
Managing Cybersecurity: Key Insights from A CISO


The new normal has given rise to the new CISO (Chief Information Security Officer), whose key responsibilities are to manage organization-wide security issues and risks and to bridge the gap between human error and innovation. This C-suite executive is expected to demonstrate foresight and an ability to step beyond the technical framework and work towards building a culture of ownership within the organization.

The seemingly good part of being a CISO is obtaining a greater allocation of budget and, more importantly, being able to speak one's mind. While most CISOs have what it takes to ensure that security remains a priority, today they are also expected to manage workforce behavior and bring business innovation. Here are key insights for CISOs from a CISO: Amit Jaokar, Chief Digital Officer & Chief Information Security Officer, NKGSB BANK.

  • Shifting from a No-to-Yes function

To be able to deliver security at speed, the CISO must understand what drives the organization’s business. Without a deeper understanding of how all other functions are run and what triggers the stakeholder, the CISO is likely to keep the role limited to only software applications rather than embedding security into the processes. But this can be changed.

“As the world is embryonic around technological advancements; anything and everything requires technology to stay competitive. This surely brings in a lot of benefits albeit one can’t avoid the risks coming along with it. CISO needs to have 360-degree acumen of the entire organization, and its processes & functions to be on top of the risk landscape. Having an enterprise-level risk appetite and leveraging it appropriately as per business strategies and risk limits is vital,” said Jaokar.

  • Aligning risk metrics with business challenges

While many may have strong risk management processes in place for specific risks, they struggle to develop a robust organization-wide process that is transparent and all-encompassing. Most often, over 90% of cyber-attacks involve some form of human error. In many organizations, decisions are made on the basis of different parameters for IT and other teams. Bridging these silos is one of the challenges to deploying effective cybersecurity. CISOs certainly need board-level support to establish control, but should never underestimate the power of their role.

  • Addressing talent shortage and skill development concerns

The expansion of the cybersecurity landscape has raised demand for a skilled workforce that can secure today's systems, networks, and data against cyber-attacks. However, there is a constant shortage of talent, owing to unrealistic expectations and burnout. CISOs must draw up a plan to upskill employees and retain existing talent to manage their security operations efficiently.

In Jaokar’s opinion, getting the right fit, especially in the security domain, is a tough ask, and retaining it is the next challenge. “We need to create a good pool of technical (Infosec) recruiters who will keep tracking for appropriate talent. RBI is embarking on training & awareness which is mostly client-centric, however, it is equally important to train, upskill Infosec talent within the organization by giving them an opportunity to upgrade themselves with appropriate courses to learn.”

  • Staying resilient and contributing to business continuity

An organization's security strategy keeps evolving, and so should its CISO. CISOs can help identify a range of cyber risks, think about preventing or mitigating incidents, and contribute to business resiliency. According to Jaokar, the security strategy should revolve around five things that together give a comprehensive understanding of the security posture of an enterprise: monitoring all layers, knowing the whereabouts of the organization, implementing security controls & solutions, and managing risks, compliance & regulatory requirements.

Conclusion

Embracing the trifecta of intelligence, experience, and technology is what makes the modern CISO successful in building a culture of security today. While most CISOs rely on a range of technical skills to navigate the risk landscape, it is critical to pay attention to strengthening each layer of security to gain the maximum advantage.
