Making users aware of info security threats and working out an organization wide security policy are the top challenges for information security professionals
Most CISOs see themselves neither as tech people nor as ‘business enablers’ but as the protector of organizational information, according to a study conducted recently by CIO&Leader and CSO Forum among senior information security professionals.
When explicitly asked where they see themselves in the next three years, more than one-third of respondents said they envisage themselves as the ‘protector of organizational information and intellectual asset’. The second most popular description was ‘the prime custodian of governance and compliance’. About 21% of respondents chose this role description, while 18% chose a straight and simple ‘organizational risk manager’ as the appropriate description of their role in three years. Interestingly, they were near unanimous in rejecting fancy tags such as ‘business enablers’ and ‘creators of competitive advantage’.
This is interesting as it is in sharp contrast to the thinking of CIOs, who see themselves as business managers. This finding shows CISOs are far more assured about the contribution that they are making to the organization in their current role and are quite proud of it.
While they do not fancy ‘business’ tags, they do not see themselves as techies either—even though most of them have scores of security certifications and deal with a lot of technology in their average business day.
That is evident from what they see as their top challenges. Despite sustained and complex cyber risks, it is not thwarting attacks (and implementing the right solutions) that is bothering CISOs as much as preparing their organizations holistically. As many as 41% of respondents saw creating and/or enforcing an organization-wide security policy as the single most important challenge for them, while for another 18% it is ‘convincing top management about the risk potential of information security breaches’. While budget and skilled manpower are still seen as crucial challenges by 10% of respondents, tech challenges such as technology upgradation and vendor management rank far lower in terms of their criticality as challenges.
Another finding from the survey, conducted in May-June 2016 among more than 50 senior information security professionals in the country, only reinforces this thinking. On being asked what will keep them busy in the next 12 months, ‘mobilizing top managers to understand the importance of information security’ and ‘meeting compliance requirements’ came out as the top responses, with about 14% of respondents voting for each. ‘Creating security policies’ is the other thing that will keep most information security professionals busy in the next 12 months.
It is evident that information security professionals are struggling to bring senior managers in line with the risks of information security, and that occupies their mind space more than anything else. Asked what the one thing they would like to see changed could be, most wished to see more aware users.
Most of the CISOs—36%—report to the CIOs, the survey found.
The good news is that Indian information security professionals know exactly what they are supposed to deliver; they are distracted neither by high-decibel vendor talk nor by the promise of the fancier ‘business’ tags.
The bad news: Indian organizations need to do much more to sensitize their senior managers—not just CEOs and boards—about the risk of information security threats. Interestingly, the Reserve Bank of India, which has come out with a set of guidelines for a cyber security framework in banks, has explicitly asked that the awareness of senior managers be included as an indicator of security preparedness.