WHY WE NEED THE CISO?

With organizations’ growing vulnerability to cyber threats, security is critical and demands the presence of professionals and a C-level executive at the front who knows what it takes to be the ‘agents of shield’ for their organization

Dataquest - FRONT PAGE

As data breaches get bigger and messier than ever, security is no longer just another function that can be put on the back burner. With the explosion of digital devices, cyber threat looms large not just outside the enterprise premises but very much within it.

Massive security mishaps like the recent Sony hack and Target cyber attack have startled and shaken up many organizations once again to take a reality check on their own security strategies. “Cyber attacks are moving to organized crimes and those backed by nation-states. The threat is more real and closer than it was four-five years ago,” says Devendra Parulekar, Partner Risk Advisory Services and India Head of Cyber Security, Ernst & Young. It is interesting to see that such instances are triggering a tremendous interest around the whole issue and the people responsible for the security function are getting under the scanner. Of all things, there is a significant change taking place. The head of information security, most often called ‘the CISO’, is now a very important guy, one who is being heard and increasingly sought after, more than ever.

Security until now has been more of an afterthought and strategies have been reactive. But the rising instances of data threats and leakages have exposed organizations’ growing vulnerability to security issues and are forcing them to take serious measures. Cyber security is hence being pushed up the corporate agenda. According to PWC’s Global State of Information Security Survey 2014, executives are elevating the importance of security and are heeding the need to fund enhanced security activities.

The threat landscape is changing rapidly and a lot of focus is on ensuring information security compliance and building and enhancing security policies in line with new kinds of threats. “Issues arise not just from threat of external attacks but also security and privacy concerns that arise from business initiatives such as big data, cloud, etc and employee behaviours (for example, using personal devices or consumer cloud services for work purposes),” says Heidi Shey, Analyst Serving Security & Risk Professionals, Forrester Research.

It is also being acknowledged that data security has become too complex and evolved to be constrained within the IT department and requires dedicated resources. “With increasing pressure to secure data and keep cyber attacks at bay, it is now imperative for a company to take information security out from the limited scope of the IT department to the board level,” says Rajeev Suman, Pierre Audoin Consultants (PAC), a global market research and strategic consulting firm for the software and IT services industry.

As security becomes a core agenda and gets more aligned to business objectives, the need for C-level security executives at the board is being accepted. “Security is generally an afterthought, but it is extremely important for CISOs to be involved from the early stages in the business strategy, information systems architecture and all projects,” suggests Parag Deodhar, Chief Risk Officer and Senior Vice President, Bharti AXA General Insurance.

Today enterprises are data-driven and any kind of outage or threat can result in huge losses and at times can even destroy businesses. If something goes wrong, people at the top will be answerable. Alan Rodger, Senior Analyst, Enterprise ICT Management and Infrastructure Solutions, Ovum, points out, “Today, company boardrooms are debating and asking to be informed about security exploits on a regular basis. When major security breaches do happen, CEOs may get fired due to the damage to business reputation.”

On a brighter note, the CISO’s role is becoming more strategic and their opinions are being heard. The CISO is no longer viewed as just the technology guy. “The CISO is seen as a leader securing organizations’ information assets from known and unknown threats,” says Sivarama Krishnan, Partner, IT Risks and Controls, PWC India. CISOs are also part of strategic initiatives and have a say in decisions impacting overall business. They are also equipped to drive larger resources. This is reflected in the security budgets being allocated by organizations worldwide. The PWC security survey states that security budgets averaged $4.3mn in 2014, going up 51% from 2012.

Till some time back, the security function was more often clubbed with the CIO’s role and treated as an additional responsibility for him. This is changing as organizations realize that the security function is too vast and needs to be looked at differently. Shey says, “The CIO and CTO each have their own agendas to support the business, and to ask them to also be responsible for security on top of their other responsibilities is asking for trouble.” Moreover, managing security is a big, full-time job. Unfortunately, this realization comes mostly after the damage is done. “Often following a major data breach, we hear that the breached organization did not have a CISO and that they are creating it as a new role post-breach,” adds Shey. Even technology heads or CIOs appreciate the presence of CISOs and find their roles complementing each other. “The CIO relies upon the CISO for advice and guidance, while the CISO depends upon the CIO for support, resources, and priorities. This is a key connection that’s vital to the success of the firm,” believes Kalyan Kumar, SVP & Chief Technologist, Infrastructure Services, HCL Technologies.

In many organizations information security is considered part of IT, and CISOs report to the CIOs, while it is also being argued that information security actually goes beyond ‘IT’ and includes other aspects like physical information assets, outsourced partners etc. Therefore the reporting line should be different. “Ideally CISOs must be part of the second line of defence, that is the risk management function. In my opinion, this will ensure that there is no conflict of interest,” opines Deodhar.

Despite the growing thrust on security, the CISO’s role is still not understood clearly most of the time. It is a daunting task to convince organizations to adopt stringent security practices. In most cases, the security function is seen as something deterring or inhibiting business growth.

Here CISOs have a challenging and important role to play in demonstrating the value of strong security strategies as well as in striking the right balance between securing the business and allowing the desired level of flexibility. “In order to achieve this delicate balance, CISOs need to focus more on form (outcomes) rather than structure. They need to ensure agility and compliance while establishing security solutions,” advises Krishnan.

It is important for organizations to know, and for security leaders to demonstrate, that data protection is indispensable to business growth and sustenance. It will also require deep business acumen and an understanding of the risk appetite and overall business objectives on the part of CISOs to prove that security is an enabler and not an inhibitor. As Parulekar says, “While driving a car, it is the presence of brakes that allows you to accelerate. Similarly, strong security systems allow businesses to accelerate the pace of growth.” In the event of something going wrong, you know someone is there to prevent, detect and correct it.

The CIO and CTO each have their own agendas to support the business. Together, the CIO, CTO, and CISO can make better decisions about technology, security, and risk for the business

—Heidi Shey, Analyst Serving Security & Risk Professionals, Forrester Research

In today’s age, information security requires the CISO to have direct access to the board and C-level executives to align the need of information security to overall corporate strategy

—Rajeev Suman, Senior Analyst, Pierre Audoin Consultants (PAC), a global market research and strategic consulting firm for the software and IT services industry

The CISO role is needed in order to inform board-level discussions about security, and take a lead in implementing a business-oriented approach to security and risk management

—Alan Rodger, Senior Analyst, Enterprise ICT Management and Infrastructure Solutions, Ovum

Many organizations equate information security with IT security and hence CISOs are part of the IT team and report to CIOs. However, IT security is only a subset of information security

—Parag Deodhar, Chief Risk Officer & Senior Vice President, Bharti AXA General Insurance

The CISOs, part of the organizational C-suite, are today involved in strategic planning and discussions and measured on organization-level outcomes and not technology-linked outcomes alone

—Sivarama Krishnan, Partner, IT Risks & Controls, PwC India

Most large organizations have dedicated CISOs; smaller ones will have to take a call on whether they need a full-time CISO or not. We have seen organizations outsourcing the security function as well

—Devendra Parulekar, Partner Risk Advisory Services and India Head of Cyber Security, Ernst & Young

The job responsibility of the CIO and CISO makes them strategic partners responsible for achieving organizational mission and strategies

—Kalyan Kumar, SVP & Chief Technologist, Infrastructure Services, HCL Technologies
