A CISO, a CIO and a CTO Discuss Cybersecurity StrategiesUsing Security as a Business Enabler
The cross-functional groups across enterprises need to be held equally accountable for cybersecurity, viewing security is a business enabler.
That was the consensus of a CISO, CTO and a CIO who participated in a panel discussion at the Information Security Media Group's recent Cybersecurity Summit in Mumbai.
"While enterprises do understand the proximity between the CTOs and CIOs, and each one is gung-ho about carrying out big things with high aspirations, it is always critical to set the rules of the game when it comes to securing the processes and the responsibility therein," said Sandip Chakraborty, CTO at Edelweiss General Insurance Co. Ltd. "While the CISOs and CTOs do not cross lines, there are lot of functions that CISOs and CTOs jointly do, and there is a lot of scope for enhancing the coordination to make the environment secure."
CIOs and CTOs must work closely together to ensure system availability and security, said Sridhar Sidhu, senior vice president of enterprise information security at Wells Fargo.
The panelists agreed that most enterprises have come a long way in dealing with security, pointing out that many now have an enterprise risk management framework. But too many organizations have failed to clearly define who has responsibility for cybersecurity.
"The problem is that CISOs are hired for the reason that they are made accountable for security or any breach incidents that may occur, which is a wrong model," Dutta said. "In mature organizations, CTOs and CIOs also need to be made accountable for security breaches so that if one happens ... the coordination happens on its own without any disagreements. The conflicts can be resolved if risks and vulnerabilities are communicated effectively. In my opinion, the accountability starts from the top."
Chakraborty argued that CISOs need to be perceived as business enablers and consultants who are helping CTOs by providing meaningful logs that can be less vulnerable to threats.
CTOs are responsible for deploying new technologies and applications and new projects, and they need the CISO's support to help avoid any business disruptions, he said.
Sidhu said there's a growing appreciation that the security department cannot function without the help of the CTO and a CIO, so building trust is essential.
Many companies' boards of directors have overlooked cybersecurity responsibilities, preferring to leave them to the "experts," the panelists said. But that approach is no longer viable, they said, because the board needs to set the strategy for the organization.
In most mature organizations, the CISO now reports to the CIO to help ensure faster response to cyber incidents, the panelists said.
Meanwhile, Dutta said, more organizations are adopting a self-service model where automation is the name of the game. "Since automation is enhancing the capabilities around detection and visibility into networks and apps with the help of machine learning data science, security teams are working closely with both CIOs and CTOs in bridging the gaps," Dutta said.
Although understanding risks is critical for both the CIO and CTO, the first steps toward securing the ecosystem should come from the CISO and his team, the panelists concluded.