The CISO role's keystones: Technology, business and risk

At a recent ISACA meeting, Vishal Salvi, HDFC Bank's CISO explained how technology, business and risk are transforming CISO roles. Here are some excerpts.

The chief information security officer's (CISO) rolehas come a long way from its erstwhile status of being a mere coordinator, to that of an evangelist of security and risks within the organization. To highlight this transformation, Vishal Salvi, the CISO of HDFC Bank recently presented a talk on 'Evolving role of CISO' at an ISACA Mumbai chapter meeting. As part of this session, Salvi explained the significance of three critical pillars -- technology, business and risk -- and how a CISO can look forward to align these aspects with the business.
Technology has traditionally been the information security department's stronghold. So identifying risk, creating a short term (as well as long term) security strategy, developing security architecture, ensuring planned implementations, and monitoring the state of security will always remain a CISO's key functions.

Salvi feels that the business team's sponsorship and engagement are critical to meet a security project's intended goals. Hence the CISO must be able to negotiate the extent to which a technology solution can help. "Even though almost 80% of information security professionals at present come from a technology background, the trend is rapidly changing," says Salvi. As a result, CISOs now have an independent reporting line outside technology in business functions like risk and operations.

CISO and the business
Every CISO needs to remember that business is the main cause behind information security's existence. Just as you require powerful brakes to control a car's performance, you need a strong and robust risk assessment team for the business to move faster. At times, the CISO can be perceived as a hurdle to business innovations or projects. "Instead of being discouraged, the CISO should think of his job as an important value addition to the business process," explains Salvi.

As information security gets increasingly aligned with business, there may be several disagreements. Hence the age old laws of Indian diplomacy, "Saam, Daam, Dand, Bhed", are very relevant for the CISO's role. It's always good to first try and discuss things out between business and technology teams. However, certain things are not negotiable. Exceptions to security policy cannot be frequent in nature. In such cases, there is a need to rethink the policy.

To effectively service business, the CISO must understand business dynamics and nuances. He needs to communicate the value of security investments to management using the business' language. To this end, the CISO can also be called a chief information sales officer.

CISOs should articulate and build security metrics which can give quantifiable results. For example, every CISO should track aspects like the number of virus incidents stopped in a day, or downtime avoided due to security controls. While doing this, CISOs should balance the value of risk and cost of control. If business understands the language of cost, productivity and profit, then the CISO can explain security using that language.

Being agile and adaptable to business imperatives is essential for taking your organization forward in the long run. Sometimes you may have to lose a few battles to win the war.

Vishal Salvi,

The CISO must understand that one size does not fit all. So his tactics should be based on a thorough understanding of the organizational culture. "Being agile and adaptable to business imperatives is essential for taking your organization forward in the long run. Sometimes you may have to lose a few battles to win the war," explains Salvi.
Learn to leverage risk
Risk is among a security initiative's critical drivers. So, along with business and technology, the CISO also needs to develop risk as his core expertise. To a large extent, regulation and compliance helps organizations to identify and mitigate risk with specified controls. The CISO needs to ensure that risk and compliance are well aligned; compliance need not be done just for its sake.

Healthy engagement with regulators (auditors) is essential to explain an enterprise's risk management and information security strategy. So the CISO should alignrisk assessment with the efforts of teams that undertake testing of security controls. An integrated approach to risk will help CIOS properly align compliance enforcement strategy, security controls, and auditor expectations. 

Organizations may have to comply with multiple regulations. According to Salvi, the best approach is to take into account the requirements of all regulations, prepare a single framework for the organization, and develop security controls that map these regulations.

While articulating business value, risk should be imbibed in every discussion. Risk assessment and metrics are developed over time. Continuous improvement in this process brings maturity to how the organization perceives risk. Today, there are tools which can automate the entire process of risk assessment — from identification of risk till remediation. So it is very clear that next generation CISOs are expected to act as business and risk leaders, rather than being mere technology heads.

Read more on IT risk management