
Monday, July 11, 2011

Emergence of Information Security & the role of CISO

In the last decade or so, Information Security has emerged from within the IT function as an important element with business critical and even strategic ramifications. The emerging direct business relevance of IS has created a leadership role which has come to be known as the CISO. International standards, IT frameworks and several regulations have also sanctified the criticality of IS and thus made the role of CISO even more relevant and legitimate.


In India, IS compliance had been almost non-existent prior to the 1990s. With the opening of Indian markets and the development of intimate global market connections, IS first found its place in the BFSI sector and then in the IT/ITES sectors. Business and operational needs for security drove the next wave of IS-isation in India, which saw home-grown sectors like Telecom, Pharma, Manufacturing, Retail etc. create IS teams, primarily to protect IP and safeguard operations.

The current drive of IS is mostly powered by regulations/laws, as the Indian Govt is carving out several laws/regulations with IS intent and content in its march to join the big league of powerful nations. However, all along IS has not been treated as a core business need; rather it has been treated as a reactive measure to meet business realities (such as IT/ITES companies providing assurance to their international customers), a response to high-impact incidents (loss of a business plan etc.) or a way to comply with a law/regulation. While IS think-tanks like ISACA and ISC2 forecast the emergence of IS as a strategic function and the move of the CISO into the Corporate Boardroom, the scene in India is a little different, with a lack of clear management understanding of the business value of IS and its strategic impact. There are also numerous other related/relevant functions (such as Risk Management, BCP, Privacy, Physical Security, Intellectual Property etc.), some with their own international standards, which are vying for management attention and organisational acceptance.

The contributing factors to this situation are:
1. Lack of a Security conscious and compliant culture in India.
2. Low levels of legal/regulatory enforcement.
3. Varying Security requirements and postures across different industry sectors.

In light of the above, it may be worthwhile to deliberate on the nuances of the CISO's role in an Indian enterprise, suggest measures to bring it on par with global standards and provide higher business value. It is also recommended to study industry/sector-specific security requirements and suggest a sectoral security model as a best practice for adoption by Indian enterprises Pan-India.
