Designation: CISO, Essar Group
- Architect of Essar Group’s information security documentation and effective governance initiatives
- Author of BYOD and merger/integration manuals at Essar
- Behind Essar’s massive lineup of security initiatives
- Instrumental in the DLP and NAC implementations and in Essar’s bid for IDAM by 2013
Manish Dave has a straightforward mantra for security – bring all the stakeholders aboard for every security exercise. Dave is of the opinion that, ultimately, it is the stakeholders who will determine whether a project is successful or not, and security can only be as strong as the weakest link. Dave joined Essar in February 2010 in the capacity of delivery manager for IT security. He took up the mantle of Group CISO in Feb 2011.
Dave’s legacy at Essar began with drafting its information security policy manual, which was adopted by the entire group in May 2010. This was an effort to remediate the lack of documented guidelines and frameworks that had existed at Essar up to that point. He found that while the security controls at Essar were more or less in place, governance was missing. Dave carried out a control assessment against ISO 27001, COBIT and ITIL, on the basis of which the security policy document was drafted.
Dave has also authored Essar’s mergers and acquisitions integration handbook. He also created a robust exception approval policy, under which the CEO of the respective business vertical has to approve all exceptions. In every case, the CEO is apprised of the risk before he decides. A nominated risk committee member then cross-verifies the exception request before final approval.
In 2011, Essar’s security manual was revised and made comprehensive by listing domain-wise roles and responsibilities within the Group. Given that his policies are based on ITIL and ISO 27001, Dave says Essar is at around 70% readiness if a bid were to be made for ISO 27001 certification, which he expects to rise to 90% in the next six months.
The security organization at Essar is complex. Security comes under the CTO’s office, along with several other sub-divisions. Security innovations and projects are split between two teams in this department, with security operations coming under Essar's Global Shared Service IT Support group. Dave is responsible for complete oversight of security in all divisions. He himself reports to the group CIO, with a dotted reporting line to the head of group assurance and cost control. Dave’s function is to identify and highlight risk, propose remediation, and oversee the entire security function. Implementation and operations are carried out by the aforementioned teams, making Dave’s role purely strategic.
Dave has also drafted a BYOD policy for Essar, which is currently under review, bringing in an enterprise-wide provision for one smart device per employee. He will not be rushing through this project, he says, since it comes with a steep learning curve.
Essar’s DLP solution went live in January 2011. Dave has kept the DLP in monitor mode until such time as he can acquire an IDAM solution and integrate it with the DLP. Essar has also successfully implemented a NAC solution for its network.
Among numerous other projects, Essar is in the process of implementing WAN encryption to secure its massive internal network, expected to go live by April 2012. Essar is also rolling out a network change, configuration and compliance management (NCCCM) solution for network device hardening. Dave is looking at deploying an SSL VPN solution for Essar’s global locations soon. For the future, Dave is planning to push through PGP-based email encryption, and is bidding for an IDAM solution in the next financial year in addition to a SIEM-based SOC in 2012-13.