The CISO's role has moved from 'good to have' to 'must have'

With technology advancing and attackers becoming better organized, the number of security risks has increased manyfold. A report by Assocham says that India may touch a whopping figure of 300,000 attacks in 2015, almost double the figure for 2014. To get a broader perspective on the changing security landscape, Dataquest talks to Nadir Bhalwani, Director - Technology Operations & Information Security, CRISIL. Excerpts:

How has security information changed for your company and industry at large?
During the early days, information security was an IT initiative and there was not much involvement of business teams in information security related activities. But with the growing dependency of business activities on IT, information security has become more and more integrated into the company's overall environment. It is no longer just an IT initiative but has become one of the top priorities on the business agenda. Information security has evolved from being just firewall, proxy, antivirus, etc., management to risk management for all business units and enablers. It is not only about IT security but also includes process governance and human resource security.

How different do you think is the level of security you follow from a physical firm? What are the key differentiators?
There is a huge difference in the level of security compared with a physical firm. Given the fact that we deal with confidential data, our network is logically segregated based on the department. We have secured remote access via SSL VPN, and email communication with clients is via mandatory TLS. The user endpoint has anti-malware, DLP, and disk encryption to make sure data is not leaked. There is a proxy agent on endpoints which makes sure only legitimate websites are allowed.

How has been the security landscape changing with technologies like ISMAC (Internet-of-things, Social Media, Mobility, Analytics, Cloud)?
With the introduction of technologies like ISMAC, i.e., Internet-of-things, social media, mobility, analytics, cloud, information security is becoming more complex as each day passes. From the time of mainframes, which were operated by one user with proper physical security controls, to everyone having a smart device without any physical boundaries and connected to the Internet. The number of exposure points has increased tremendously, which in turn has increased the kind of security controls to be implemented. Also, with the advancement of technologies, the attackers are becoming smart, with an increase in complicated attack vectors being used for exploitation. All of the best practices should be leveraged while designing new technologies, like biometric security, logging and correlation, system hardening, use of secure protocols, timely upgrades, patches and fixes, etc.

In terms of deployment what kind of tools and solutions do you use to protect your infrastructure?
In terms of deployment in our environment, we have logical perimeter controls like firewalls in a 2-tier architecture, IPS devices in in-line mode, a web proxy for controlled Internet access and a mail gateway for secured mail. There is a load balancer implemented with reverse proxy services and SSL offloading enabled. For remote access, we have implemented SSL VPN with endpoint control features, and we also have Citrix XenApp implemented through the SSL VPN. From a user environment perspective, we have implemented endpoint protection, which also includes virus and spyware protection, proactive threat protection, network threat protection and network access controls. All laptops in our environment have endpoint encryption enabled, which encrypts the whole hard disk. To counter information leakage events, we have implemented a DLP solution on endpoints and also integrated it with the web proxy and mail gateway. We are also implementing a Security Incidents and Events Monitoring solution to proactively monitor and correlate security incidents and events from different devices and systems. In addition to the above, we are in the process of deploying a privileged identity management solution to monitor and control privileged users across the infrastructure.

How important is security in your overall IT spend?
Security is no longer looked at as an additional expense. It has a significant place in the technology budgets. It ranges from 10 to 15% of the IT budget depending on the strategic initiatives in that year.

What are the top three initiatives being taken by organizations to counter security threats?
Among the top three initiatives that we have taken as an organization are:
1. Implementation of Security incidents and Events Monitoring (SIEM) solution to proactively monitor, log and correlate security logs from different devices, applications, and systems.
2. Privileged identity management to monitor and control privileged users across the infrastructure.
3. Up-gradation of current DLP solutions to implement new features and support latest operating systems.

How has the CISO's role changed and evolved?
The CISO's role has never been more critical to the success of the organization. From a good-to-have function it has changed to a must-have function with clear goals. From a technical function to a business enabler giving strategic direction to the information security program.
The IS teams have grown from being glorified IT security administrators managing firewalls and doing other security ops and investigation to a function which looks at the organizational risks, on strategies for mitigation, business continuity, DR, etc. The CISOs now have a significant role in the organization and have access to the company board.
