SearchSecurity.in: How would you define the CISO's role in enhancing an organization's overall information security levels?
IT is a small factor in the whole scheme of information security. The person in charge of information security should understand every business aspect [like human resources (HR), administration and legal operations]. We need to convert technical lingo into financial risks for the management's understanding. CISO's role is to guide the management when it comes to risk aligned with the line of business. So CISOs can be viewed as consultants. A CISO faces various organizational bottlenecks, since you basically police every individual's activities and find loopholes in business functions. Buy-in for security initiatives come only when top management is committed to security. SearchSecurity.in: Can you give some tips for infosec professionals on how to groom themselves to become CISOs?
Security per say cannot be taught. It is a mindset which you develop over a period of time. A security professional should have a mindset which is always be able to detect risk aligned with processes.
To build a career in infosec, you should thoroughly understand three aspects: security operations (IT network), processes and compliance. A thorough knowledge of technology is necessary, although you may not need to know every product. Also you should understand the difference between policy, processes, procedure and guidelines. These are often used interchangeably. SearchSecurity.in: How far has your role as a CISO changed over the years?
Seven years back, I was quite hands-on with technology. After I moved to Bharti Airtel, I was responsible for establishment of the information security team and audit function. Internal audit is critical, as it helps the organization to understand third party performance. These audits face resistance, and third parties often hide information. We started seeing IT audit alignment after a few audit cycles.
When I joined to Tulip as the CISO, there was a larger change in my role. It required me to get out of operational mindsets and adopt a strategic outlook. The only way to learn was through observation and interaction. I had the right people around me. You should interact with the C-level to understand business objectives and how they perceive risk. Infosec is a field where you need to learn constantly. SearchSecurity.in: Can you tell us about the infosec landscape at Tulip and your priorities for 2010?
At Tulip, security measures are being implemented a bit slowly but strategically. In the past, there were bottlenecks due to change of management, but things are stable now. I am seeing a positive change in the management's mindset; they are realizing that security should be imbibed in the organizational DNA. It will take a while to change a 12 year old organization.
With each passing day, we are getting more process oriented. My first priority is to align three critical functions — administrative, HR and IT. If you can get this alignment, you can be assured that 70% of your infosec requirements are complete. Although I am not making any specific demands in the 2010 security budget, I will ask for budgets to increase automation in the administrative and HR functions. We want to bring more control in these functions. I also take care of ISO certification for Tulip, which includes ISO 27001, ISO 9000, ISO 20000.
In 2010, I plan to deploy an end point security solution for our laptop and desktop users. We will further strengthen our perimeter security and audit functions. There will also be an increase in employee training and awareness session investments to change user mindsets.