As CISOs we have to find methods to help businesses achieve the goals
I started working as an infrastructure consultant with a company based in Indore, Madhya Pradesh. After a 2-year stint, I moved to Mumbai and worked for a bank’s offshore processing center in their support team for 4 months. I was always fascinated by Information Security as a profession; Shoppers Stop offered me a role in the year 2003. I accepted the opportunity and joined the IT team as information security officer. When I joined Shoppers Stop, the company had very few retail stores; however, it had an ambitious plan to grow as a company. During the course of 10 years of my association with Shoppers Stop, the company has grown and I have had the opportunity to grow and develop personally and professionally.
Information Security as a profession
During my brief stint at a leading bank’s data processing arm, I understood the nuances of information security and the challenges of protecting information and assets. The very idea of creating processes and integrating them with technology excited me. Having access to the bank’s processes and methods of securing systems, I was fascinated with the way security was integrated into the operations of the company. This experience influenced me to take the plunge into the world of Information Security.
Big challenges CISOs are facing today
As the penetration of broadband, internet and smartphones increases, alongside the adoption of many consumer-oriented technologies in business, the risk levels also increase. The traditional datacenter architectures are not good enough to protect against new-age threats. As we see internet, smartphones, cloud and big data evolve, there is a constant requirement to integrate all these things together. For example, secure accessibility of analytics on an employee’s smartphone becomes a business enabler. We cannot stop them by saying it isn’t secure. As CISOs we have to find methods to help businesses achieve their goals by enabling them with tools in line with the latest technological evolution while still protecting our assets.
Information Security Outsourcing
It is always difficult for a small company to set up a comprehensive information security function. Hence a substantial part of the operations, such as the security operations center, vulnerability assessment, remediation etc., can be outsourced. However, companies may need to build in-house expertise for compliance and governance functions because outsourcing these aspects may not be effective. For large companies, a mixed approach is going to be effective, as the traditional ways of running a Security Operations Center, Vulnerability Assessment etc. are no longer effective against new-age threats. To counter these issues, the company's own team with assistance from external partners could be more effective.
Data Privacy and Data Security
Data Privacy and Data Security together provide protection to data for business and customers. Data Privacy is the appropriate use of data, whereas the objective of Data Security is to ensure data is accurate and reliable and is accessed by authorized people.
Suggestions to Information Security vendors
- Matured products & tools: Companies need to ensure that the products are tested in different environments and conditions to make them reliable and mature.
- Better support models: Security companies should look at improving processes and using better tools so that delays in support can be reduced and quality can be improved.
- Proactive and Intelligent Products: Security vendors should provide built-in actionable tasks based on the trends and alerts, so that customers can quickly take action on them.
- Periodic Mandatory Product Deployment Reviews: Often the products are not deployed according to the standards set by the vendor, leading to post-deployment issues and poor security posture. An affordable offshore or automated review method could help customers ensure that product deployments follow best practices.