How has the role of a CISO evolved over the years?
The role of a CISO has evolved over time from an IT specialist to a management advisory role which includes business aspects, HR, physical security, vendor and partner management and regulatory compliance, and also into a client-facing role.
What kind of relation should a CISO share with a CIO?
The CIO and CISO need to work together very closely, as every project of the CIO has an aspect which requires the CISO. They complement each other, and at the same time they should challenge each other. In many organizations the CISO reports to the CIO, which results in CIOs overriding some of the controls due to conflict of interest. In my opinion the CISO should be an independent position in the second line of defense, whereas the CIO role is in the first line.
From managing IT security to managing the provider of that security, please share some tips on effectively managing vendor relationships?
Choosing the right vendor is extremely important; cost should not be the only factor to consider. CISOs need to conduct thorough due diligence and a risk assessment before signing the agreement. The vendor should be able to demonstrate effective measures to control the risks. Proper governance through regular audits and reviews of the vendor is equally important. Vendors should be treated as partners to maintain a win-win relationship.
What are the present challenges confronting CISOs?
The rapid changes in the business, regulatory and IT landscape bring about multiple challenges for the CISO. The business and IT teams need to change processes and technology to keep up with market requirements, and many times risks are either not assessed or overlooked, resulting in business losses. CISOs need to keep pace with the changes and provide practical solutions to the business. In the current economic scenario, budget and resource constraints pose a major challenge as well.
How do you measure acceptable and unacceptable risk? And how do you balance it against each other?
Each organization has its own risk appetite, which the management needs to arrive at. The CISO’s role is to assess the risk and present a clear picture to the management and enable them to take a decision on accepting or not accepting the risk. Risk measurement is an art and a science: some risks can be quantified, whereas some risks can only be measured in qualitative terms.
From prohibiting to policy making, what are the key ingredients to create the right policy?
The policy should be created keeping the business objective in mind: short and simple, easy to understand, and practical and cost-effective to implement. Otherwise it will remain just another piece of paper that no one reads or follows.