CISOs Should Act As Chief Information Security Selling Officers

FP Archives February 2, 2017, 23:21:01 IST

In case of an absence of any sort of seriousness from the internal customers, CISOs should conduct a thorough dialogue for putting their point through

Implementing effective security in a dynamic threat scenario is becoming a growing concern for CIOs and CISOs, sometimes requiring strategically different perspectives towards security than the current one.

Information security is always at the forefront of items that organisations need to keep monitoring on a regular basis, and it’s the responsibility of the CISOs to keep the topic always alive in the management’s mindscape. Swinging in the CISO’s favour is the recent spate of information security breaches at major corporations and government agencies.

While this has, in a way, made it much easier for the CISO to bring to the management’s notice the extent of damage a breach event can inflict on the company’s reputation, managing the increasingly complex threat landscape has become all the more challenging. And, to top it off, the irreversible explosion of both structured and unstructured data in the enterprise has opened up a whole set of issues to keep tabs on.

“The recent string of hacking events has tremendously changed the dimension of implementing information security,” says Lucius Lobo, VP - Security Services- TechMahindra.

Spectrum Of Challenges

Among the growing spectrum of issues to be dealt with is the changing nature of cyber attacks due to insecure storage of data by enterprises. According to the ISACA 2011 Risk Reward Barometer Survey, 48 percent of the respondents believe that the riskiest behaviour could be storing data in an unsecured manner. “It’s been experienced that the database is the most targeted location of the information infrastructure, where the objective is not only to steal the data but also the source code of the solution. Thus, it is very important to secure data logs,” notes Burgess Cooper, CISO- Vodafone.

Another issue is how new security deployments are perceived and how security policy violators are dealt with. A major challenge with regard to new security deployments is the conventional thinking that ‘the current security is good’ and that there is no need to add to the current security solution portfolio.

“A major concern that is overlooked is to ‘let go’ the security policy violator because he/she is an excellent performer and the company doesn’t want to lose them. They are let off with a warning,” says SR. Warrier, CISO- Godrej Industries.

Managing Security Expectations

The top management’s version of information security should synchronise with the CISO’s. For that, it’s important that business leaders have reliable information on the nature, probability and impact of information risks across the enterprise. Usually the urgency among the top management about security has been well found but it’s not backed by action.

“There is a sense of urgency in the top management about Information Security however when it’s time to deliver and allocate budgets, they back away,” explains Lobo. Nerurkar agrees, “The top management commitment exists but getting budgets is still an issue.”

While top management commitment is important, it’s imperative that CISOs also take the onus upon themselves. “In case of an absence of any sort of seriousness from the business, CISOs should act as Chief Information Security Selling Officers and conduct a thorough dialogue for putting their point through,” suggests Cooper.

Cooper further stresses the importance of raising the bar of the InfoSec team in terms of acquiring skillsets, especially because hackers always have the edge over enterprise professionals, as they are consciously hunting for vulnerabilities in the system. “Hackers are very powerful and they are constantly raising the bar and pushing enterprises to the limit to tighten up their information security framework. Hence companies should be proactive on handling information security,” says Cooper.

Exercises like ethical hacking and similar test activities should be regularly conducted to keep a check on the IT infrastructure for any undetected vulnerabilities. A proactive approach to information security sums up the baseline strategy for any enterprise.
