CISO career 101: Chief Information Security Officer route basics

By Dhwani Pandya, Principal Correspondent
11 Dec 2009 | SearchSecurity.in

Pawan Kumar Singh, the CISO of Tulip Telecom, has an illustrious infosec career to his credit. Prior to his stint with Tulip Telecom, Singh was instrumental in setting up the information security function and the IS audit function for Indian industry leaders like Bharti Airtel. He shares lessons from his infosec career.

SearchSecurity.in: How would you define the CISO's role in enhancing an organization's overall information security levels?
Pawan Kumar Singh: IT is a small factor in the whole scheme of information security. The person in charge of information security should understand every business aspect [like human resources (HR), administration and legal operations]. We need to convert technical lingo into financial risks for the management's understanding. The CISO's role is to guide the management when it comes to risk aligned with the line of business. So CISOs can be viewed as consultants. A CISO faces various organizational bottlenecks, since you basically police every individual's activities and find loopholes in business functions. Buy-in for security initiatives comes only when top management is committed to security.

SearchSecurity.in: Can you give some tips for infosec professionals on how to groom themselves to become CISOs?
Singh: Security per se cannot be taught. It is a mindset which you develop over a period of time. A security professional should have a mindset which is always able to detect risk aligned with processes.

To build a career in infosec, you should thoroughly understand three aspects: security operations (IT network), processes and compliance. A thorough knowledge of technology is necessary, although you may not need to know every product. Also, you should understand the difference between policy, processes, procedures and guidelines. These are often used interchangeably.

SearchSecurity.in: How far has your role as a CISO changed over the years?
Singh: Seven years back, I was quite hands-on with technology. After I moved to Bharti Airtel, I was responsible for the establishment of the information security team and the audit function. Internal audit is critical, as it helps the organization to understand third-party performance. These audits face resistance, and third parties often hide information. We started seeing IT audit alignment after a few audit cycles.

When I joined Tulip as the CISO, there was a larger change in my role. It required me to get out of operational mindsets and adopt a strategic outlook. The only way to learn was through observation and interaction. I had the right people around me. You should interact with the C-level to understand business objectives and how they perceive risk. Infosec is a field where you need to learn constantly.

SearchSecurity.in: Can you tell us about the infosec landscape at Tulip and your priorities for 2010?
Singh: At Tulip, security measures are being implemented a bit slowly but strategically. In the past, there were bottlenecks due to a change of management, but things are stable now. I am seeing a positive change in the management's mindset; they are realizing that security should be imbibed in the organizational DNA. It will take a while to change a 12-year-old organization.

With each passing day, we are getting more process oriented. My first priority is to align three critical functions — administrative, HR and IT. If you can get this alignment, you can be assured that 70% of your infosec requirements are complete. Although I am not making any specific demands in the 2010 security budget, I will ask for budgets to increase automation in the administrative and HR functions. We want to bring more control in these functions. I also take care of ISO certification for Tulip, which includes ISO 27001, ISO 9000, ISO 20000.

In 2010, I plan to deploy an endpoint security solution for our laptop and desktop users. We will further strengthen our perimeter security and audit functions. There will also be an increase in investment in employee training and awareness sessions to change user mindsets.
