By- Dhanya Thakkar, MD-Asia Pacific, Trend Micro
Over the past few years, I’ve been increasingly hearing the opinion being offered that security folks need a seat at the boardroom table. However, more often than not, this discussion usually takes place and is accepted within security circles. In reality, a lot of security specialists and their teams are still people who are hired to meet compliance needs, ensuring that companies do not breach any rules or regulations. To me, as a security practitioner, this situation indicates that a lot of upper management folks still don’t truly understand and appreciate the value of security in today’s changed business landscape.
WHY IS SECURITY SO IMPORTANT?
So then, what has changed that warrants security an elevated position within a company hierarchy? The biggest one over the past few years has to be the digitalization of our lifestyles, which then seeps into the way we do business. Today, as compared to five to ten years ago, almost everything I do involves a digital element. Instead of going to a bank branch, I can now do almost everything via online banking, even to the extent of opening a bank account. eGovernment portals allow me to pay my income tax online as well as access other critical government services without having to make a trip down. All this is great, as it promotes efficiency and cost savings. But for this to happen, the entire operation needs to be digitized.
Companies need more computing power and storage space to ensure that these online services are able to handle the humongous amount of data being exchanged, hence the shift to cloud computing and virtualization. And the integration of services both within and without means that data exchange needs to occur across platforms and silos. Which brings me back to the point about the role of security. In the past, it was relatively simpler to keep your data under lock and key—it was kept within the organization, stored in physical servers, and only exchanged under the strictest circumstances. Today, data is mainly stored in the cloud, giving access to thousands of users. It is precisely this change that makes an organization more vulnerable than ever to cyber criminals and the reason why we’ve seen a sharp spike in the number of high-profile attacks over the past few years.
The reality today is that cybercrime is organized, well-resourced, and agile. The black hats know where your weakest points are and are more than ready to exploit any security gap to steal your most sensitive data. In short, if you don’t have a comprehensive security strategy, you’re leaving yourself open to devastating attacks that can cripple your business. This is why security is now missioncritical.
One of the best ways to truly secure an organization is to offer a strategic security practitioner a seat at the toplevel of decision making. This usually comes in the form of a Chief Information Security Officer (CISO). By giving him or her this capacity, the CISO is able to counsel on how business initiatives can be impacted (in a good or bad way) by security issues. That said, it’s easier said than done to select a CISO as you can’t just pluck one out of thin air! A good CISO would usually possess some of the following capabilities:
- An understanding of how information security is an enabler for the business.
- Knowledge of risk management and compliance.
- Good communication skills and understanding of the language of business.
- Understanding of contracts and their security implications, ie, with cloud service providers, outsourcers, etc. A CISO needs to find security issues during the negotiation process and point them out to key stakeholders such as the legal department.
- Must possess leadership ability and should be able to plan and implement information security projects that are scalable along with the company growth.
- Should be able to identify and foresee new and
emerging threats and understand the key requirements of the technologies needed to deal with these threats.
Of course, hiring the CISO alone isn’t going to ensure that you can solve your security challenges right off the bat. The system and company mindset towards security is just as important in ensuring that security can be the business enabler for any organization that intends to thrive in the digital age.