be able to provide inputs in risk vs. opportunity discussions

• Have an optimum mix of both technical and business knowledge to be able to provide sound recommendations

• Function as an insulating layer between various Enterprise Security and Governance units and the business operations

• Program manage process and technology improvement initiatives to meet quality and budgetary requirements

Value of Trusted Advisor can be explained by the following example.

Consider the scenario when one of your business unit plans for Digital Transformation of their key processes. The Security Trusted Advisor can enable this outcome in the various stages of the program as below.


Outcome delivered

Security Value add

Strategy Conception and Formulation

  • Opportunity
  • Stakeholder expectations
  • Objectives
  • Proof of Concept
  • Security as a USP

Strategic Planning

  • Identify Regulatory Constraints
  • Plan for ROI
  • Scenario Planning
  • Provide inputs on Applicable regulations
  • Inputs on Security trends for Scenario planning and ‘What if?’ discussions

Resource Allocation

  • Resourcing Planning
  • Dependency analysis
  • Cost Analysis
  • Security validation of tools and technology
  • Identify Technology debt for existing solutions

Strategy Implementation

  • Revising Feasibility studies
  • Finalising plans
  • Establish Security and Privacy by Design
  • Establish transactional security and resilience including if required continuous availability
  • Include early warning signs to support agility
  • Translate metrics to business outcomes

Strategy Review and Ongoing Operations


  • Benefit Realization
  • KPI/ KRI Monitoring
  • Continuous Improvements
  • Implementing real time metrics and self-healing measures
  • business outcomes based reporting



A Trusted Advisory can be implemented in one of three ways or a combination.




Groom a Champion from within each business unit

  • Higher business knowledge
  • Better buy-in with business owners
  • More adept to translate in terms of business outcomes
  • May lack technical knowledge and susceptible to be led by tech teams
  • Would need support analyst team forenabling tech details

Trusted Advisor from IT

  • Higher tech knowledge
  • Will be able to articulate Tech Risk more correctly
  • Would need to learn business processes
  • Would need to cultivate relationships across business

Obtain the skills from the market

  • Faster turnaround due to experience
  • Leverage learning and reduce rates of failure
  • Would need to learn business processes
  • Would need to cultivate relationships across business and IT

Each organisation and its dynamics are unique and must adopt the most feasible approach as per its own set up.


In this fast-moving world of agility and close business-IT partnerships, there is more need for a collaborative approach to solve business problems and risks. Establishing a Trusted Advisory function helps deliver below benefits:

• Business Aware Decision Making

• Effective Detection Controls

• Automatic Compliance

• Resource Optimization

• Continuous Improvements

Read Also

Future Of Cyber Security: Responding To Threats With Confidence

Future Of Cyber Security: Responding To Threats With Confidence

Bernard Gavgani, Group CIO, BNP Paribas
Meeting the Cybersecurity Challenge

Meeting the Cybersecurity Challenge

Scott Self, CIo, Tennessee Valley Authority
Navigating the Storm of CVEs

Navigating the Storm of CVEs

Yonesy Núñez, Chief Information Security Officer, Jack Henry & Associates
Building a Comprehensive Industrial Cyber Security Program

Building a Comprehensive Industrial Cyber Security Program

Mohamad Mahjoub, CISO, Veolia Middle East
Building Untrusted Networks to Improve Security

Building Untrusted Networks to Improve Security

Earl Duby, Vice President and CISO, Lear
Security challenges that companies face when implementing telehealth and the solutions and best practices for managing the risks

Security challenges that companies face when implementing...

Stefan Richards, Chief Information Security Officer, CorVel Corporation