Security is a full-time role, says Sundar Ram Gopalakrishnan, VP, Technology, APAC and Japan, Oracle. He advises that once organisations grow beyond a certain size and level of complexity, they need a full-time CISO: someone who understands security with all its ramifications, not just someone promoted from another domain to fill the shoes. In conversation with Biztech2.com, he delves into the criteria for selecting the CISO, and also explains why CEOs need to start worrying about IT risk and governance.
Some golden rules from a security policy perspective.
An organisation needs to identify what it is that it really wants to protect – is it the data, the applications, access to resources, or whatever is most critical in their case. I would argue that most often it would be access to the database, because that’s really where the crown jewels are, though it could vary in specific situations. Having identified that, do a heat chart wherein you have different colour signals for the portions of data and infrastructure at the highest risk and lowest risk. Make an assessment of where your highest risks are, and what the downside is if something goes wrong there. And then make informed choices around that.
Besides the heat charting, you also need to define the governance model. A governance model, for instance, defines, if a new application is being introduced into the infrastructure, what criteria need to be satisfied before those applications can be introduced, and what security rules this application must adhere to in order to ensure that it doesn’t violate the principle of, let’s say, abstracting out into different layers. Those are some of the things that go into the governance model.
It is important to consider here that a unified security policy which covers both structured and unstructured information is going to hold the key. Lastly, but most importantly, it’s not enough to define a policy as a one-time activity, as every few months things change. Hence, define the frequency with which you will do the re-assessments. As part of an overall architecture review board, having a security review on a periodic basis becomes critical.
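As an added illustration of the heat-charting and re-assessment steps described above (this is example code written for this page, not code from the interview or from Oracle), the following Python scores a small asset register by likelihood times impact, assigns each asset a heat-chart band, ranks the assets by score, and flags any whose defined re-assessment interval has lapsed. The band thresholds, the 1–5 scales, the asset names, scores, dates and intervals are all constructed assumptions, not data from the page.

```python
"""Risk heat chart for a small asset register.

Added example (not from the interview): each asset is scored by
likelihood x impact on 1-5 scales, mapped to a heat-chart band, ranked,
and checked against the re-assessment frequency defined by policy.
All asset names, scores, dates and intervals are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed band thresholds on the 1..25 score space: score >= 15 is red,
# >= 8 is amber, anything else is green. A real policy would set its own.
BANDS = [(15, "red"), (8, "amber"), (1, "green")]


@dataclass(frozen=True)
class Asset:
    name: str
    category: str            # e.g. "database", "application", "access"
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible downside) .. 5 (severe downside)
    last_reviewed: date      # date of the last security review of this asset
    review_interval_days: int = 90   # re-assessment frequency set by policy


def risk_score(asset: Asset) -> int:
    """Likelihood x impact; rejects scores outside the 1..5 scales."""
    for value in (asset.likelihood, asset.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"{asset.name}: score {value} outside 1..5")
    return asset.likelihood * asset.impact


def heat_band(score: int) -> str:
    """Map a score to its heat-chart colour using the BANDS thresholds."""
    for threshold, colour in BANDS:
        if score >= threshold:
            return colour
    raise ValueError(f"score {score} below the lowest band")


def reassessment_due(asset: Asset, today: date) -> bool:
    """True when the policy's review interval has elapsed since last review."""
    return today - asset.last_reviewed >= timedelta(days=asset.review_interval_days)


def heat_chart(assets: list[Asset], today: date) -> list[dict]:
    """Build the ranked heat chart: highest risk first, ties broken by name."""
    rows = []
    for asset in assets:
        score = risk_score(asset)
        rows.append({
            "name": asset.name,
            "category": asset.category,
            "score": score,
            "band": heat_band(score),
            "reassess_due": reassessment_due(asset, today),
        })
    rows.sort(key=lambda r: (-r["score"], r["name"]))
    return rows


# Constructed sample register; the fixed date keeps the output reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_ASSETS = [
    Asset("customer database", "database", 4, 5, date(2024, 1, 15)),
    Asset("contractor vpn access", "access", 4, 4, date(2024, 4, 10)),
    Asset("public web app", "application", 3, 3, date(2024, 5, 1)),
    Asset("hr portal", "application", 2, 4, date(2024, 3, 1), review_interval_days=60),
    Asset("marketing site", "application", 2, 1, date(2024, 5, 20)),
]


if __name__ == "__main__":
    for row in heat_chart(SAMPLE_ASSETS, TODAY):
        flag = "  <- re-assessment overdue" if row["reassess_due"] else ""
        print(f"{row['band']:>5}  {row['score']:>2}  {row['name']}{flag}")
```

Running the block prints the register sorted from red to green, with the database (the "crown jewels" in the interview's terms) at the top and the two assets whose review interval has lapsed flagged, which is the list a periodic security review would work from.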
What is the key to a successful security review?
Organisations need to think in terms of a sort of scenario building – for instance, if something specific happens, then what would need to be done. Thinking through the scenarios helps you crystallise your thinking. Give yourself an exercise – if another organisation in the industry had a problem recently, then try to think through and find answers to the following questions: what would we do if we had this problem, are we prepared, do we know who is going to be affected, do we know how we are going to inform them? Your security review should take into account these things as well. Going a step further, organisations can also leverage the knowledge base derived from the experience of what other enterprises have tried in the specific scenarios. These are all documented somewhere or the other on the web, and just need to be dug out.
What are some of the misses that enterprises make on the security front?
There are several key misses, like not having a full-time CISO, not having a defined security policy, or having a policy that is something written on paper and reviewed once in two years, and not doing an independent audit from time to time for assessment of security.
Why do you think a CISO needs to be brought on board?
Security is a full-time role. Ultimately it depends on the complexity of the organisation. Once the organisation has grown beyond a certain size, where the number of applications, the different ways by which people access those applications, the number of vendors involved in the infrastructure, etc. crosses a certain limit, it just becomes impossible for one person, who is also doing other things, to take care of security as a role. It then absolutely has to become a full-time dedicated role. Whether the person reports to the CIO or the COO/CEO is just a matter of detail.
What should be the parameters for shortlisting the CISO?
A CISO needs to be a full-time security officer, who is not just someone from within the organisation promoted to that role, but someone who understands security with all its ramifications. Again, it should be someone who has worked with multiple security domains. There have been cases where the CISOs were good programmers or DBAs who were promoted into that role. While they understand the domain they came from very well, they are quite weak on the other domains. And a lot of their focus continues to be on what they are comfortable with rather than taking a more holistic view of security.
Do areas like IT risks and governance need to come under the CEO’s purview?
Increasingly, in our discussions with customers, they refer to the fact that there are more people outside IT asking these questions around IT risk and governance. Sometimes that comes because of compliance, sometimes that comes because of an audit report, or it could even be that the CEO at a networking event heard about a problem which some other CEO had and he just wants to know how prepared they would be if something like that were to hit them. The awareness around IT risks is definitely increasing, and with that the seriousness around it. As IT becomes more and more central to the business, the risks associated with IT are also becoming central to the organisation. As a result, compliance and risks are areas that the CEOs need to bring under their purview.
Your suggestions on how the enterprises need to approach IT governance and risk compliance?
Firstly, it’s important to recognise that this is something that requires board-level attention or the CEO’s attention, and to send the message clearly down to the employees so that they start thinking in these terms.
Thereafter, the first step is that, while assessing the business risks that the organisation is exposed to, it needs to include the component of IT risks. Then it’s imperative to empower somebody in the organisation, ideally somebody who would be designated as the CISO, to conduct periodic assessments and report back either to the CEO directly or through somebody. The assessment should capture where the organisation currently stands in terms of risks and what it needs to do over the next six months, failing which there will be adverse implications.
Like any other investment, it then becomes a question of where the priorities lie. If the particular risk highlighted is something serious, then obviously the CEO has to put some extra investment behind it.