CISO: Time to Think Out of the Box

At a conference where I spoke recently, the big question doing the rounds was: Will the CISOs diminish from the scene very soon? They are seen as people who block the flow of information and data and are thus perceived as inhibitors, rather than facilitators, of business.

During my talk, I took a leaf out of the Mahabharata. When Arjuna surrenders himself to the lotus feet of Lord Krishna and says that he cannot fight the Kauravas as they were his relatives, the God tells him that he has only two choices. One is to follow the path of Karma, accept that his relatives had turned into his foes, fight them and emerge victorious; the other is to resist the change and die at the hands of the Kauravas. Similarly, the CISOs need to accept the change that is taking place and acknowledge that they cannot resist technological innovations.

CISOs cannot resist change for long, otherwise they will be annihilated. The reason is that any new technology that comes in to help people do their jobs faster and better cannot be stopped from getting deployed only because of the fear that it could threaten data security. It is time for CISOs to think out of the box to deal with both the advent of new technology and the possible security threats. 

The moment a new technology comes in, the CISO should look where to draw the Lakshman Rekha (demarcated line). This means that he should make the users aware of the need for security, possible threats and the boundaries within which they can use the device. He should also inform the users that any violation of the Lakshman Rekha could attract punitive action. So, instead of resisting the use of technology, CISOs should know where to draw the line.

The need of the hour is to create credibility and trust. How can that be done when security entails huge investments and is seen as a cost center rather than a profit center? This is where CISOs should look for ways to reduce costs and yet deliver a secure environment. 

For example, suppose I find that the internet usage of employees is such that they spend 20 percent of their time visiting sites like Facebook or doing some personal work, and accordingly calculate the figure for bandwidth consumption and the loss of productive time. One can always arrive at a numerical figure in terms of money.

Now, instead of stopping them from visiting personal websites, can we create kiosks where the employees can spend some time during the day doing their personal work? This is where you put a web filter in place from a security standpoint. By doing this, I am sure one can save on bandwidth cost and the loss of productivity. The gain from curtailing the bandwidth and productivity loss will be much more than the investment that the company is making in the web filters. One can always arrive at a numerical figure in terms of money and show that the cost of technology to control this will be less than the productivity loss. This would prove that security brings profit. This would be music to the ears of the CFO/CEO.

Similarly, as companies spend too much money on infrastructure and its maintenance, one could consider outsourcing processes that are not very data-critical or going in for a cloud-based pay-per-use model. This would help save capital and operational expenses for the company. This way, CISOs can demonstrate that they have saved avoidable investment for the company while managing with a limited corpus. This too is quantifiable in terms of declining expenses over the next few years.

For this to happen, CISOs will have to start thinking from a business point of view rather than the security point of view. They will have to prove that they are not part of the cost center; rather, they are part of the profit center. They might not be increasing the top line of the company, but they can improve the bottom line of the company. It is high time the business side of the CISO also comes to the fore.

About Author

Kaushal K Chaudhary

Kaushal K Chaudhary is Senior Vice President – IT & Group CISO at LANCO Infratech. He has over 23 years ...
