Majority of Indian CISOs are still strongly aligned with IT organization
Where do Indian chief information security officers (CISOs) stand in the organizational structure? Who do they report to? What is their relationship with other functional departments, especially IT organizations? What are their cultural/people challenges, when it comes to roll out security policy in the organization? And how are they meeting those challenges?
These are some of the questions that got asked and answered in a series of freewheeling discussions under a common theme, CISO-CXO Relationship with groups of CISOs in the recently concluded 8th CSO Summit organized by CSO Forum. The discussion, which happened in a total of five rounds, with each round having 7-8 CISOs as panelists, was conducted by a common moderator.
Apart from the qualitative discussion, CSO Forum did a quick dipstick to understand where exactly do the CISOs stand in the organizational structure. It got 30 responses from the participating CISOs.
The results are not exactly shocking. About half of the CISOs are strongly aligned with corporate IT. While one-third of them said they report to the CIOs, one-sixth of them are actually CIOs themselves, who are doubling up as CISOs. Of the rest, an encouraging 4 out of 30 CISOs report to the CEO, Chairperson or the board, while the rest report to various functional executives. In banks, all of them report to the risk organization, often called Chief Risk Officer (CRO)’s office, as mandated by the banking regulator, the Reserve Bank of India.
RBI, in its Guidelines on information security, Electronic Banking, Technology risk management and Cyber frauds, has clearly mandated that the CISO in a bank should be a “sufficiently senior level official, of the rank of GM/DGM/AGM” and he/she should “report directly to the Head of Risk Management and should not have a direct reporting relationship with the CIO”
When asked, many CISOs did agree that there can be a conflict of interest because the CIO, driven by business—many of them were explicit in mentioning marketing—could want to proceed faster while security can be seen as a decelerator.
But does not the same logic apply to other businesses?
It does, but “I guess we are mature individuals and the organization should be mature enough too”, said a CIO of a non-banking company. Many CISOs, however, justified the RBI mandate saying that the real reason behind the guideline is to drive home the point that CISOs need more prominence in the organization, the role is very important and should not be subdued.
CISOs—most of who came from IT side—did, however, argue that a CISO within an IT department is more effective. “The moment you place him outside IT, he assumes the role of an auditor; that is not the best way to roll out important security policies. As an insider, he works as a partner.”
Interestingly, most of the regulated industries such as banking, telecom, pharma and insurance have CISOs reporting to non-IT executives, though unlike RBI, other regulators do not mandate that CISO should not report to CIO.
Quite a few CISOs complain that security is seen as a hindrance and very often senior executives too do not cooperate in rolling out security policies. In fact, one banking CISO said that the banks are having CISOs only because there is an RBI mandate. “The CISOs do not have the power to be effective,” he complained.
However, the good news is that the dominant voice is that of hope, except in some Indian companies, run the old way.
Yes, we slow you down, but…
Most CISOs seem to be sensitized to the fact that some of the security measures have an immediate negative impact. “I know it slows down sales sometimes; and I feel bad when I see how it impacts the work of some of my colleagues, but then, in the interest of the long-term interest of the company, I have to go ahead and implement those policies,” says CISO of a telecom company.
Agrees another CISO, also from telecom industry. “Security is a cost and it does slow down certain things. I once got five live applications down. But then, I had no other option. The cost of a breach would be far more. These small delays and revenue loss are a price to pay for that secured feature,” he justifies.
A CISO narrated how after a big breach in a competitor’s business, the whole language of senior management changed.
At the end, though, it is a struggle for most CISOs. But they seem to know that and many are trying to work around it.
“I actually go and ask my friends at business what they see as risk. Once it comes from them, it is far easier for me to go ahead and work towards containing that risk,” says another CIO. He said that not everything should be mandated from the top. Like IT requirements, risk definitions should also emerge from the business units.
While some CISOs in older Indian companies do complain about a complete lack of understanding of risk on part of their senior management, thankfully, that is exception, rather than the rule. Slowly, but steadily, Indian organizations are waking up to the security challenge.