What best practices should CISOs adopt to balance business growth and security threats arising from new technology models?
Speaker 1: Rakhi R Wadhwani, CISC, CPFA, InfoSec Author | Auditor
Awareness. We have to have strong awareness across the organization because without awareness, everything fails, you know.
Even if I have world-class technology, if there is a lack of awareness among the employees, things would just fail.
Speaker 2: Nader Henein, Research Director, Data Protection & Privacy, Gartner.
The best thing CISOs can do is introduce a risk assessment when it comes to the introduction of new technologies. They shouldn't just adopt new technologies because of the hype or because it's the new shiny object that's on the market.
They should look at the cost-benefit analysis. What is the benefit? The true benefit this technology brings to my enterprise. Does it address a challenge we currently face, or are we just adopting it because that's what other organizations are doing? So, CISOs, when they're adopting new technologies, need to look at the benefits of those new technologies and balance them against the risk these new technologies bring into the equation.
Speaker 3: Prateek Bhajanka, Principal Analyst, Security Risk Management, Gartner.
They don't have to be the defenders, but they can play a role where they strike a good balance between security and how the business wants to operate. So, CISOs can definitely play a role where they are communicating the right security metrics to the board of directors so that they can get buy-in from management and show how security is enabling business operations. If the communication is done well and the right metrics are being used, that will be very beneficial.
Speaker 4: Narendra Sahoo, Director, Vista Infosec.
It actually depends on the maturity level of the organization. In most of the companies that you get to see down here, CISOs are more like figureheads.
You know, they might have some political connections or they might have some minimal experience, and the company wants to keep a CISO just to fulfil some regulatory requirements. What CISOs need to do, again: they cannot do anything until senior management support is also there. And the CISO really needs to be able to convince senior management of the relevance of their own function.
Many a time, information security is seen as a hindrance.
In one line, if I can give a piece of advice to my dear friends, it is this: don't just play along with whatever senior management says, feeling that you need to say yes to everything that is being said. Assert yourself, give objective evidence. I'm sure that most management in companies are not interested in getting their systems compromised, and if a proper presentation is made on the threats being faced by the enterprise, I'm sure that many organizations would be willing to listen to you.
Speaker 5: Darshan Shanthamurthy, CEO, SISA Information Security.
CISOs have a daunting task. I should admit that it is not easy at this point in time, with technology going beyond the traditional physical perimeter.
Having said that, for CISOs there are five key learnings.
One is intelligent monitoring. The key thing is that most organizations today have to understand that you cannot prevent all breaches or all incidents from happening.
They have to monitor, and they have to monitor effectively. Effective and intelligent monitoring is the number one point.
Second is to know where the data is in their environment. A data discovery process is absolutely necessary.
And third, of course, is proper security hygiene like vulnerability management, data discovery, risk assessments and so on.
Speaker 6: Alhad Oak, Founder, YNZ LEGAL.
Essentially, when you're balancing the business growth versus risk element, CISOs should also propagate that it is not just business growth, but there is also inherent risk to the data of the client. Suppose there is a possibility of good business growth, but there is also a possibility of compromising the data of your clients. It is extremely critical that we adhere to those regulations. Currently, privacy law and these regulations are at a very early stage in India, but once they come down, there will be heavy penalties, higher penalties, for data-related pilferage.
But those kinds of cultures need to be implemented today so that at a future date these kinds of incidents do not happen, and business risk versus risk to information is evaluated on a par.