Security Is No Longer Just CIOs' Headache

by Priyanka Pugaokar    Nov 18, 2016


Enterprise security is largely considered the responsibility of the CIO or CISO, the C-suite executive who defines the security architecture of an organization to ensure a greater level of protection from sophisticated cyber threats. Looking at the security landscape of the past few years, threat variants have become more powerful and more complex.

In a scenario where cyber crooks are not only writing malware to pilfer money but declaring cyber-war against establishments and nations, a strong and robust counter-attack mechanism is the only way to fight organized cybercrime groups. Security is a vast issue whose many critical components are intertwined with each other. Therefore, it is no longer a subject that falls solely under the CIO's ambit, but a shared responsibility of all the stakeholders of an organization.

Cyber Security: A Shared Liability 

The recent massive ATM card hacks and serious attacks on critical establishments in the country have prompted enterprises to frame strong security guidelines. Enterprises need to tackle not only external threats but also the danger posed by insiders. It is a fact that humans are the weakest link in a security infrastructure. A recent report from security firm Forcepoint states that a large number of enterprises are not even aware of the risks posed by insiders. Hence, it is critical to monitor the online behavior of employees, as well as of outsiders such as partners and customers, to mitigate the risk of threats entering the organization through people.

“Employees are an integral part of an organization and are the key internal users. Our research on security breaches has revealed that many hacks or attacks are known to occur due to negligence by unsuspecting employees, such as opening unknown files from unknown emails. Hence, today it is very important that an organization creates strong policies for employees on IT usage and creates awareness about the preventive methods to keep the IT network safe”, says Govind Rammurthy, MD at eScan.

When it comes to a security framework, some of the most critical areas for consideration are policy and information governance. High-level decisions on policy and the organization's approach to information security need to come from the offices of C-level executives. These are areas where the Board and senior leadership can make a substantial contribution to an organization's security.

“A key function of the Board is to assess risk and make appropriate trade-offs to manage it, while considering the impact across the organization. In conjunction with the CIO/ CISO and the rest of the C-Suite, the Board must consider and proactively manage security versus many other factors, including cost, performance, agility, resource allocation, autonomy and empowerment, strategic initiatives, projects and planning, and go-to-market”, says Rajesh Maurya, Regional Director, India & SAARC, Fortinet.

Awareness is a major component of cyber security policy. Unfortunately, it is the area where the majority of Indian enterprises lag behind. Unlike developed economies such as the USA and the UK, where stringent cyber security laws are in place, it is still not a compliance issue in India. Good security is all about education, awareness and individual responsibility; hence, the roles of, and coordination among, the various departments of an organization become very important for a holistic security framework.

“Cybersecurity is a shared responsibility and each of us has a role to play and everyone should take basic cybersecurity measures that can improve both individual and our collective safety online. The CISO designs and executes the strategy to meet these cybersecurity needs and every employee is responsible for ensuring they adopt and follow the required practices”, says Sunil Gupta, president and COO at Paladion Networks.


Evolving Role Of CISOs 

The change in business dynamics, combined with infrastructure modernization, has caused the threat landscape to evolve: security is no longer a point product but an architectural need. Until a few years ago, security was largely addressed by CIOs. However, given the rapidly changing security landscape, specialist security executives called Chief Information Security Officers (CISOs) are now framing organizations' security policies in a big way.

“CIOs and CISOs now have a responsibility to deliver value and growth to an organization. Today, enterprises need IT teams to be agile, adaptive, and quick to deliver value to the business faster. CIOs need to maintain that agility to match and sustain the technology expectations of employees. As more employees tap into the mobility the cloud offers, IT teams would need to match employee expectations of the technology that surrounds them while protecting data in transit”, says Atul Anchan, Director, Systems Engineering, India, Symantec.

As attacks against businesses hit the headlines with regularity, it is no longer a question of if or when organizations will be attacked, but how often. Hence, security is no longer an IT agenda but a boardroom agenda, in which the CIO and CISO have crucial roles to play. As digitization spreads and more broadband becomes available, security becomes more of a challenge, and CIOs and CISOs need to ensure not only that they are on top of industry threats and developments, but that they work closely with skilled security professionals, educate staff about the dangers and about how to patch systems, and remain security-wise.

“Today, specialized targeted attacks have become increasingly more prevalent, and these kinds of specific attacks are much more difficult to prevent. In such a scenario, CIOs, CSO, CISOs and other executives need to take security a lot more seriously. They have a priority role to play in security and they need to understand this role now more than ever”, says Altaf Halde, Managing Director at Kaspersky Lab South Asia.

Not only the CISO's role but also that of the Chief Financial Officer (CFO) or Chief Protection Officer (CPO) has transformed with respect to security. Cybersecurity potentially puts a company's finances and value at risk, challenges compliance and regulatory strategies, and increases the need for mature policies and practices that safeguard a company's data and overall security. Therefore, a CFO, as a strategic business and risk management executive, needs to provide significant oversight and guidance in these areas, since security is no longer an “IT only” matter.


Need Of Critical Approach

Business continuity today depends on the robustness of a network to cater to the demands of both internal and external users and so facilitate smooth business. Hence, security plays a major role as the cornerstone of an IT network. However, it is not the responsibility of the CIO or CISO alone to make sure that the network runs seamlessly and safely at all times. Every single employee in an organization needs to ensure that their online behavior does not compromise the security framework designed by the IT team.

A comprehensive, multi-layered approach is essential to secure a company's IT infrastructure. At the same time, the convergence of five trends, i.e. cloud, mobility, big data, identity (professional and personal) and the Internet of Things (IoT), presents a unique opportunity for CIOs and IT teams. Regular security audits and third-party security checks, training and education of employees, and assessment of endpoint protection and MDM tools are some of the ways to build a robust and resilient security architecture. However, people will always remain a critical and sensitive component of such architectures.
