A few weeks after the white paper on a data protection framework for India was published, I wanted to know what CISOs thought about it. At an event, I posed this informally to more than 20 CISOs, many of them from B2C businesses. Only three knew that such a paper existed. Only one of the three—from the telecom industry—had actually read the white paper. By the way, GDPR was already a buzzword by then, but since many of them had nothing to do with GDPR, it remained just that—a buzzword—for them.
I am sure that, in a matter of a few months, the Personal Data Protection Bill (hopefully an Act by then) will be one of the most discussed topics among Indian CISOs. Many organizations may opt to make their CISOs the Data Protection Officers mandated by the draft bill. The same people who had not heard of the legislation will then handle the most important responsibility associated with the new regulation.
Many CISOs are already overburdened. When I say overburdened, I am not pointing to the quantity of work but to the diversity of responsibility. Diverse responsibilities require a lot of mind space.
Cyber threats continue to rise. The World Economic Forum, in its 2019 Global Risks Report, identified two cyber threats—data theft/fraud and cyberattacks—among the five most likely risks for the world in 2019.
Yet many organizations have still to realize the strategic importance of CISOs. Many regulated businesses—such as banking and insurance—have full-fledged CISOs because the regulators in those sectors mandate the position. Those CISOs sit at a certain seniority level because the regulators mandate that. They sit outside the enterprise IT department because the regulators specify that. In many businesses where there is no such mandate, CISOs either do not exist as CISOs or report to CIOs. In many cases, CIOs themselves handle the responsibility.
There is a lot of rethinking needed about the CISO position. The position is not just evolving, it is in search of an identity. Is the CISO the custodian of the organization's information assets? The protector of IT systems and assets? The chief of compliance? Or the protector of consumer data?
It is easy to say—all of the above. But these functions have different objectives and different strategic significance for different organizations. A serious effort to define a meaningful CISO role is imperative.