Being a CISO…and after

We, at ITNEXT, have been running the NEXT100 program for ten years now. Every year, a batch of 100 winners—dubbed as future CIOs—are identified. Many of them have already become CIOs. This is the only program of its kind, which goes beyond the existing set of CIOs to identify the next generation who have the potential to be CIOs. From executives who are below one level of the CIO to who are below five levels, do apply for the awards. While requirements of doing certain kinds of tasks and handling certain kind of challenges means that people with too little experience rarely make it to the top grade, the winner lists every year typically have few bright guys with just 8-10 years of experience. Caliber and talent apart, these are the guys who are aspiring to be CIOs at that age. “Not surprisingly, we get very large number of applications for the NEXT100 awards—of course, with varying degree of experience and competence”.

Encouraged by the enthusiasm, we started the NEXTCSO awards. While the CISO community—struggling for talent—welcomed it whole-heartedly and participated as jury members enthusiastically, the response from the applicants was nowhere as enthusiastic. The number of applications is still a healthy 5-6 times that of the winners, but that pales in comparison to the enthusiastic response we get for NEXT100.

Why? Does that mean there is lesser interest for security as a career?

Far from it. Going by certifications and skills upgradations, there is every reason to think that ‘security’ is the only specialized stream within IT that many professionals can think of.

In the community platforms, security is the only traditional IT area that shares the limelight with the likes of IoT, AI and machine learning.

What explains this paradox? A discussion with a group of young security professionals provided the writer some cue. Admittedly, the idea of the story came from there.

The younger security professionals do not fancy themselves as CISOs. Almost one in every two professionals said that he/she would like to be a security consultant—either independent or join the consulting firms like EY, PwC or KPMG. When specifically asked about CISO, only a handful were excited about the opportunity. In fact, a few of them—the comparatively experienced ones—dreaded the CISO job fearing it would bring to an end their challenging, exciting work and would mean ‘running after compliance deadlines.’

In short, far fewer enterprise security professionals dream of becoming CISOs than enterprise IT professionals dream of becoming CIOs. Just 10-12 professionals are too small a sample to draw conclusions from. But it is a pointer to the thinking of these professionals.

The Importance of being a CISO

One of the reasons why CISO is not such a fancied position is not that people do not like the position or job profile, but there is no clear career path to be a CISO. Consequently, there is very little awareness about the position.

In many organizations, there is no designated CISO. There is one Head of Security in the enterprise IT team reporting to the CIO. He/she is a techie familiar with IT security. In some slightly larger organization, the person is actually called a CISO though he/she still reports to the CIO.

It is only with regulated industries like banking and insurance that a designated CISO is mandated by regulation. The regulations further require that a CISO should not report to the CIO because of conflict of interest.

The reason RBI directed that CISOs “should not have a direct reporting relationship with the CIO” is clearly because there is an inherent conflict of interest. The CIO, based on business needs, would like to accelerate the project. The CISO’s job would be to ensure that proper security, checks and balances are in place.

Interestingly, this logic does apply to almost all businesses. In any business, the business guys—helped by internal IT—would like to quickly roll out a service or provide extra features to the customers; the CISO’s job is to ensure that it is done securely even if it takes a few extra days or one of the features is not available. It is a continuous trade-off leading to conflict situations between the business/IT team and the security team.

Yet, in most businesses, the Head of Security does report to the CIO. It is not that organizations do not know that the inherent conflict exists. It is a classic case of convenience winning in the convenience-rightness trade-off.

Going forward—does the balance change? That is a question each organization must answer for itself. Interestingly, the various structures that exist for organizational information/cybersecurity are directly derived from examination of this question. Needless to point, some of them are transitionary structures.

The Fauji CISOs

Unlike CIOs who almost always grow in enterprise IT or come from IT industry, a lot of CISOs come from others areas—the principal being defense and government. Defense is the single-most source of industry CISOs beyond internal IT.

Read Top CISO Movements in India in 2018 

The Many CISOs…

The raisons d'être of a CISO post often decides the responsibility handled and power enjoyed by the occupant.

Broadly, the CISOs can be divided into two classes: Industries where the position is needed for a business acquisition/regulatory reason and industries where there is no explicit requirement/mandate for a CISO.

Regulation/Customer acquisition demands it

1. Mandated by regulation: There are some businesses where a CISO post is mandated by the regulation. Often, the minimum level of CISO is defined too by regulation. These businesses have no option but to appoint a CISO. The major examples of these industries are banking and insurance. In both, it is also mandated that the CISO should not have a direct reporting relationship with the CIO. Naturally, each of the banks and insurance companies have a full-fledged CISO and they report to organizational risk function.
2. Not mandated by regulation but stringent compliance requirements: There are other industries where a CISO position is not mandated by regulations, but the industries are fairly regulated, and compliance is a big task. These businesses too have usually full-fledged CISOs with certain power. The examples include telecom, non-banking financial services, and pharma. In Reliance Jio, the CISO reports to the board. 
3. Competitive requirements: In some businesses, there may not be any regulatory requirements, but basic business models demand that you should have a CISO. The most prominent example of this type of business is IT/ITES industry. Any company worth its name in this industry would have a senior level person serving as CISOs. During due diligence and even vendor evaluation, many of the clients insist on talking to the CISO, among others to ensure that the processes or IT work that they outsource, are fully secure. Interestingly, with GDPR coming in many markets, the need for personal data protection is becoming important, especially for BPO companies dealing with European citizen’s personal data. Often, the GDPR rollout and the responsibility of personal data protection is the CISO’s responsibility.

No mandate/No need of parading

Most of the other industries do not have to appoint a CISO for satisfying a regulator or a client but increasingly a CISO position is becoming imperative. One of the top reasons is compliance—not just with regulations but also with numerous organizational governance requirements.

However, in these industries too, various structures exist:

1. Independent CISO/Reporting to risk: Some businesses do recognize the role of an independent CISO and have appointed independent CISOs. Outside the industries mentioned above, this kind of positions is still relatively rarer.
2. CISO reports to CIO: In some organizations, there is a designated CISO, who reports to the CIO. We believe most of these are interim arrangements. These are in a transition phase from model C.
3. No CISO, an Information Security Head, reports to CIO: This is the model that exists in most of the Indian companies that do not belong to the above-mentioned industries or have not yet identified security as a strategic priority.
4. CIO/CISO roles converge: This is the structure in companies where there is a great need for IT security but comparatively lesser need for data protection/thwarting targeted attacks, etc. The difference between this model and model B could be because of a few reasons, such as decision-making power at a certain level, sheer unavailability of the right people or the CIO coming from a strong security background and not letting it go.

Of course, we are ignoring companies where there are no CISOs. Such companies are becoming rarer by the day. We believe increasingly, models B and D will give way to A and C. A model A CISO would be similar to the CISOs in the industries where a CISO position is a tactical requirement (such as compliance or marketing) too.

Today, the issues that the first category of CISOs and the first sub-category (model A) CISOs from the second category discuss and what the rest discuss are very different. They are also part of the most action. Look at the list of top CISO movements presented in the box. All the 15 movements involved the first category and 13 of the new appointments in the list are in banks or insurance companies, where a CISO position is regulation-mandated.

In short, CISOs are still a new breed in other businesses.

One development—ironically regulatory—may change that. With the personal data protection (individual privacy) bill in India, in the lines of GDPR, on the anvil, it is just a matter of time before most businesses, especially the B2C companies, will come under these regulations and they will have to designate a Data Protection Officer (DPO). With the draft regulations making it explicitly clear that the DPO role need not be exclusive, many would like to have an executive who is good at technology and compliance, handling the job. Many companies who were unable to justify the investment in a full-fledged CISO can easily justify a CISO who also happens to be the DPO, or should we say it the other way round?

Read Should CISOs be the Data Protection Officers?

…and their many roles

There is so much discussion around how a CIO needs to be a multi-tasker—handling multiple strategic and tactical things at any point of time. While that is true, the responsibility of CIO, however, is one and can be precisely defined. And that is: Leveraging technology to create value for business.

A CISO, on the other hand, has to perform tasks that have different objectives.

The first—and the stated—objective is to protect organizational information asset. That is supposed to be his reason for existence.

The second—which has become a significant part of a CISO’s responsibility—is compliance. While it started with security compliance (an extension of the role), this has now expanded to include all kinds of compliance. However, with organizational and business maturity, this role may move to specialist compliance executives, who would still be part of the broader risk, compliance, security and governance organization, along with the CISO. However, for the time being, it is the CISO who is playing the role.

Third emerging role is going to be protecting the personal data of consumers, once the personal data protection regime sets in. Initially, it will be doing stated work—more like compliance work—but then will evolve to be a full-fledged work. We will see if this too evolves to a separate role. However, initially it is expected that CISOs will have to play the role of data protection officers.  

Of course, while these are clearly different roles, the stated role of protecting organizational information has also changed over the years adding far more complexity.

Two of the most fundamental changes have been:

1. Change from an effort-based responsibility to an outcome-based responsibility: With targeted and sophisticated attacks, a CISO’s job is not just to build high walls and expect that everything will be fine but to get into the combat mode, matching wits with the attackers. That is a very different ball game.
2. Change from protecting IT systems and information to ensure the business runs: A CISO’s job has traditionally been to protect information/intellectual property and IT infrastructure. With digitalization, almost all aspects of a business—manufacturing to retail—is getting automated using information technology. Protecting that is also expected from CISO. Interestingly, in many manufacturing companies, the operational teams do not expect the involvement of CIO in their technology management even if it is significantly digitalized, but they still expect CISO’s help to protect that digitalized infrastructure.

The Challenge or the Opportunity?

The World Economic Forum (WEF), in its recently released Global Risk Report 2019, has identified massive incidents of data fraud/theft and large-scale cyberattacks as the 4^th and 5^th probable global risks among its top ten most probable risks. It has also identified large-scale cyberattacks as the 7^th most impactful risk.

It is a no-brainer that organizations need far more preparations in terms of security to sail through in an era like this. Yet, most organizations do not comprehend the reality so well. Even in industries where CISOs are given power and responsibility, it is driven by tactical considerations like regulation and showcasing to customers.

It is not before long that serious businesses will get sensitized to the strategic role of CISOs. A lot depends on the current generation of CISOs to build the future path for CISOs in organizations.

They must not just rise above technology—as they are being repeatedly told—they must understand the importance of all their roles—their short and long-term implication and build strategic direction for themselves and the next generation security professionals who want to take up this important role of protecting the organization of the future—in many possible ways.

Thanks to its symbiotic relationship with regulation and consumer mindsets, the CISO roles in each of the market will be very different from each other—far more than the difference in CIO roles. That means, today’s generation of CISOs has the added responsibility of being role makers.

Read the ITNEXT January 2019 Issue

Cheap Nike Air Max 2017 For Online Sale