CISO Transiting From IT Head To Risk Compliance Enabler

by Priyanka Pugaokar    Mar 09, 2017


With the sophistication of cyber crime syndicates touching new heights, it is imperative for organizations to think of security as more than an IT issue. Unfortunately, many organizations today are not confident about the robustness of their security architecture. This is where the Chief Information Security Officer (CISO) comes in. The role of CISOs has evolved in the last five years from an ‘internal auditor’ to an enabler of security policy compliance and risk compliance. Today, CISOs are playing a major role in advising CIOs or CFOs on the deployment of the right technologies for holistic security. Though technology deployment is largely driven by CFOs, CISOs are not only taking a stronger and more strategic leadership role but also sharing cyber risk ownership in the organization.

In an exclusive interaction with CXO Today, Manoj Taskar, Country Manager, India & SAARC at Tenable Network Security, gives his perspectives on the evolving role of CISOs in India.

CXOToday: How do you see the security preparedness of Indian enterprises in the last one year?

The enterprise security market has evolved a lot in the last one year. Larger enterprises have taken cognizance of security, more as an activity to do than as check box compliance. Earlier, security was largely looked at as an audit check box, but that has changed in recent years. Organizations are increasingly taking cognizance of the fact that security is something that needs to be proactively monitored and delivered to both their internal and external consumers. Earlier, companies focused on external security, and internal security was largely driven by trust in the employees. But now they have taken cognizance of internal security threats that lead to external breaches.

CXOToday: With increasingly sophisticated attacks, security has become a boardroom agenda. How do you see the evolving role of CISOs?

I am very happy to see that CISOs of late are moving up from being IT managers or EDP managers and are actively participating in security policy documentation, security policy compliance, risk compliance, etc. This is a very good sign from the perspective of Indian CISOs. It is important how IT decision makers drive security policies within their respective organizations, and we see a trend where CISOs are talking about these policies very aggressively.

CXOToday: In the Indian context, do you see CISOs playing a major role in the decision making regarding technology deployments?

Well, this is a chicken and egg story. Every business has an ‘X’ amount of budget to spend on technology deployment, and financial decision makers mostly look at it from their budget perspective. The CISO, unfortunately, is not governed by that perspective. The CISO is governed by what is the best security he can get for the business processes and systems. The CISO may not get the choice of the product because of the budget constraint, but he still has a choice to put forward an opinion about the best security deployment in the organization. Though decision making from the perspective of financial allocations will be in the hands of business units, from the perspective of selection of technology the CISO has a bigger role to play.

CXOToday: How are factors such as digitization, BYOD, cloud, social and big data impacting the security landscape in the corporate environment?

The concepts of BYOD or work from home are evolving in enterprises, even though there is a huge security risk associated with them. Today, the security posture has changed from a reactive security mechanism to a proactive security mechanism. Today, it is important to ensure that devices are malware free and completely patched up before giving access to the corporate networks. Gone are the days of point and shoot management. Now enterprises can do an assessment in real time and know their security posture. As per the guidelines, organizations need to scan themselves every quarter. The RBI has mandated all the banks to have a continuous monitoring and vulnerability management program in place. Similar efforts are needed for other sectors as well. Security is a cumbersome task, but only in the initial phases. Once enterprises set into the rhythm of managing and maintaining it, it becomes very easy.

CXOToday: According to you, how has demonetization impacted the industry in India?

Demonetization has not affected the industry too much and we are not seeing any disruption from a business perspective. Having said that, the awareness to get online and cause nuisance value has definitely increased post the currency demonetization. Cyber criminals are finding ways and means of disrupting the digital payment processes. We can say that the disruptive awareness has gone up rather than inceptive awareness.

CXOToday: CIIs and SCADA systems are the new target of cybercrime syndicates. What regulations are needed for industrial security in India?

Industrial security has always been an isolated piece and it has never been in the limelight. But as the technologies have evolved more, with industries leveraging industrial automation, we see a lot of exposure of devices that control networking to cybercrime syndicates. Tenable is very uniquely poised to provide SCADA-based security. We monitor SCADA-based systems for their vulnerabilities, and the minute someone tries to disrupt the system, we are the first to know. It could be a false positive, but at least there is awareness about how industries can improve the security posture from a monitoring perspective.

CXOToday: Do you feel the need for a separate law or an independent body to address the issues related to enterprise security?

The IT Act needs a lot of amendments, as it is very difficult to have very strict control in a country with huge internet usage. But in terms of enterprise security, rather than having a separate law or an independent body in place, there is a need for a remediation mechanism to understand things from a legal perspective and enable enterprises to come out and report breach incidents. Organizations already have these practices running internally, but there is a need to get the practice to go from A (internal) to B (external).