Cyber Security: Why Firms Need Structured Approach

by Preeti S    Jan 30, 2015


Less than a year after taking charge as the ISACA International President Robert E Stroud has been creating awareness about security challenges faced by enterprises. Terming cyber security as the foremost emerging risk for businesses, Robert, who was the vice president of strategy and innovation at CA Technologies before joining ISACA, underlines the need for the right structure and governance models. Now in its 45th year, ISACA develops international standards, frameworks and guidance to help enterprises optimize the value of their information and systems and ensure that technology is fully integrated with the business. 

Stroud spent more than 15 years in the finance industry successfully managing multiple initiatives in both the IT and retail banking sectors related to IT service management and process governance. In an exclusive interview with CXOToday in Bengaluru, he deliberates on the changing role of CISOs and the need for businesses to adopt the right security architecture.

You recently mentioned that organisations must have a structured approach towards security. What exactly does it mean?

For a long time enterprises have had business strategies that keep changing. Now they are far more regulated, but they don’t remain constant. That is the challenge. The problem is that the business strategy must be pushed down to IT and then use IT to deliver a solution. Every time a business strategy changes, it affects IT planning. There is a disconnect. If I have a strategy I go out and do it, but when that changes, it affects other decisions. The right structure an organisation can adopt would be to align business goals with IT and then adopt the right solutions.

With evolving security concerns, how is the role of CISOs changing in organisations?

In the past, CISOs were busy building the rings of protection. The assumption was that they would protect organisation so well that none will get into it. It was a good assumption and in the past it was a good tactic. That tactic shouldn’t go away. Now it is to be supplemented by new risk and recovery management tactics whenever the situation is violated. The real difference today is that the world has changed because everything is connected. The number of threats have increased and threat volume is big and the ways to manipulate have gone up manifold. The role of a CISO now is to build a defence structure, monitor changes, investigate potential violations and then put in place a plan to tackle the situation. They need to adopt a tactical posture and build a protection layer. Essentially, they should work with peers and partners in management and ensure effective communication.

As wearable computing and IoT become part of every business, what is the best strategy a company can adopt for information security?

Everything in future will be connected and everything will change. Think of my shoes communicating with my phone to tell me what distance I have covered while running or wearable devices letting know my heart beat or blood pressure. They are positive indications. One thing is for sure that the bad guys can try any trick, but they can’t take the game. They can do their absolute best, but there are so many components that we have that help us prevent them. We have the skills to be proactive, not just reactive. Nothing can beat good security architecture. We need to think of it, we need to embed it in organisations. That fundamentally changes technology delivery.

Generally, we are wary of change in our environs. Big data plays a vital role in creating situational awareness and planning security management. Companies need to do risk assessment and protect core systems and data. They must diligently look at security needs and understand industry vulnerability and then build appropriate architecture.

There is a skill gap. Basically, the organisations need to identify their requirements. There will be people with business knowledge, those good in building resiliency or technology. Bring them into the chain and then train them.

US President Barack Obama has called for a 30-day breach notification policy for hacked companies. How can companies cope with it while keeping their reputation at stake?

Having worked in IT security industry, I know that managing reputation is the biggest challenge for businesses. The concept of breach recovery is not to affect businesses but to inform the market or the industry so that they can act appropriately. Businesses have a duty towards customer. It depends on how we implement or execute the breach process. I may not want to know if the organisation is breached or not, but I would want to know which technology, process or tool was compromised so that I can be more careful. The biggest problem is that we have many breach legislations that change with geography, every industry or sector. The legislation should be fair, responsible and shouldn’t be heavy administration on the organisation. A formal notification will help the industry.

What are the new trends you foresee in the security arena?

One thing that will change is the authentication process. The authentication behaviour will change. Passwords will become more complex. There will be more gesture authentications. Secondly, big data will bring in many changes to analytics.