The chief information security officer's (CISO) role has come a long way from its erstwhile status of being a mere coordinator, to that of an evangelist of security and risks within
Technology has traditionally been the information security department's stronghold. So identifying risk, creating a short term (as well as long term) security strategy, developing security architecture, ensuring planned implementations, and monitoring the state of security will always remain a CISO's key functions.
Salvi feels that the business team's sponsorship and engagement are critical to meet a security
project's intended goals. Hence the CISO must be able to negotiate the extent to which a technology
solution can help. "Even though almost 80% of information security professionals at present come
from a technology background, the trend is rapidly changing," says Salvi. As a result, CISOs now
have an independent reporting line outside technology in business functions like risk and
operations.
CISO and the business
Every CISO needs to remember that business is the main cause behind information security's
existence. Just as you require powerful brakes to control a car's performance, you need a strong
and robust risk assessment team for the business to move faster. At times, the CISO can be
perceived as a hurdle to business innovations or projects. "Instead of being discouraged, the CISO
should think of his job as an important value addition to the business process," explains
Salvi.
As information security gets increasingly aligned with business, there may be several
disagreements. Hence the age old laws of Indian diplomacy, "Saam, Daam, Dand, Bhed", are very
relevant for the CISO's role. It's always good to first try and discuss things out between business
and technology teams. However, certain things are not negotiable. Exceptions to security policy
cannot be frequent in nature. In such cases, there is a need to rethink the policy.
To serve the business effectively, the CISO must understand its dynamics and nuances. He needs
to communicate the value of security investments to management in the language of the business. In
this sense, the CISO can also be called a chief information sales officer.
CISOs should articulate and build security metrics which can give quantifiable results. For
example, every CISO should track aspects like the number of virus incidents stopped in a day, or
downtime avoided due to security controls. While doing this, CISOs should balance the value of risk
and cost of control. If business understands the language of cost, productivity and profit, then
the CISO can explain security using that language.
The CISO must understand that one size does not fit all. So his tactics should be based on a
thorough understanding of the organizational culture. "Being agile and adaptable to business
imperatives is essential for taking your organization forward in the long run. Sometimes you may
have to lose a few battles to win the war," explains Salvi.
Learn to leverage risk
Risk is among a security initiative's critical drivers. So, along with business and technology,
the CISO also needs to develop risk as his core expertise. To a large extent, regulation
and compliance help organizations identify and mitigate risk with specified controls. The
CISO needs to ensure that risk and compliance are well aligned; compliance should not be done just
for its own sake.
Healthy engagement with regulators (auditors) is essential to explain an enterprise's risk
management and information security strategy. So the CISO should align risk
assessment with the efforts of the teams that test security controls. An integrated
approach to risk will help CISOs properly align compliance enforcement strategy, security controls,
and auditor expectations.
Organizations may have to comply with multiple regulations. According to Salvi, the best approach
is to take into account the requirements of all regulations, prepare a single framework for the
organization, and develop security controls that map these regulations.
While articulating business value, risk should be embedded in every discussion. Risk assessment and
metrics are developed over time, and continuous improvement of this process brings maturity to how the
organization perceives risk. Today, there are tools that can automate the entire risk
assessment process, from identification of risk through to remediation. So it is very clear that next generation
CISOs are expected to act as business and risk leaders, rather than being mere technology
heads.
