CSOs should have a compliance chart ready encompassing ISMS, the IT Act, 2000, SEBI, the Companies Act and other regulations their organisation is subject to, says Adv. Prashant Mali, Cyber Law & Cyber Security Expert.
From data center to boardroom, how do you see the responsibilities of CSOs evolve?
The CISO now shares common responsibility for all cyber crimes committed in his organisation. For example, if an organisation is traced via its IP address for a cognizable offence and the organisation lacks reasonable security practices, so that the right accused cannot be found, the CISO is implicated as the accused. The dominant trend is to rely on security solution vendors, shifting the responsibility on to the solution offered by the vendor, which is a sad state. Security needs a holistic approach backed by strong man and machine policies.
In the wake of IT Act 2000 & the Companies Act 2013, has the rule of the game changed for CISOs?
The IT Act, 2000 and the Companies Act, 2013 have made the CISO a statutory designation, that is, a designation recognised by law, which requires all organisations to hire a CISO or designate one. CISOs have become an important resource in the organisation, and security has become a board matter.
What’s new when it comes to legal mandates for information security and risk management pros?
Compliance with the IT Act, 2000 as mandated by Section 43A, and the increasing requirements for electronic evidence storage and management to address any legal risks arising in organisations, are really important.
What’s your advice for CSOs to have smooth sailing with regard to implementation of best practices keeping in mind regulations, compliance, etc?
CSOs should have a compliance chart ready encompassing ISMS, the IT Act, 2000, SEBI, the Companies Act and other rules and regulations their organisation is subject to. The CSO needs to become the "Security Hawk" of the organisation, because he has a legal responsibility and is also responsible for the legal risk to which his organisation is exposed.
Up to September 2014, 15,000 sites were reportedly hacked in the country, and a majority of the cases have been filed under the IT Act. What's the message for the CSO from this?
India and Indian organisations are constantly on the radar of malicious attackers. I advise that every large organisation or large group should have its own CERT. This CERT can have parallel relationships with other CERTs across countries. This brings better resilience to scenarios such as a "Zero Day Exploit" or mass "Cyber Attacks".
Mr Mali also has research interests in Cyber Warfare.