With threats multiplying in number, form and frequency, how has the role of CISOs changed over the years? Would they be prone to more sleepless nights?
Chief information security officers (CISOs) have got a greater connection into other teams within the business. We see more CISOs getting buy-in from the board. They are able to position security as a business enabler, as they are allowing core departments to function quickly and innovate while providing some assurance of security. Of course, security cannot be guaranteed.
CISOs are explaining the risks to the board, which is now beginning to understand the risk of data breaches and cyber threats, and then allowing the business to put mitigation in place for it. They are building out 'breach preparedness' plans, which are based on the assumption that a breach will happen. But you make sure to have the capabilities to respond accordingly. You have practised how to respond and give information to law enforcement; you understand your responsibilities under particular legislation that might demand breach notifications be sent out to affected individuals. And of course you call in security professionals, such as Raytheon Websense, to help you analyse international threats.
A prepared CISO who has implemented the necessary controls based on the right business-level discussions with the board would enjoy more peaceful sleep.
Any Dos and Don'ts for CISOs to follow in 2016 for a robust security posture?
Absolutely do focus on the importance of data theft prevention tools. Coming from the position that a breach will happen, you want to make sure that the importance of data within the business is identified first: know the location of the data, know how secure it is, and know how technology plays a part once data leaves the organization. One of our predictions for 2016 is that data theft prevention will be more of a commonality across businesses as they realize the need to stop data leaving the organization. That could be from an external attacker or cybercriminal, or indeed an internal threat.
CISOs need to be apprised of any local legislation to be introduced in the next few years so that they have plenty of time to prepare, even legislation outside their jurisdiction, like the European Union data protection legislation expected in 2017. If any business stores information on European citizens, it has to understand the implications. This is very relevant to Indian businesses that work with a lot of data from the UK.
Don't underestimate the power of the board. Get the board on your side and present to them the business implications of an incident -- say, one affecting the operation of your website -- that will impact the bottom line, if you can explain the brunt of the damage that might occur.