What are the challenges faced by CISOs on the InfoSec front?
While the specifics will vary by industry and company, the CISO role is multi-dimensional, having aspects spanning strategy, operations and execution, risk management and regulatory compliance. CISOs have to understand an organisation’s business objectives and imperatives, its risk appetite and its threat and regulatory landscape, and accordingly build and run a program, which involves influencing and orchestrating a number of moving parts across the enterprise – all in an environment of rapidly evolving threats, technological changes and ever-increasing digitisation. Additionally, having core internal security capabilities is a requirement for most organisations, and in the current situation, with demand far outstripping supply, getting and keeping the right talent is a big challenge.
On one hand, while the wave of digitisation is shaping the future of businesses, it is also bringing along the challenge of robustly securing the very critical customer-facing and native IT infrastructure. How do you see this challenge?
Security is foundational and is a key enabler for digitisation and for helping organisations build digital trust with their customers. First, core hygiene practices, e.g. vulnerability management and identity and access management, are critical and are baseline measures. Second, security controls specific to cloud hosting (configuration management and visibility) and digital asset security (dynamic and static testing) need to be in place. Finally, newer concepts relevant to cloud and digitisation (containers, DevOps, IoT) need to be understood, and appropriate security controls designed and integrated.
Please share some best practices to be followed to maintain a robust IT security posture.
There is no silver bullet. While the latest advanced technologies and tools get a lot of attention and are required in some cases, there is no shortcut to following the basic principles and getting core hygiene in place across the key pillars of security – people, process, technologies, and partnerships. Also, while there is a lot of focus on acquiring security technologies, deploying them optimally and utilising their capabilities well is essential to realising the benefits. Security is also a risk management function, and it’s imperative to have the lens of risk and weave that into security processes.
How important is awareness, given that a good number of breaches happen due to insiders not following security hygiene practices?
Again, a foundational element of security is people. There is also a distinction between being aware and a true behaviour or culture change – e.g. one might be aware of good practices yet not follow them if they are too difficult or one has not fully internalised the risk. Thus, organisations should look beyond just awareness in the sense of broadcasting good practices. Good design of systems and security controls and the use of “nudges” (concepts from behavioural economics) are examples of how an organisation can be more effective in this area.
What is your view on IT budgets? Are CISOs getting enough?
With the increasing broader awareness of the threat environment, the impact of breaches and destructive attacks, and penalties under laws and regulations, I would think most organisations would understand the criticality of information security and support it with appropriate funding. Getting funding is only one dimension though; if, for example, the technologies procured are not adequately utilised, the desired outcomes will not be met. Also, integrating security into processes and creating a security culture are other critical aspects which must be addressed to get security right, so aside from funding, management needs to ensure there is broader overall support and sponsorship for the program.
Do CISOs have a say in board meetings?
Given its criticality to businesses, information security is definitely an area for Board oversight, and while the specifics of which Committee(s), topics covered, frequency, etc. will vary by organisation, the CISO has an important role in ensuring the Board is apprised of the company’s infosec posture and in addressing questions they have.