Traditionally looked upon as a back-end profile, the CSO position, driven by the changing IT landscape, is increasingly coming to the fore and enabling businesses to grow.
The position of a Chief Security Officer (CSO) in an enterprise has traditionally been looked upon as a back-end role. Perceiving them as business enablers was always a far-fetched scenario. For enterprise information security practitioners, it has always been a challenge to justify the spend on security implementations. The top management views security investment as buying an insurance policy, an area that nobody wants to spend on. Hence, it becomes increasingly difficult for a security leader to prove himself to be a business enabler.
So, will the CSO always remain at the back end? Can he ever position himself as a business enabler? The changing IT landscape is bringing about a change in the CSO role and perception.
The Changing IT Landscape
As Sunil Varkey, Chief Information Security Officer – Wipro, says, “The CSO role has evolved. From being a back-end guy, he has now become a business person. The role is evolving and will continue to do so, predominantly driven by the adoption of new technology, BYOD, privacy concerns and customer demands. The one thing that is certain, however, is that CSOs are increasingly coming to the fore and adding value to the business.”
Mobile phones are emerging as full-fledged computers. They are no longer looked upon only as communication devices. All the security mechanisms put in a laptop or a desktop need to be put into a phone today. Similarly, cloud is emerging as a game changer for corporates. Many companies are moving to the cloud. Their networks, which were confined to their premises, are now expanding to their vendors and partners. The success or failure of any cloud implementation hinges on security. The ‘dos and don’ts’ of cloud are determined by the associated risk, the security policies around it and the standard operating principles laid out. When it comes to security, the guardians of all these are the CSOs. Those CSOs who are proactively plotting these and exploring new avenues are increasingly getting classified as business enablers.
Walking the Extra Mile
For his part, a CSO has to walk the extra mile if he is to be looked upon as an enabler of business.
“All CISOs have the potential to be business enablers. But those CSOs running ahead of the curve and updating themselves with technologies and trends before they actually land are becoming business enablers,” says Yateen Chodnekar, Group CIO and CSO, Writer Corporation.
Giving an example of how innovation could lead to business enablement, he says, “Some banks give you alerts as soon as you swipe your card. This means they have security built into their technology stack. This is what the end customer wants. A CSO who embedded it into the stack is a business enabler. Not all banks have this feature but those that have used it to attract more business.”
Enterprise information security leaders will also have to work on their mindset. While some of them have already become enablers for their businesses, others are still struggling. To make the transition, they will have to come out of their risk-averse mold. As opposed to business people who are risk takers, CSOs are traditionally afraid to take risks. To be business enablers, they themselves need to take risks.
“There are two distinguishing categories of CSOs – those who love to say ‘No’ and those who say ‘Yes.’ The former faces the risk of elimination, while the latter is clearly a business enabler. The mindset change needed for this change is to move from the don’ts to the dos. The negativity needs to be arrested and transformed into positivity,” says Chodnekar.
Becoming Business Savvy
Businesses are demanding. The first transformation for a CSO is to challenge the status quo. Also, successfully functioning at the C-suite level demands working more as a business manager. A CSO will have to understand business and talk the language of business. Instead of discussing technology, he would have to understand the typical requirements of business and provide insights into early adopter risk curves to business unit heads.
“The rate of change of technology is rampant and the rate of threats and vulnerabilities is multifold, and hence we need to accept the fact that maybe preventing in totality is not possible, but controlling and mitigating and arresting it is a new approach that we can take. Security has to be integrated in all the touch points, and when it comes to deployment it has to be holistic; otherwise there is no point in addressing one or two corners and leaving others open,” avers Chodnekar.
Taking on additional responsibility could also help CSOs position themselves as business enablers. The emerging role of a CDO (Chief Data Officer) is one such function that CSOs can take up.
A CDO not only saves cost but also generates revenues. By applying analytics and intelligence, he can provide actionable information to strategic business unit heads in terms of market segmentation and cost analysis. This helps them in their strategizing and aids their day-to-day work.