Security business analyst – a role whose time has come
For effective information security, India Inc requires security business analysts. These should be people who understand security, technology and the business.
In the good old days, just over a decade ago, when mobile phones were a rarity and home computers still an expensive luxury, there also was no such position as “Business Analyst” in the Indian enterprise. The exercise of requirement gathering for development of software was then carried out by technical people – software engineers, system analysts, and such like. This often resulted in a situation where the software developed did not meet business needs. There was a gap between what business wanted and what was delivered by the technical people.
Thus was born the business analyst — a position and role within Indian IT companies as well as user organizations, with the responsibility to bridge the gap between business and IT. Responsibilities of a business analyst include gathering requirements, documentation and devising plans for testing these requirements. The business analyst acts as a liaison between the IT department and user departments.
The time has now come to go beyond this generalized role and create another specialized position – that of a business analyst in the area of information security, a security business analyst. This new security business analyst would exist either within the information security department or as part of a particular business function; liaise between the information security department and other user departments.
Why this recommendation for a security business analyst? This is essentially because information security has failed. Here are the numbers: Global spending on information security is around $60 billion, yet monetary losses due to data breaches still amount to around $1 trillion, according to McAfee. Very clearly, there is a gap between information security and business. Information security is not delivering what the business needs.
Here’s where the security business analyst comes in; someone who understands various information security technologies — firewalls, antivirus, IRM, DLP, DMS, USB protection, and so on — yet is not so bogged down by technology as to not comprehend the business’ information security requirements.
Currently, the gap that exists is huge, often a seemingly uncrossable chasm. For instance, an Indian pharmaceutical company found that the molecules it invented were being manufactured by a competitor. Clearly, somebody was stealing information. It would require a security business analyst to spot such a problem and recommend a solution, which would then be implemented by the information security team. In this case, the pharmaceutical company chose an information rights management (IRM) solution to ensure that new research information remains confidential.
Sometimes, the security solution may not be technological in nature, but process oriented. An important ministry of the Government of India was faced with the possibility of secrets being leaked — perhaps to unfriendly nations, due in some measure to smartphones. While the information security staff came up with great solutions in the area of BYOD, it took an intermediary to point out that there was no way the ministry could permit staff to bring any device, including the simplest mobile phone, into the ministry offices. Here the exigencies of security were so critical, that no available security technology was good enough.
The security business analyst should ideally be a business person in technology, rather than a technical person in business. An understanding of security technology would be essential, but security business analysts would not necessarily have to execute or implement those technologies themselves.
A manufacturing organization was planning to move to cloud computing. Business saw reasons to move, IT found reasons not to. It took an intermediary, admittedly not a called security business analyst, to convince the IT team to slowly, yet steadily move to cloud.
A security business analyst can suggest combinations of various security technologies to enable protection of information, once he/she establishes that a single solution is not adequate. For instance, a financial investing company had to integrate its DLP with an IRM solution. Such out-of-the-box thinking to mix and match solutions is difficult, if not entirely impossible, for people too wrapped up in technology. You need a person with some knowledge of technology and a lot of knowledge of business. A security business analyst, verily!
This new role of security business might well help Indian enterprises save Crores of Rupees in potential losses due to breaches of security. The business analyst has proved to be invaluable; in the days ahead, so too, undoubtedly, will the security business analyst.
About the author: Prabhakar Deshpande is a seasoned IT professional with strengths in project management, business analysis, marketing and journalism. He works for Seclore Technology as a product evangelist.
