There was once a perception that CIOs are responsible only for IT infrastructure management, applications and the Software Development Lifecycle (SDLC). However, there is much more to a CIO's role. With the changing environment of modern times, IT risk management has become an indispensable and inherent part of the CIO's job responsibility.
IT risk management is gaining ground because of the increasing adoption of cutting-edge technologies such as virtualisation and cloud computing, and because geographical boundaries are diminishing. More and more data is being stored, processed and exchanged over the Internet and on cloud platforms. It is therefore of utmost importance to protect this data, making information security and risk management a duty that the CIO cannot shrug off.
Moreover, with companies jumping on the 'Consumerisation of IT' bandwagon, tablets, smartphones and a host of other mobile devices are making their way into the workplace. This has its benefits, but it also poses multiple challenges for information security and raises the risk of data theft.
Social media usage also comes with its own set of threats. To avoid them, some companies have put strict governance policies and procedures in place that do not allow logging in to social media sites over the company's network. At the other end of the spectrum, some companies recognise the business relevance of social media and allow their staff complete access so that they can leverage and capitalise on its increasing impact.
While managing the external security factors, it is also important to sensitise the company's ecosystem to potential threats from within. Industry reports have found that employees associated with the company, or with the vendors partnering with the company, are responsible for about 60 percent of information theft incidents. This is where an IT risk management framework, IT policies and controls, internal audit and control, and other available tools can be used to carry out a proactive assessment of the IT infrastructure. Alongside this, it is imperative to continuously plug the gaps identified during the pre-assessment checks.
The CIO and the CRO (Chief Risk Officer) will have to take cognisance of the fact that security in this scenario has to be balanced in terms of what is allowed and what is controlled.
As far as our company is concerned, we have a strong framework in which Internet access is provisioned according to job responsibilities, and employees are given access on a need basis. Most of the user base is allowed access only to websites that relate to their job profile. We have tried to keep a balanced approach: access is available, but it is controlled and justified.
Secondly, we regularly undertake Vulnerability Assessment and Penetration Testing (VAPT), a simulated attack exercise carried out by a third-party partner. This is a robust way to proactively address the threats that come with increased dependence on IT and web-based applications.
Thirdly, we have a very strong IT framework in which the emphasis is on employee awareness. Employees across functions are oriented on security through periodic communication in the form of screensavers and mailers asking them not to fall prey to hacking sites, not to click on mails in their junk folders, and so on. User awareness, policy and controls are very important. Taking proactive steps, using tools and technologies to identify the gaps and putting the right controls in place, is a process that I feel every CIO should adopt to mitigate risk.