
Why do we need the CISO?

With cyber threats getting bigger, C-level security executives have a big role to play as the ‘agents of shield’ for their organization.

Smita Vasudevan

As data breaches get bigger and messier than ever, security is no longer just another function that can be put on the back burner. With the explosion of digital devices, cyber threat looms large not just outside the enterprise premises but very much within it.


Massive security mishaps like the recent Sony hack and Target cyber attack have startled many organizations into taking a reality check on their own security strategies. “Cyber attacks are moving to organized crimes and those backed by nation-states. The threat is more real and closer than it was four-five years ago,” says Devendra Parulekar, Partner, Risk Advisory Services and India head of Cyber Security, Ernst & Young. It is interesting to see that such incidents are triggering tremendous interest in the whole issue, and the people responsible for the security function are coming under the scanner. Amid all this, a significant change is taking place. The head of information security, most often called ‘the CISO’, is now a very important person, one who is being heard and sought after more than ever.

Security until now has been more of an afterthought, and strategies have been reactive. But the rising instances of data threats and leakages have exposed organizations’ growing vulnerability to security issues and are forcing them to take serious measures. Cyber security is hence being pushed onto the corporate agenda. According to PwC’s Global State of Information Security Survey 2014, executives are elevating the importance of security and are heeding the need to fund enhanced security activities.

The threat landscape is changing rapidly, and a lot of focus is on ensuring information security compliance and on building and enhancing security policies in line with new kinds of threats. “Issues arise not just from the threat of external attacks but also security and privacy concerns that arise from business initiatives such as big data, cloud, etc. and employee behaviours (for example, using personal devices or consumer cloud services for work purposes),” says Heidi Shey, Analyst Serving Security & Risk Professionals, Forrester Research.


It is also being acknowledged that data security has become too complex and too far evolved to be constrained within the IT department, and that it requires dedicated resources. “With increasing pressure to secure data and keep cyber attacks at bay, it is now imperative for a company to take information security out of the limited scope of the IT department to the board level,” says Rajeev Suman of Pierre Audoin Consultants (PAC), a global market research and strategic consulting firm for the software and IT services industry.

As security becomes a core agenda item and gets more aligned to business objectives, the need for C-level security executives on the board is being accepted. “Security is generally an afterthought, but it is extremely important for CISOs to be involved from the early stages in the business strategy, information systems architecture and all projects,” suggests Parag Deodhar, Chief Risk Officer and Senior Vice President, Bharti AXA General Insurance.

Today enterprises are data-driven and any kind of outage or threat can result in huge losses and at times can even destroy businesses. If something goes wrong, people at the top will be answerable. Alan Rodger, Senior Analyst, Enterprise ICT Management and Infrastructure Solutions, Ovum, points out, “Today, company boardrooms are debating and asking to be informed about security exploits on a regular basis. When major security breaches do happen, CEOs may get fired due to the damage to business reputation”.


On a brighter note, the CISO’s role is becoming more strategic and their opinions are being heard. The CISO is no longer viewed as just the technology person. “The CISO is seen as a leader securing the organization’s information assets from known and unknown threats,” says Sivarama Krishnan, Partner, IT Risks and Controls, PwC India. CISOs are also part of strategic initiatives and have a say in decisions impacting the overall business. They are also able to command larger resources. This is reflected in the security budgets being allocated by organizations worldwide: the PwC security survey states that security budgets averaged $4.3M in 2014, up 51 percent from 2012.

Until recently, the security function was more often folded into the CIO’s role and treated as an additional responsibility. This is changing as organizations realize that the security function is too vast and needs to be looked at differently. Shey says, “The CIO and CTO each have their own agendas to support the business, and to ask them to also be responsible for security on top of their other responsibilities is asking for trouble.” Moreover, managing security is a big, full-time job. Unfortunately, this realization comes mostly after the damage is done. “Often following a major data breach, we hear that the breached organization did not have a CISO and that they are creating it as a new role post-breach,” adds Shey. Even technology heads and CIOs appreciate the presence of CISOs and find their roles complementing each other. “The CIO relies upon the CISO for advice and guidance, while the CISO depends upon the CIO for support, resources, and priorities. This is a key connection that's vital to the success of the firm,” believes Kalyan Kumar, SVP & Chief Technologist, Infrastructure Services, HCL Technologies.

In many organizations information security is considered part of IT, and CISOs report to the CIO. It is also argued, however, that information security actually goes beyond ‘IT’ and includes other aspects like physical information assets, outsourced partners and so on, and that the reporting line should therefore be different. “Ideally CISOs must be part of the second line of defence, that is, the risk management function. In my opinion, this will ensure that there is no conflict of interest,” opines Deodhar.

Despite the growing thrust on security, the CISO’s role is still not clearly understood most of the time. It is a daunting task to convince organizations to adopt stringent security practices. In most cases, the security function is seen as something deterring or inhibiting business growth. Here CISOs have a challenging and important role to play in demonstrating the value of strong security strategies, as well as in striking the right balance between securing the business and allowing the desired level of flexibility. “In order to achieve this delicate balance, CISOs need to focus more on form (outcomes) rather than structure. They need to ensure agility and compliance while establishing security solutions,” advises Krishnan.

It is important for organizations to know, and for security leaders to demonstrate, that data protection is essential to business growth and sustenance. It will also require deep business acumen and an understanding of the risk appetite and overall business objectives on the part of CISOs to prove that security is an enabler and not an inhibitor. As Parulekar says, “While driving a car, it is the presence of brakes that allows you to accelerate. Similarly, a strong security system allows businesses to accelerate.” In the event of something going wrong, you know someone is there to prevent, detect and correct it.
