As security within the enterprise grows more complex, a new class of security professional has emerged. The role of the CISO has evolved to become more strategic within the enterprise rather than that of a mere security specialist. In industries such as banking and insurance, the trend has shifted and many top IT managers have opted for security as a career.
Security Challenges
Some of the most pertinent security challenges that the financial and insurance sectors have faced in the past include identity theft and phishing, threats related to Internet banking, regulatory compliance, monitoring of internal and external threats, the need for an information security framework and, finally, securing financial applications and the network perimeter.
According to Kamal Sharma, CIO, Mindlance, "In BFSI, IT security has been
very critical and sensitive. Apart from this, in other verticals also where data
transactions and business process attributes are high in volume, information
security has emerged as a vital function."
Says HK Mahindru, CISO, Punjab National Bank, "Till recently the emphasis for IT was to implement the functionality and automate the manual process involving the information. Business management was interested in the MIS and the decisions were based on how early the information was made available. A famous example is the Internet. The Internet was designed for communication and exchanging information through mails, and no security feature was envisaged in its development." He adds that with the unearthing of security issues and emerging threat vectors, however, managing and maintaining the current systems have become a major challenge. He adds, "The CIOs now see good career prospects in securing the information rather than maintaining the information. The three pillars of information security, CIA (Confidentiality, Integrity, Availability), are seen as a must for any IT application."
Apart from these security challenges, one key challenge, and a trend found especially in the banking and insurance sector, is that most CISOs do not report directly to top management, and that different levels of hierarchy continue to interfere with a CISO's efforts. That is one key concern which needs considerable attention.
Says Patrick Kishore, general manager, IT, and CISO (Information Security Department), State Bank of India, "In banking and insurance there is greater awareness of information security and this probably is the reason for IT managers to branch off into this area. The increasing threat landscape also is sensitizing IT managers to take up the role of information security." He also adds that IS audit should be kept apart from the CISO's role as well as IT operations, and should provide independent assurance to management.
Banking on a CISO?
Most CISOs believe that information security is no longer just an IT issue but a business issue. A CISO needs to work closely with business unit leaders, legal, HR, Internal Audit, Compliance, Physical Security, Privacy Officers, and other risk managers to develop a comprehensive approach to managing the risks associated with the information assets of the enterprise. The CISO has to ensure that organizational security is being implemented, and would also be involved in critical decisions affecting everything related to security. Says Kamal, "Along with IT infrastructure, information security is in innovation phase too, where CISOs and CIOs are curbing challenges and bringing more sophisticated systems in place. We will also see the time shortly where we will talk about information security and business integration on corporate levels becoming more precise and the need of the hour. The trend is also supported by CIOs'/IT managers' exposure to IT security in the current model, where they are executors of the policies, hence it comes easy for them to switch into the CISO role dedicatedly."
Adds Patrick, "CISO must have functional independence from IT, otherwise business and time-to-market will always defeat security, since CIOs are more business-oriented. As a best practice, Information Security should be part of the organization's Risk Management process. However, since Risk is still an emerging area, Information Security can be part of the IT department to enable and implement Security but distinct and functionally independent of IT Operations."
Pros and Cons for a CISO
Pros:
- Risk management and information security become a core competency.
- Centralization and participation at organizational level for the information security department.
Cons:
- Increased budget and a perimeter model focused more on restricted business operations.
- Often not integrated with CIOs. Many CISOs struggle to talk "business".
Says HK Mahindru, CISO, Punjab National Bank, "A key role for a CISO in the
organization is to approve and monitor projects very proactively for security
issues, review and approve sourcing strategies for select or all IT activities
including in-sourcing and outsourcing, review adequacy of resources and
allocation in terms of time, personnel and equipment, ensure roles and
responsibilities including IT management in all activities, and provide
oversight of all process assurance functions and plans for integration."
Pros and Cons for a CIO doubling up as a CISO
Pros:
- Efficient budget and easy deployment of the information security process into IT management, since the CIO controls both.
- A CIO doubling up as CISO will assist in better foresight over investments, strategy and vision for integrated information security and IT management.
Cons:
- A CIO doubling up as CISO would need to develop a lateral mindset, unlike the traditional focus on technology and operations alone.
- Non-compliance with the trend of having specialized C-level executives. Increased complexity of the CIO role might lead to decisions that are not up to the mark. Overburdened CIO.
To that Mahindru adds, "CIO doubling up as CISO will be violating the segregation of duties as one has to make the information available as well as devise processes to secure them too. He will act as maker and the checker, thus may lead to compromising the security aspects in order to make the information workable."
What Explains the Trend?
Says Mahindru, "IT should not only help to achieve but extend organization's strategy and objectives. It should help by efficiently and effectively deploying secure, reliable information and applied technology. It should help in applying best practices to embed accountability into the enterprise, leading to the achievement of the business value." Says Kamal, "A clear picture of CISO has evolved more seeing increasing need for the development of comprehensive programmes on information security. Today businesses face a huge challenge with respect to data security, which has made the CISO role a key one in the organization."
CIOs vs CISOs
Says Mahindru, "CIOs need to monitor performance and institute appropriate action to achieve desired results as far as Information is considered. CIO should receive the appropriate management information from IT department, user department and the audit to coordinate and monitor the organization's information resources effectively. CIOs should institute processes to integrate Information with business objectives, review long and short range plans of the organization and how the information could leverage it." Adds Kamal, "There are a lot of pros and cons for a CISO and a CIO doubling up the role of a CISO. While risk management and information security become a core competency for a CISO, we also see a trend where there is an increased budget and perimeter model that focuses more on restricted business operations." While a CIO doubling up as CISO will assist in better foresight over investments, strategy and vision for integrated information security and IT management, he would also need to develop a lateral mindset, rather than the traditional focus on technology and operations alone.
A Strategist
CISOs will not only be able thinkers but also strategists, and will implement what is needed. A CISO aligns the information security strategy of an organization with its business goals and initiatives. That makes the CISO's function more strategic. The role of a CISO has to go beyond being an IT security policy leader.
Conclusion
A large part of the enterprise world, and especially the banking and insurance sector, has either appointed or is in the process of appointing a CISO who will have less responsibility for day-to-day security operations and a higher-level role in making strategic business decisions. The role of a CISO would vary between organizations; however, he would ultimately be responsible for setting the strategic direction of the organization's information security. In an industry such as banking and insurance, the role of a CISO would be to educate the C-level executives to help ensure adequate funding for information security. Interestingly, many CISOs argue that as threats to information security grow and data storage proliferates, the role of a CISO would evolve and become more important in an organization.
Onkar Sharma
onkars@cybermedia.co.in