With increased cyber attacks and newer incidents being reported regularly, C-level executives and board members are increasingly concerned about protecting their company’s valuable assets. Express Computer’s Ankush Kumar puts the spotlight on the evolving role of CISOs with respect to ever increasing cyber threats. The story comprises inputs from key information security heads and industry experts.
As businesses continue to adopt newer technologies, they are also exposing themselves to several types of cyber security threats. Enterprises across the world are finding it challenging to become resilient against such increased vulnerabilities. C-level executives and board members are naturally worried about the newly reported cyber attacks and incidents. For example, Target’s CEO resigned after a massive credit card security breach that affected more than 40 million customers. Cyber security, hence, is not the responsibility of the IT department alone. If a big security breach leads to the loss of valuable corporate data, and can lead to the violation of privacy laws, then it makes every executive board member equally responsible.
According to ‘The Global State of Information Security Survey 2016’ report, released by PwC, the average number of information security incidents detected by respondents increased by 117 per cent over the previous year, up from 2,895 last year to 6,284 this year. In such a scenario, the role of the CISO (Chief Information Security Officer) becomes even more important in ensuring that the company’s defence system is strong enough to combat such a menace. CISOs are now approaching the top management and making them aware of the threat level so that they are proactive in taking informed decisions.
Evolving Role of CISOs
Over the past decade, the very nature of cyber security as well as the role of the CISO has evolved to focus on value driven protection, business enablement and digital presence enhancement. “CISOs earlier reported to CIOs and CTOs in an organization. This is set to change in the near future as many CISOs now function outside the purview of CIOs/ CTOs and report to heads of risk, who have a share of voice in the board. Their stake in defining the organization’s IT strategy is also set to increase as security is increasingly being incorporated at the ‘design’ stage,” says Sivarama Krishnan, partner and leader, Cyber Security, PwC India.
Krishnan believes that, over the years, the CISO role has transformed and is no longer limited to addressing the security concerns of an organization. “The CISO of today needs to not only focus on the agenda to protect the enterprise information, but also needs to be innovative in digital enhancement and adding value to the business. Over the last decade, the threats were limited to virus and worm infections, but now they have taken the form of advanced persistent threats (APTs), backed by incidents of corporate espionage. More funds are available to CISOs who are now responsible for managing ‘cyber risks’ for the enterprise, and not only IT security. The share of cyber security, as a percentage of IT spend, has also seen an increase over the past few years.”
A recent study by PwC reveals that there has been a shift in the attitude of top management towards cyber security. Increasing involvement of the board and the C-suite has served as a big boost to security programs and has made it easier for CISOs to obtain funds.
In large conglomerates, the role of the CISO has visibly moved from managing simple operations oriented projects to proposing and leading ‘transformational’ cyber security projects, or even strengthening the cyber defence posture of the company.
Presenting a business case to the CEO/ Board members
As cyber security is now being treated as one of the most important factors in business expansion and in mitigating risks, a business case for getting funds for information security solutions becomes a crucial part of the security strategy presented to the top management. For any CISO, getting the approval of the board for a cyber security project can be a tough task. But there are certain ways to make a business case more effective, and some logical approaches that CISOs can always utilize. Having a clear cut understanding of what makes the case business oriented, and of the way in which it can be presented to the board, can help in getting a project across the line.
Express Computer spoke to two prominent CISOs, who share key points to keep in mind when presenting a business case to the CEO/ Board:
Venkatesh Subramaniam, CISO (Chief Information Security officer), Idea Cellular
– Do adequate research and have all required data points ready
– The business case should provide objective data (either on the benefits of doing the proposal or the impact of not doing it)
– It has to be non-technical and bring out the impact to the business (highlight specific use cases it will address for the business)
– Presentation has to be crisp (not more than 8-10 slides) and preferably visual
– Lastly, be honest. Sell the case only if you very strongly believe in it. You need to be perceived as a trusted aide.
Uday Deshpande, CISO (Chief Information Security officer), Tata Motors
Information security is usually an investment for data protection. Every organization has to create basic tools and best practices to calculate their Return on Security Investment (ROSI). The organization needs to calculate the cost of an incident by taking into account all the relevant costs if an incident occurs (reputational costs, loss of customers, data records cost) and the probability of incident occurrence. It also needs to measure the cost of security measures/controls, and the level to which the risk of this incident would decrease because of such mitigation.
So a security investment is judged to be profitable if the risk mitigation effect is greater than the expected costs. For every tool or technology, the above exercise needs to be conducted, and it is often better to extrapolate from the organization’s historical data on incidents so that future requirements are taken care of.
Also, the senior management needs to be made aware that the average time to resolve a cyber-attack is around one month, with an average cost to organizations estimated to be approximately $150K over this period. Results show that malicious insider attacks can take more than 50 days on average to detect and contain. Depending on the type of incident, damages can grow exponentially over time. So the earlier the investments, the lower the losses.
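As an added example (not from the article or from Deshpande), the following Python carries the ROSI exercise above through in code: it extrapolates an annual loss expectancy from a constructed incident history, then scores candidate controls with the "mitigation effect versus cost" test and ranks them for a business case. The control names, costs and reduction fractions are assumed illustrative values.

```python
# Added example: Return on Security Investment (ROSI) following the steps
# described above. Incident history and control figures are constructed.
from dataclasses import dataclass
from statistics import mean

# Constructed history of security incidents: (year, total cost in USD).
# Each cost already bundles reputational damage, lost customers and
# data-record costs, the components the ROSI description lists.
INCIDENT_HISTORY = [
    (2011, 120_000.0),
    (2013, 180_000.0),
    (2014, 90_000.0),
    (2015, 210_000.0),
]
YEARS_OBSERVED = 5  # 2011..2015 inclusive, so the incident rate is per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float     # licences, staff and maintenance per year
    risk_reduction: float  # fraction of expected loss the control removes, 0..1


# Assumed candidate controls for the business case (illustrative figures).
CONTROLS = [
    Control("Endpoint detection and response", 30_000.0, 0.5),
    Control("Employee awareness training", 10_000.0, 0.2),
    Control("Enterprise DLP suite", 100_000.0, 0.6),
]


def annual_loss_expectancy(history, years_observed):
    """Extrapolate ALE from history: mean cost per incident times the
    annual rate of occurrence (incidents per observed year)."""
    if years_observed <= 0:
        raise ValueError("years_observed must be positive")
    if not history:
        return 0.0  # no recorded incidents: nothing to extrapolate from
    cost_per_incident = mean(cost for _, cost in history)
    annual_rate = len(history) / years_observed
    return cost_per_incident * annual_rate


def rosi(control, ale):
    """ROSI = (risk mitigation effect - cost of control) / cost of control,
    where the mitigation effect is the expected loss the control avoids."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    if not 0.0 <= control.risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be between 0 and 1")
    avoided_loss = ale * control.risk_reduction
    return (avoided_loss - control.annual_cost) / control.annual_cost


def is_profitable(control, ale):
    """The test stated above: mitigation effect must exceed the control's cost."""
    return ale * control.risk_reduction > control.annual_cost


def rank_controls(controls, ale):
    """Order candidates by ROSI, best first, so the case leads with the
    option that returns the most per unit spent."""
    return sorted(controls, key=lambda c: rosi(c, ale), reverse=True)
```

With the constructed figures the ALE works out to 120,000 per year, the training option returns 1.4 per unit spent, EDR returns 1.0, and the DLP suite fails the profitability test because its cost exceeds the loss it avoids.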
Security Posture of C-suite and Board Members
Hacking and data theft from the American organizations Target and Ashley Madison, where millions of customers’ personal data were stolen, have resulted in the resignation of their CEOs and posed a severe security threat. “The shift and rise of the security expert as a C-level person has increased after the recent high profile breaches, which not only cost those companies and their partners millions of dollars, but also cost top executives their jobs. Hence, with a security expert on the board, the security leader can be detail oriented, logical, and sequential and think like a ‘hacker’,” informs Burgess Cooper, Partner, Information & Cyber Security, Ernst & Young.
In a modern enterprise, all C-suite and board member executives share responsibility for the company’s cyber security posture, even when they have no direct role in managing it. For instance, chief marketing officers are generally focused on the efficient use of social media and the web for activities like email campaigns, website updates, mobile app development, blogs and search engine optimization. Even though these seem to be strictly promotional endeavors, they can easily leave the door open for malware or other cyber attacks against unsuspecting customers’ systems.
Cyber security threats are rapidly changing, says Brijesh Datta, Senior VP-CISO, Reliance Jio Infocomm Limited. “About 7-8 years back, hackers were targeting mostly consumers or firms dealing with consumer information or finances. Hence, the key management or the board in such firms providing financial services, telcos or online eCommerce services, or those acquiring customers’ privacy data, were always conscious about their cyber security responsibilities. However, with the changing nature of attacks like ‘Ransomware’ and ‘Business Email Compromise’, even ordinary firms are getting targeted and these attacks are being widely reported in business newspapers. We now see boards of ordinary businesses also being aware and concerned about cyber security.” Datta states that while it is not necessary that the C-level person on the corporate board be a security expert, they should be aware of cyber security basics at the very least.
Tackling risks arising from Social Media and Mobility
As per the findings of Symantec’s Internet Security Threat Report, volume 21, India ranks 3rd globally and 2nd in the APJ region as a source of overall malicious activity. Every 6th social media scam impacts an Indian. Last year, the country witnessed one of the biggest cyber crimes in Mumbai. According to press reports, the Oil and Natural Gas Corporation Limited (ONGC) lost around Rs 197 crore as cyber criminals duplicated the company’s official e-mail address with minor changes and used it to convince a Saudi Arabia-based client to transfer payments to their account.
“Applications exposed to the Internet should be monitored and secured to the extent possible. Cyber threats will continue to remain a challenge for companies and security teams as they will continue to grow in complexity. The basic expectation of data availability anytime and anywhere for a mobile workforce on multiple devices and platforms, all put together, makes securing the data very difficult,” opines Veneeth Purushotaman, CIO, Fortis Healthcare.
Besides ensuring that the security systems are updated, it is also equally important to sensitize employees. Hence, employees must be given training on how to handle critical data with care.
Use of social media by employees does pose a potential risk for the organization due to hacking and spyware, states Himanshu Verma, Chief Technology Officer, Yatra.com. “As employees use the same laptops/ desktops/ mobiles to access social media and the company’s infrastructure, they can become an inadvertent conduit to mount an attack on the company’s infrastructure. A fair amount of spyware and malware can potentially make its way into an organization via social media usage, especially via content sharing.”
Verma is of the view that organizations need to protect their IT assets from such risks by creating a clear separation between systems directly used by employees and production systems, so that a compromised laptop or mobile does not harm the production systems in any way. “We don’t have a well defined BYOD policy as yet, as we don’t normally allow employees to use their own laptops in the office. However, they are allowed to use their own mobiles, but only for accessing their emails.”
Security has a direct and tangible correlation to the company’s financial health, thus making it an important aspect that the leadership team needs to focus on. Erosion of customer trust due to a security breach can be catastrophic and almost irrecoverable, and therefore, enterprise security has indeed become a boardroom agenda.
If you liked the above feature, feel free to share your opinion or idea in the comment section below or at [email protected]. The article also appeared in the print edition of the June 2016 issue of The Express Computer Magazine.