Posted by: S R Balasubramanian
Chief Information Security Officer (CISO), information security, role of the CISO
I recently attended a seminar organized by a media house, titled ‘The CISO Summit’; this was the fifth edition of the seminar series. The reason why this seminar stands out is that it was exclusively for CISOs and devoted only to the subject of security. The organizers had also instituted awards honoring CISOs who had done outstanding work in various areas. I was one of the jury members deciding on the awards and was also drawn in as a panelist for one of the sessions.
The seminar was well-attended, with people drawn from different cities, and the event was well-organized. The two days of discussions proved very useful and there were quite a few takeaways for the participants. It was refreshing to see the subject of ‘security’ being given full coverage befitting its importance in today’s world of computing and connectivity. A few aspects of the seminar struck me as eye-openers and they deserve a mention here.
There was good participation, comprising mainly information security heads from various organizations. This was the fifth event in the series and I remember attending the first one five years ago. Most of the participants then were CIOs, and therefore the change in the composition of the people over the years clearly indicates that Chief Information Security Officers (CISOs) have assumed a certain level of importance in their organizations and that information security as a function is receiving the desired attention.
The survey findings
The organizers presented the findings of a survey they had conducted on various aspects of security in organizations across industry segments and companies of various sizes. An important aspect of the survey was that the responses were taken not only from CISOs but also from business heads and CEOs, which gave a wider view of the subject. When compared with previous years, the results showed improvement in CISOs’ levels, in their interaction with the Board and C-level executives, in the strategic alignment with business, in the scope of the role, and in the number of CISOs directly reporting to the CEO or COO. Responses from CEOs and CXOs also indicated an improvement in their perception and their willingness to directly participate in defining good security standards.
The seminar covered a wide variety of topics and it was heartening to see that the subject had enough breadth to fill two days of content. The sessions carried presentations and discussions on new-age threats, third-party risk management, public-private partnership in cyber security, data privacy in enterprises, Governance, Risk and Compliance, the cyber laws in India, etc. Speakers and panelists were drawn from companies (CISOs), experts, vendor representatives, heads of industry bodies like CERT and a lawyer specializing in cyber laws. We also heard of government initiatives in dealing with cyber crimes and about increasing public-private partnership on various projects. The discussions were rich and may have enhanced the knowledge levels of the participants. In short, the subject of information security was very comprehensively dealt with, laying emphasis on the fact that this discipline has matured in India and deserves a pride of place not only in organizations but on the national scene as well.
Emphasis on strategic fit
Deliberations in the seminar and a reading of the projects submitted for the awards were a clear pointer to the fact that information security is today considered an integral part of corporate governance. I found that the security measures in many of the organizations were taken up as projects which had the blessings of the management. They were in line with the organizations’ overall plans and therefore strategically aligned.
While the event had good participation, it covered only a sample of organizations in India; yet the lessons drawn are significant. Information security is being considered important in this age of all-pervasive connectivity and the consequent threats posed by many a hacker, by other rogue elements on the net, and by bad elements within. Rather than being considered a mere IT measure, it is now part of risk management and governance, and CISOs are measuring up to the task.