In today’s hyper-connected world, information security has become a vital aspect of business processes. However, in the context of changing business environments and advanced networks, security threats loom large. The use of sophisticated and advanced techniques by hackers is a reality that has caused the role of a Chief Information Security Officer (CISO) to become more strategic and nuanced than ever before.
In the past, CISOs came from varied backgrounds and moved up the ladder through IT or business ranks. This has changed considerably and CISOs today are expected to be deeply entrenched in their domain in addition to laying out the IT framework of an organization. Their remit now is to place information security high up in the strategic agenda vis-a-vis treating it as a mere compliance requirement. The role demands translation of complex information security concerns into easily understandable solutions, in addition to driving engagement across the organization in an effort to manage risks.
The role of a CISO varies in different organizations, but in essence they are responsible for the following:
- Defining the strategic direction of the organization’s information security programs while simultaneously developing security policies and procedures that provide adequate business application protection, without interfering with the core business requirements.
- Managing security, risk and compliance matters centrally
- Balancing security needs with the organization’s business priorities, identifying risk factors, and determining solutions for both
- Designing the security awareness program focused on changing behaviors and monitoring trends
- Establishing the corporate investigations program including computer and mobile forensics, loss prevention, fraud risk management, and privacy issues
- Owning crisis management and centrally coordinating the business continuity plan for the organization
Types of CISOs
The role of a CISO depends on the internal dynamics of the organization. Depending on the size and culture of the organization and the perceived importance of security, CISOs have different areas they could specialize in; though some organizations have CISOs performing all the roles
- A Technical Information Security Officer specializes in resolving technical security issues, operations and monitoring. He also coordinates and manages technical policies, control and assessment activities
- A Business Information Security Officer specializes in information security issues related to the business, such as how to securely implement customer-facing technologies and how to appropriately protect customer data. His main role is to ensure that the business unit understands that information security is a business requirement like any other
- A Strategic Information Security Officer specializes in translating high-level business requirements into enterprise security initiatives and programs that must be implemented to achieve the organization’s mission, goals and objectives. He is also responsible for metrics, dashboards and executive reports, and for presenting assessments of the state of security in the enterprise to the board of directors.
A significant part of an ongoing requirement for new-age CISOs is to stay updated with the latest trends in information technology. These include:
- Data Security: This is a main concern for organizations given the imperious growth of enterprise mobility, collaboration technologies and social media; data security threats are poised to grow in the years to come. The CISO will constantly be surrounded with the concerns of protecting the network and infrastructure from both external and internal threats
- Mobility: Mobile technology and application development are the fastest growing segments in the IT space and hold enormous potential for the future. The CISO will be tasked with the enormous yet very pertinent task of verifying device vulnerability, presence of malwares, access control to avoid data leakage, remote wipe of company data for lost or stolen devices, etc. to ensure BYOD does not stand for Bring Your Own Disaster
- Social Media: Social Media consists of various user-driven (inbound marketing) channels and poses a huge risk to the organization’s infrastructure, intellectual property and government regulations. The onus lies on the CISO to quickly identify and capitalize on the emerging opportunities presented by social media while appropriately managing the associated risks
- Cloud Computing: The new computing paradigm brings with it grave challenges for the CISO. Before implementing a cloud based environment, he has to primarily perform thorough due diligence. For example, clear visibility of where the data is and how it is separated from other data, choosing a service provider, where the service provider will process and store the data, and who will have access to it, what data to move to the cloud and what data to keep on-premises, for audit, assessment, and verification
- Big Data: Collection of sensitive and mostly unstructured data-sets by the organization, more commonly known as big data, and managing security of this big data is a CISO’s responsibility. Specific aspects of this include granular access control, real-time monitoring, privacy-preserving data mining and analytics among others.
In essence, against the background that security is fast becoming an issue that cannot be ignored, the CISO has to constantly re-invent himself and cultivate nuances that navigate the complex IT environment he is operating within. If organizations are to up the ante in terms of the technologies they are deploying, the role of CISOs will need to be expanded to manage the related risks as well.
Ashish Chandra Mishra is CISO, Tesco HSC