CISOs are best suited to articulate the cyber risks faced by their organization to their leadership and board. Therefore the CISOs need to be positioned at strategic level by the organizational leadership so that all important cyber risks are tabled for discussion with them and the board. Vishal Salvi, CISO, Infosys speaks with EC’s Abhishek Raval and explains how CISOs can take the lead in heading cyber security initiatives for the company
Budgets are a constraint that CISOs face. Do you think, across Industries the amount of money that should be allocated to information security is enough?
Getting budgets is the core issue here. In many organizations the CISOs are best operating at an operational level and hence they are not able to surface the top cyber risks to the leadership and the board. As mentioned earlier, organizations need to invest in CISOs and position them to operate at a strategic level.
In today’s world, you cannot think of any organization without digital push and online presence. The dimension and size of the cyber risk faced by the organizations is based on the nature of their business, their industry and the size and scale of the organization. Large organizations know that managing cyber risks is important and are willing to invest, so long as they are able to understand them better and also know the impact to their business in case they materialize. Proper articulation of cyber risks is an important part of the CISOs role and sets the tone of how cyber security is practiced with an organization.
At Infosys, the CEO is the chair of the Information Security council. You can’t get bigger sponsorship than that. The board regularly reviews data on how cyber security is practiced and implemented. The same was the case with the organizations that I have worked for in past. The board ensures that there is proper visibility, cadence and governance around the cyber security program. The question is, in how many organizations, we have such practices being followed. CISOs should not be mere ceremonial; they should be authoritative and independent voice on cyber security, which reaches the leadership and board.
So, should the CISO position himself or the management should empower him and give the required headroom?
The hiring of the CISO and the positioning can’t be done by the CISO himself. The leadership in the organization has to drive this. If that’s done properly, it’s half job done. The second part is the empowerment of the CISO. The role should be independent of any conflict of interest, should be empowered to raise issues and risks to the leadership and the board. There are a lot of other aspects, such as influencing, change management, technical acumen etc. These are important attributes that every CISO must have.
In short, lack of security budgets is just a symptom. The root cause is, there is nobody senior enough to articulate the seriousness of cyber risk issues to top management, for the money to be allocated.
What techniques would you suggest to CISOs to get their voice across to the top management and be independent to position themselves?
– Articulating the risk and integrating with the risk management framework to provide a convincing business case to get funds
– Quote examples of recent cyber security incidents to explain the risk
– Explain the current cyber security status compared to the peers
– Building a good cyber security strategy
– Stakeholder mapping, engaging with the right stakeholders and regular interactions with them to influence them to support the organization’s cyber security program
– Do internal assessments; identify control failures and gaps and show where we are and where we ought to go. Connect it with risk management in such a way that cyber security doesn’t become a problem but becomes an enabler for business
You have worked in various roles – as a banker and then CISO of large bank, as a Partner in one of the Big4s and now as a CISO and SVP at one of India’s top IT services company, Infosys. Please share the learnings?
The experience at Standard Chartered Bank as Head, Office of Information Technology Services (OITS), exposed me to global perspectives and processes. Being a purist British Bank, cyber security was always high on priority. It particularly helped me to imbibe the best practices on the security side of banking. As the practices learnt at the bank were globally acknowledged for their effectiveness, they came in handy during my stint at HDFC Bank, which is a large local bank in India. It was especially useful at the bank, because I was playing a leadership role and we were setting up and stabilizing the security operations and also simultaneously working on transformation initiatives.
The Information Technology Governance Risk and Compliance (ITGRC) project in HDFC Bank was completed in two years. However, the same project was implemented in just six months at Infosys. It was because of the lessons learnt at HDFC Bank.
At my two-year stint in PwC, I got the opportunity to talk in depth with close to 100 CISOs in their office. This was a totally different experience and knowledge gathering that happened compared to sitting in office and trying to understand what our peers are going through. These meetings help to infer on why the execution of certain aspects of an implementation fails; where organizations fail in delivering certain services.
Having worked in different roles has given me this sense of empathy towards my stakeholders which is so valuable in implementation and execution of our vision.
How do you see the development of the concept of collective effort, and ecosystems coming together to fight cyber crime. For example, life insurance companies have formed a consortium to share threat related incidents. Sectoral CERTs will be formed soon. What’s your view on multilateral arrangements and consortiums to fight cyber crime?
There are established models of information sharing, practices. Financial Services Information Sharing and Analysis Center (FS-ISAC) in the USA is a good example. The organization started off for the financial sector and it has branched out to sectoral ISACs. It was formed in around 1998-99, but it took them about a decade and by 2007-08, they became more effective. They are not-for-profit and funded by various sectors. While there is a body and core committee to run the organizational operations, it’s the member organizations who are contributing to capability building in information sharing.
On the same lines, the Government, under the National Cyber Security Coordinator’s office, had initiated a joint working group, in terms of what needs to be done. I was a part of the joint working group responsible for Information sharing for the financial sector.
Any platform set up for information sharing is always useful to collaborate and act on certain issues, incidents and imminent threats proactively than learn from personal experience. More needs to be done. While there is some progress that has happened but we can do much more than what we have in place right now.
Which are some of the use cases for the application of AI in cyber security?
In some areas AI and ML are already operational. There are use cases for using AI in the Cyber Security Operations Centers (CSOCs). The traditional tools in a typical SOC are currently unable to solve the same problems.
The Security Incident and Event Management (SIEM), security analytic tools have been around for quite a few years. They have delivered well, however, with certain limitations. AI and ML can solve those problems; for example, inputs from threat intelligence and asset inventory, incident management can be consolidated and an AI model can be run over it to make reasonable predictions on certain events that might happen on the network. While a part of it is possible using SIEM, a majority of this problem can be solved by AI.
The issue of false positives has plagued the cyber security world for many years. Infosys is incubating and testing models on how AI can be useful in segregating false positives from the suspicious traffic.