The increasing awareness of the vulnerability of organizations to cyber-security risks such as corporate espionage and compromise of intellectual property, resulting in service failures and reputational damage, has made visible the gaps in appropriate cyber-protection strategies. At the same time, the growing adoption of cloud and mobility services as essential ingredients for customer outreach or catalysts for employee mobilization has spurred the adoption of new business models and a gradual shift of information from secure internal data stores to third-party service providers and employee-owned devices. This has further increased the risk organizations face.
Unfortunately, these changes have not yet resulted in raising the visibility of the CISO function or enabling a higher degree of autonomy for the role. Over 60% of today’s CISOs still report to the CIO, and are considered a part of the IT function. In a recent show of hands by the Top 100 Indian CISOs during a panel event I moderated, over 90% voted for a more independent yet empowered structure. Most CISOs felt that the heightened accountability of the function should correspond with increased powers over budget allocations, technology adoption, recruitment decisions and operations.
Security spend is also a victim of recessionary cuts on funding and headcount, often in spite of the deficit of security resources needed to shore up a company’s defenses. To compound the situation, an inability to quantify or directly pin a business loss due to a copycat product from a competitor onto a security breach further weakens the case for spending resources on security. Most CEOs may culturally accept such incidents as part of normal business strategy and do not attribute them to the exposure or leak of sensitive information. The limited exposure of the CISO’s role to the organization’s CEO significantly limits the ability of the CISO to articulate such risks in a contextual manner to the business, consequently reducing the CEO’s visibility into cyber-security risks that could eventually impact profits & growth.
Involving the CISO in the strategic decision-making process will ensure that security is accorded due priority. The CISO’s inputs can also ensure that the business team considers security implications right from the start of a product lifecycle, and not as an afterthought or a compliance requirement that can eventually be made to fall in line. In the near future, it is very likely that CISOs will play a strategic role due to the rising cost & impact of cybercrime, and the adoption of business & technical changes due to consumerisation and the cloud.
In a poll which I ran amongst a few members of the ISF (Information Security Forum), the respondents emphatically voted for an independent & empowered CISO function which they felt would make the role more effective and strategic. This result also corresponded with the opinions shared by India’s top CISOs at the recent Top 100 CISO awards in Mumbai.