Relevance of Generalists vs Specialists in Enterprise Security Management

By Vishwanath Nair, Head of Information Security and Risk, Western Sydney Local Health District

Vishwanath Nair, Head of Information Security and Risk, Western Sydney Local Health District

WHY:

Currently, the medical industry is facing a major issue where there are more specialists than general practitioners by a ratio of nearly 2:1.

Below are some impacts due to this issue:

• Absence of Strong Relationships leading to lack of Strong doctor-patient relationship; Comprehensive & Continuous care; Better Management of Chronic conditions; Promotes healthy Lifestyle

• Medical care becomes more extrinsic, tactical and less effective

• Imbalance often devalues the work of family doctors

This leads to more temporary and non-personal medical care which for a patient cannot be sustaining and reduces trust in the services in the long term.

Likening it to a Corporate environment, a business leader could be viewed as the patient. Like the patient, a business leader has multiple inputs from experts including IT Service Management, Cyber Security, Operational and Financial Risk teams. These are in addition to the Demand and Account management functions.

Enterprise Security itself opens multiple discussion lines like Cyber risks, Audit findings, Cyber Security Technology Debt and Resilience. Each of them represent key aspects of the protective and preventative measures essential for effective business operations. Also, they are sources of huge amount of data points and potential points of failures.

This incoherent communication and management leads to potential financial, operational and reputational impacts caused by:

• Misdirected or Failed Strategies

• Loss of Trust across the Organisation

• Lack of Standardization

• Loss of key resources

Needs of the business are truly simple.

• Timely advise on:

1. Applicability and compliance relevant Operational Policies and Regulations

2. Assurance and partnership as new business strategies are launched

3. Assurance and partnership as Mergers and Acquisitions proceed

• Single window of risks and with associated impact in simple business terms and outcomes

• Timely transactional analysis to identify dependencies, critical paths and alternate paths

• Clear, Precise and Unambiguous business reporting with suggestions on mitigating risks with information to support prioritisation

• Early warning signals providing situational awareness and guide planning

WHAT:

To ensure success and effective performance of Enterprise Security and Governance a major change of approach is required. A new function of Trusted Advisors need to be created for this changed approach. These Trusted Advisors could be the bridge between Enterprise Security management and business units.

Key capabilities required for this role are:

• Ability to steer risk based decision making by complementing technical risks with business impacts

• Be able to provide inputs in risk vs. opportunity discussions

• Have an optimum mix of both technical and business knowledge to be able to provide sound recommendations

• Function as an insulating layer between various Enterprise Security and Governance units and the business operations

• Program manage process and technology improvement initiatives to meet quality and budgetary requirements

Value of Trusted Advisor can be explained by the following example.

Consider the scenario when one of your business unit plans for Digital Transformation of their key processes. The Security Trusted Advisor can enable this outcome in the various stages of the program as below.

Phase	Outcome delivered	Security Value add
Strategy Conception and Formulation	Opportunity Stakeholder expectations Objectives Proof of Concept	Security as a USP
Strategic Planning	Identify Regulatory Constraints Plan for ROI Scenario Planning	Provide inputs on Applicable regulations Inputs on Security trends for Scenario planning and ‘What if?’ discussions
Resource Allocation	Resourcing Planning Dependency analysis Cost Analysis	Security validation of tools and technology Identify Technology debt for existing solutions
Strategy Implementation	Revising Feasibility studies Finalising plans	Establish Security and Privacy by Design Establish transactional security and resilience including if required continuous availability Include early warning signs to support agility Translate metrics to business outcomes
Strategy Review and Ongoing Operations	Benefit Realization KPI/ KRI Monitoring Continuous Improvements	Implementing real time metrics and self-healing measures business outcomes based reporting

HOW:

A Trusted Advisory can be implemented in one of three ways or a combination.

Options	Benefits	Drawbacks
Groom a Champion from within each business unit	Higher business knowledge Better buy-in with business owners More adept to translate in terms of business outcomes	May lack technical knowledge and susceptible to be led by tech teams Would need support analyst team forenabling tech details
Trusted Advisor from IT	Higher tech knowledge Will be able to articulate Tech Risk more correctly	Would need to learn business processes Would need to cultivate relationships across business
Obtain the skills from the market	Faster turnaround due to experience Leverage learning and reduce rates of failure	Would need to learn business processes Would need to cultivate relationships across business and IT

Each organisation and its dynamics are unique and must adopt the most feasible approach as per its own set up.

CONCLUSION:

In this fast-moving world of agility and close business-IT partnerships, there is more need for a collaborative approach to solve business problems and risks. Establishing a Trusted Advisory function helps deliver below benefits:

• Business Aware Decision Making

• Effective Detection Controls

• Automatic Compliance

• Resource Optimization

• Continuous Improvements