The CISO role's keystones: Technology, business and risk
By Dhwani Pandya, Principal Correspondent
28 Jan 2010 | SearchSecurity.in

The chief information security officer's (CISO) role has come a long way
from its erstwhile status as a mere coordinator to that of an evangelist
for security and risk within the organization. To highlight this
transformation, Vishal Salvi, the CISO of HDFC Bank, recently presented a
talk on the 'Evolving role of CISO' at an ISACA Mumbai chapter meeting.
As part of this session, Salvi explained the significance of three
critical pillars -- technology, business and risk -- and how a CISO can
align these aspects with the business.
Technology has traditionally been the information security department's
stronghold. So identifying risk, creating a short-term (as well as
long-term) security strategy, developing security architecture, ensuring
planned implementations, and monitoring the state of security will
always remain a CISO's key functions.
Salvi feels that the business team's sponsorship and engagement are
critical to meet a security project's intended goals. Hence the CISO
must be able to negotiate the extent to which a technology solution can
help. "Even though almost 80% of information security professionals at
present come from a technology background, the trend is rapidly
changing," says Salvi. As a result, CISOs now have an independent
reporting line outside technology in business functions like risk and
operations.
CISO and the business
Every CISO needs to remember that the business is the reason information
security exists. Just as you require powerful brakes to control a car's
performance, you need a strong and robust risk assessment team for the
business to move faster. At times, the CISO can be perceived as a hurdle
to business innovations or projects. "Instead of being discouraged, the
CISO should think of his job as an important value addition to the
business process," explains Salvi.
As information security becomes increasingly aligned with the business,
there may be several disagreements. Hence the age-old laws of Indian
diplomacy, "Saam, Daam, Dand, Bhed", are very relevant to the CISO's
role. It is always good to first try to discuss things between the
business and technology teams. However, certain things are not
negotiable. Exceptions to security policy cannot be frequent; if they
are, the policy itself needs to be rethought.
To effectively serve the business, the CISO must understand business
dynamics and nuances. He needs to communicate the value of security
investments to management in the language of the business. To this end,
the CISO can also be called a chief information sales officer.
CISOs should articulate and build security metrics which give
quantifiable results. For example, every CISO should track aspects like
the number of virus incidents stopped in a day, or downtime avoided due
to security controls. While doing this, CISOs should balance the value
of risk against the cost of control. If the business understands the
language of cost, productivity and profit, then the CISO can explain
security using that language.
The CISO must understand that one size does not fit all. So his tactics
should be based on a thorough understanding of the organizational
culture. "Being agile and adaptable to business imperatives is
essential for taking your organization forward in the long run.
Sometimes you may have to lose a few battles to win the war," explains
Salvi.
Learn to leverage risk
Risk is among a security initiative's critical drivers. So, along with
business and technology, the CISO also needs to develop risk as his core
expertise. To a large extent, regulation and compliance help
organizations identify and mitigate risk with specified controls. The
CISO needs to ensure that risk and compliance are well aligned;
compliance need not be done just for its own sake.
Healthy engagement with regulators (auditors) is essential to explain an
enterprise's risk management and information security strategy. So the
CISO should align risk assessment with the efforts of the teams that
test security controls. An integrated approach to risk will help CISOs
properly align compliance enforcement strategy, security controls, and
auditor expectations.
Organizations may have to comply with multiple regulations. According to
Salvi, the best approach is to take into account the requirements of all
regulations, prepare a single framework for the organization, and develop
security controls that map to these regulations.
While articulating business value, risk should be embedded in every
discussion. Risk assessment and metrics are developed over time.
Continuous improvement in this process brings maturity to how the
organization perceives risk. Today, there are tools which can automate
the entire process of risk assessment, from identification of risk
through to remediation. So it is very clear that next-generation CISOs
are expected to act as business and risk leaders, rather than being mere
technology heads.