Soma Tah
Security has been considered a top hindrance for businesses so far, and the CISOs, who are responsible for laying out the security strategy of the organization, are often looked upon as control freaks. You could call it an occupational hazard; but is security all about putting the right controls in place and nothing else?
No. Changing business needs, the consumerization of IT and the wake of the Internet of Everything have made enterprises revisit their security postures to build more open and resilient enterprises, asserts Sheetal Mehta, VP and global head of enterprise security solutions at Wipro Technologies.
But how close have they come to that goal? Unfortunately, the ground reality is that despite being aware of the risks businesses are exposed to in the digital era, organizations have not yet been very successful in instilling a culture of security internally. Read on.
Are enterprises making them more susceptible to risk and attacks by embracing new technology and collaboration?
Businesses are changing fast; the method of doing business today, vis-a-vis what it used to be in the past, has changed significantly. The concept of the mobile and connected enterprise has empowered employees to do business anytime and anywhere. Enterprises are shrinking on the one side and becoming boundaryless on the other, as collaboration and federation become the new norms. These changes throw enormous security challenges at organizations to protect crucial business data.
If I put myself in the shoes of a CIO, CISO or CRO, I see a complete shift in the fundamentals of security today. If you look at the recent incidents of breaches and attacks, most of them were sparked by an internal cause and got exploited by external entities later. In fact, internal users sometimes pose more of a threat than an outsider. The reason is very simple: they have access to data, and they know the security posture of the organization and its control mechanisms as well.
Is the traditional approach to security a misfit in today's enterprise environment?
As business models change, you will see a change in the threat patterns and in the ways attackers hit businesses as well. The simple rule of thumb, "Prevention is better than cure", does not work in today's dynamic scenario, and CISOs need to understand that putting controls in place is not a solution in this case.
Unfortunately, the majority of security investment decisions in businesses today are a short-term approach to deal with the issues on hand. If you look at enterprises today, you will see that they are not certain about their security posture, and hence go on adopting various controls and technologies to tackle different security threats, which lull them into a false sense of security.
Does that put additional burden on CISOs?
There is no denying that intricate patterns of attacks and a fragmented approach to security with inadequate defense mechanisms do make the job of the enterprise security community quite hard. What needs to be done is to tie these technology controls together under one umbrella, i.e. one people, process and technology framework, and drive it in a structured manner.
CISOs have to think through how they can align with business needs and be enablers of business. On the one hand, CISOs need to know the risks the businesses are exposed to, and on the other hand be nimble enough to respond quickly in a real breach or attack scenario. Applying the requisite controls across the detection and response layers is much more critical than the protection part of it.
Is security the responsibility of CISOs alone?
Security is no longer the responsibility of CISOs alone. The changed scenario within the enterprise demands a complete transformation of the CISO's role.
The first and foremost thing that needs to be done by CISOs is to make the organization understand that security and risk are not just the job of the security solution provider. Changing employee behavior is the first and foremost fundamental piece that I see businesses need to do.
To drive the conversation top down, it is important for CISOs to take the security conversation right up to the boardroom level, and convey the risks the business is carrying and the operational and financial impact of them.
We see that change happening, with CISOs spending time, effort and energy in probably four primary functions: protect, assess, detect and respond. How do I assess my environment? How do I protect my environment, and which is a potential strategy? How do I detect, and how do I respond, in case an impact or an attack happens to the enterprise?
But convincing management of the need for security is still a challenging proposition.
The CISO or CRO earlier used to consume around 6-8 percent of the CIO's budget. But that ratio has changed of late as awareness grew. The budget of CISOs has even gone up to 14-18 percent in a few industries.
For example, in the case of financial services the spending is upwards of 16 percent, and we see a generous uptake in the healthcare, energy, utilities and retail segments too, where budgets have already gone up to 14-18 percent. Manufacturing is slowly catching up on that segment.
Protection and detection activities consume most of the security investments in organizations today. But they need to invest time in streamlining their current security setup and also be future-ready. Hence, driving a risk-based governance model which maps risk and security together in a top-down approach and ensures business resilience will help them secure the required funding.