
Dataquest on Banking: Two Sides of a Coin

DQI Bureau

In April this year, Bank of America announced the hiring of a new chief information security officer (CISO). This was part of a drive to boost security at the bank, which had come under several attacks, including one by a group of online activists that had managed to hack its internal email. A month later, a division of Sony reacted to a mammoth breach of the PlayStation Network by creating the position of CISO to fortify the protection of customer data.


In the not so distant past, the recruitment of an executive charged with ensuring information security would never have made headlines. Security was one part of the chief information officer's (CIO's) many responsibilities. Most CIOs in those days were technology specialists who possessed strong regional knowledge, built over years of experience in a certain geography or institution.

But all that changed dramatically, as progress in technology and its growing influence as a business enabler revamped the CIO's role and required that a person holding that position possess a strong understanding of the business issues.


At the same time, this advancement gave rise to commensurate risk on business, technological, and operational fronts, which could only be managed by a specialist professional operating at the highest level, or in other words, a CISO.

Differing Roles

As a big user of technology and a prime target of fraud, the financial services industry is understandably among the largest spenders on risk management, compliance, and security solutions. Today, most banks have well defined, independent organization structures to handle technology and technology security issues. The CIO is responsible for the bank's technology strategy and reports to the business head, namely the chief executive officer. The CISO is concerned with certain technological aspects, especially those pertaining to risk and compliance, and accordingly reports to the chief risk/compliance officer.


Like that of the CIO, the role of the CISO has also matured significantly in the last 5 to 7 years; today, the CISO job description transcends the nitty-gritty of firewalls and security administration and calls for looking at the bigger picture of business, operational, and technology risks faced by the bank. As trends such as outsourcing and cloud computing take hold and new threats emerge, the security lexicon has expanded to include disaster recovery, business continuity, and compliance awareness. Consequently, the present day CISO combines technical qualifications with audit, compliance, and risk management credentials; some even come with experience in intelligence operations! The change in CISO responsibilities marks a strategic shift, which is reflected by other developments, such as the emphasis on CISO compliance in Basel III regulations, and an emerging line of thought on risk and compliance that says that a bank's CISO must also be subjected to audit.

Today, both the CIO and CISO can claim an equal place at the table, and are an integral part of the team driving the bank's business. Unlike the early days, when the lines between pure technology and security often crossed, the two functions are now quite streamlined at most banking institutions, especially in the developed world. When technology and security work jointly on a project, such as the deployment of a new system, the roles are well demarcated: the CIO influences the choice of technology, but implementation falls within the CISO's domain. However, both their teams share the responsibility of documenting the associated processes and operations, monitoring them on a regular basis, and eliminating any weaknesses in the system.


The Indian Perspective

But despite the strides it has taken, the security function within Indian banks still faces many challenges. A report on the data security situation in the banking industry says that a number of CISOs are bogged down by operational issues, and are therefore unable to focus on strategic activities. It also highlights the lack of coordination between the bank's fraud management and security functions, weakening their defense against financial fraud. At many banks in India, security is still viewed as an IT function, and draws little participation from the business side.

On the positive side, business, compliance, and audit personnel are beginning to share some of the responsibility for security, which has traditionally been shouldered by the information security team. There is growing recognition of security as a strategic function, and its contribution to the sustenance of smooth business operations.


In its guidelines on information security, electronic banking, technology risk management, and cyber frauds issued in April this year, the Reserve Bank of India (RBI) has emphasized the need for a CIO in every bank, who can take ownership of the IT function, bring about alignment between business and technology, and share accountability for data governance. In the same document, the regulator has also recommended that banks appoint a senior level officer as CISO, responsible for developing and implementing policies for the protection of information assets as well as overseeing security related issues. Importantly, the guidelines state that the CISO must report directly to the bank's head of risk management, and not to the CIO, although the two may work together in areas of IT operations or security.

Future Outlook

With the maturing of their respective roles, the CIO and CISO are now expected to run their domains in CEO fashion. In other words, they must each expound a vision and mission for their part of the business, and create a set of operating principles, policies, and procedures to ensure effective and efficient operations. The key to managing these complex dynamics is to ensure that the bank's CEO, CIO, and CISO have a common vision and goals, and that the mission and guiding principles of their respective organizations are neatly aligned.


As the champion of risk management and the owner of the bank's security, the CISO must stay abreast of the latest developments in the rapidly evolving security industry. Only by doing so will the CISO be in a position to recommend the right measures for the organization, matching its tolerance for risk and its ability to invest resources. Going forward, the CISO will be expected to play a bigger role in strategic and operational policymaking and in shaping the future of the organization.
