InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity June 2010
Industry Trend

Wanted: CISOs in India Inc

In this article the author sets out the qualities a CISO should possess in today's highly vulnerable and exposed digital business environment in order to protect the organization from unwanted incidents.

As cyber criminals become more proficient and data breaches continue to make headlines, company decision makers are making more of an effort to focus on securing sensitive information. For organizations that have critical information assets such as customer data, intellectual property, trade secrets, and proprietary corporate data, the risk of a data breach is now higher than ever before.

This growth in data breaches should come as no surprise. In a world where data is everywhere, it has become harder than ever for organizations to protect their confidential information. Complex, heterogeneous IT environments make data protection and threat response very difficult. Yet today's businesses depend on their security teams to ensure that collaboration and sharing by an increasingly mobile workforce remains safe and secure.

While the continuing onslaught of data breaches is well documented, what is far less understood is why data breaches happen, what can be done to prevent them and, more importantly, who can take sole ownership of preventing them.

And as more organizations prioritize security investments, new research sheds light on the major factors that lead to better business outcomes related to IT security. One of the main differentiators for companies with the best outcomes in IT security: having a Chief Information Security Officer (CISO).

Cyber attacks are a concern among Indian enterprises

According to the recently released findings of the Symantec Enterprise Security Survey 2010, every cyber attack on Indian enterprises in 2009 had a financial impact, with 100 percent of the surveyed organizations reporting a loss of revenue and 81 percent reporting a direct financial cost.

The root of data breaches

In order to prevent a data breach, it is essential to understand why breaches occur. Essentially, data breaches can be traced back to three primary sources: targeted attacks, well-meaning insiders and malicious insiders. In many cases, breaches are caused by a combination of these factors. For example, targeted attacks are often enabled inadvertently by well-meaning insiders who fail to comply with security policies, which can lead to a breach.

The solution to the problem: CISO

According to the IDC study on data loss prevention sponsored by Symantec (2009), over 50 percent of the information in Indian enterprises is classified as confidential. Enterprises never compromised on the prioritization of information security, despite being faced with one of the worst economic downturns in recent history. One case in point is the fact that more organizations than ever before have a Chief Information Security Officer (CISO). Forty-four percent of companies employed a CISO in 2009 compared to 29 percent in 2008, according to a 2010 PriceWaterhouseCoopers survey.[1]

As stories of data breaches continue to make headlines, more and more organizations now understand the critical need to mitigate security risks. A growing emphasis on security has changed not only the role of the CISO, but also how they are viewed by the organization’s corporate decision makers. Whereas yesterday’s CISOs used to be in charge of day-to-day security operations, today’s CISOs are strategists, partnering in a company’s growth plans.

Companies with a CISO Are More Successful

As the trend toward hiring a CISO continues to grow, the benefits of doing so have become more apparent, because there is a growing realization that organizations with CISOs actually have better outcomes than those without.

Within the industry, evidence is gradually accumulating that companies experiencing the best outcomes manage their information security function through a CISO who reports to a senior executive such as the Chief Information Officer (CIO). As a result, these enterprises are becoming more competent by implementing standardized procedures based on frameworks (e.g. ISO, HIPAA, CobiT, PCI), automating these procedures and controls, and measuring, assessing and reporting on risk on a regular basis. The final outcome is lower audit spend, reduced data theft and higher customer retention. These organizations also have larger profits, higher revenues and higher levels of business productivity from IT.

CISOs Reduce Risk

A Chief Information Security Officer can help companies be more successful, but it is important to note that the most successful companies are those with a named CISO, not just a manager of information security that performs similar duties. Companies with a named CISO are 10 times more likely to experience the least loss or theft of customer data, the IT Policy Compliance Group found.

In contrast, organizations where the information security function is being managed at lower levels within IT operations by systems and network administrators or by managers in IT operations are 4-to-8 times more likely to be among those with the highest rates of data loss and theft.

In addition, the best performing organizations (those with CISOs) manage business productivity and risks by using policies and targets for minimum acceptable downtime and maximum acceptable risks. They also measure, assess and report on risks daily, weekly and monthly. Organizations with the worst business outcomes do not have policies or targets for minimum acceptable downtime and maximum acceptable risks.

CISOs Reduce Cost

Along with reductions in risk, the most successful companies with a named CISO experience less financial exposure from data loss and theft.

One in 10 of the organizations with the best outcomes studied by the IT Policy Compliance Group spend 0.4 percent of revenue on data loss exposure compared to companies with the worst outcomes, which spend 9.6 percent of revenue on costs related to data loss.

CISOs Highlight the Need for More than Just Technology

CISOs reduce risk and cost, but they also highlight the importance of viewing security as part of the business process, rather than just an IT problem.

For organizations that are plagued with the highest rates of data loss and theft, a common management approach is to treat information security as a technology issue only. Here, security is left to IT operations to manage, without proper oversight and control.

Companies that have the best business outcomes are managing information security at a higher level as a quality-controlled function that goes beyond the technologies involved. Automation of policies, procedures and controls is an important part of the equation for those companies with the best outcomes.

Among the organizations with the best outcomes, an average of two-thirds (66 percent) of procedures and controls related to the information security and assurance function are fully automated, according to the IT Policy Compliance Group. Contrast this with the worst performing organizations, which automate less than one-third (33 percent) of procedures and technical controls.

In addition, the best performing organizations also automate measurement and reporting. These organizations assess and report on key risks, controls and indicators on a daily, weekly and monthly basis versus the worst performing organizations, which assess and report no more than every five months.

Conclusion

Simply put, CISOs contribute to better business results by ensuring that security measures are fully implemented, by standardizing and automating procedures, and by taking a strategic role within the organization to make information security a part of the business process. As to whether Indian enterprises need a CISO, findings from the Symantec Enterprise Security Survey 2010 show that the average revenue lost by Indian enterprises due to cyber attacks was INR 58,59,234 in 2009. Surely, as the information explosion continues, cyber attacks increase and cases of privacy invasion rise, the role of the CISO will become increasingly vital within Indian enterprises as well.

[1] The Global State of Information Security Survey, 2010, PriceWaterhouseCoopers

—By: Vishal Dhupar, MD, Symantec India
