In today’s competitive world, protecting data is one of the major challenges before an organisation. A Chief Information Security Officer (CISO) can be a possible solution.
As cyber criminals loom large, it has become imperative for enterprises to give emphasis to security solutions, especially with regard to confidential information such as customer data, intellectual property, trade secrets and proprietary corporate data.
With the availability of a multitude of platforms and the ever-increasing number of mobile workers accessing information on the go, the risk of data breaches and their financial impact on organisations is now higher than ever before. Ponemon Institute’s 2009 “Global Cost of a Data Breach” report [1] revealed that the average cost of a data breach incident in the US last year was USD 6.75 million, compared to the international average of USD 3.43 million; this roughly breaks down to USD 204 per compromised record. These are alarming facts!
There has been a surge in the number of employees who access, receive and store a company’s confidential data, customer data, regulated data and intellectual property, because of which data protection and threat response have become extremely challenging in today’s business scenario.
A key solution to counter this serious threat of data loss is to recruit a Chief Information Security Officer (CISO), in addition to investing in security solutions, to provide companies with the best IT security outcomes. The CISO primarily monitors employees’ cyber behaviour within an organisation and ensures that breaches of company-related sensitive information are prevented.
Cyber attacks plague Indian enterprises
Results from Symantec’s 2010 State of Enterprise Security study show that Indian enterprises perceive cyber attacks as a bigger threat than terrorism or natural disasters. This isn’t surprising, considering that 100 per cent of the surveyed Indian enterprises reported a loss of revenue due to loss of customer and employee data, and 81 per cent reported a direct financial cost due to the spate of cyber attacks targeted at them. Moreover, 59 per cent of Indian enterprises felt that employee-owned endpoints compromised security.
The seminal cause of data breaches
To effectively prevent a data breach, it is important to identify the source from which it emerges. The anatomy of data breaches points to three primary sources: targeted attacks by malicious outsiders, well-meaning insiders and malicious insiders. Many a time, an attack is the result of a combination of these factors. Often, breaches result from employees’ negligence or ignorance in complying with internal security policies.
Saved by the CISO!
According to the IDC study “The State of Data Loss in Indian Enterprises”, sponsored by Symantec (2009), over 50 per cent of information in Indian enterprises is classified as confidential. Thus, to prevent data loss, organisations need not only to invest time in educating employees about the security policies in the system, but also to create a position for a CISO, who will ensure the consistent implementation of those policies.
Information security has always been a top priority for enterprises. This is evident from the fact that a lot of organisations have joined the bandwagon of companies that have appointed a CISO to be in charge of the day-to-day security operations and, most importantly, to strategise the company’s growth plans. This appears to be a growing positive trend, given that 44 per cent of companies employed a CISO in 2009 compared to 29 per cent in 2008, according to the 2010 PricewaterhouseCoopers survey [2].
CISOs contribute to success in organisations
Recent studies have shown that companies that have roped in CISOs are reaping the benefits of enhanced and assured data protection, as compared to organisations that have shied away from this cyber crime buster.
Within the industry, it is gradually being proven that companies experiencing the best outcomes manage their information security function through a CISO who reports to a senior Chief Information Officer (CIO). Such enterprises have become more competent by implementing standardised procedures based on frameworks (for example, ISO, HIPAA, CobiT, PCI), automating these procedures and controls, and measuring, assessing and reporting risks on a regular basis.
The final outcome for such companies is lower audit spend, reduced data theft and higher customer retention. As a result, these organisations garner larger profits, higher revenues and higher levels of business productivity from IT.
CISOs: Risk-reducing factor
It has been noticed that companies inclined towards hiring and retaining a ‘named CISO’ are evidently more successful than those that merely hire a manager of information security, who performs similar duties. The IT Policy Compliance Group found that companies with a named CISO are 10 times more likely to experience loss or theft of customer data.
In contrast, organisations where the information security function is managed at lower levels by systems and network administrators, or by managers in IT operations, are 4-8 times more likely to be among those with significantly higher rates of data loss and theft.
In addition, the best performing organisations (with CISOs) manage business productivity and risks by using policies and targets for minimum acceptable downtime and maximum acceptable risks, as well as measuring, assessing and reporting on risks daily, weekly and monthly.
CISOs make companies cost-effective
Companies with named CISOs are the most successful and experience less financial exposure from data loss and theft, along with reductions in risk.
Findings of studies conducted by the IT Policy Compliance Group show that organisations with the best outcomes spend 0.4 per cent of revenue on data loss exposure, as compared to companies with the worst outcomes, which spend 9.6 per cent of revenue on costs related to data loss.
The need for CISOs is not just an IT need but a business one also
CISOs highlight the importance of viewing security as part of the business process, rather than just an IT problem. In most organisations vexed with high rates of data loss and theft, security is left solely to be managed by IT operations without proper oversight and control. Companies with the best business outcomes manage information security at a higher level, as a quality-controlled function that involves automation of policies, procedures and controls.
According to the IT Policy Compliance Group, an average of two-thirds (66 per cent) of procedures related to the information security and assurance function are fully automated among the organisations with the best outcomes. In contrast, the worst performing organisations automate less than one-third (33 per cent) of procedures and technical controls.
In addition, the best performing organisations also automate measurement and reporting of key risks, controls and indicators on a daily, weekly and monthly basis, versus the worst performing organisations, which assess and report only once every five months.
On the whole, CISOs contribute to better business results by ensuring proper implementation of security measures, by standardising and automating procedures and by taking a strategic role within the organisation to make information security a part of the business process.
Indian enterprises need to sit up and act now. The Symantec Enterprise Security Survey 2010 states that the average revenue lost by Indian enterprises due to cyber attacks was INR 58,59,234 in 2009. This should remove all doubts on whether Indian enterprises need a CISO or not.
In this era of information explosion where cyber attacks and cases of privacy invasion are on the rise, the role of the CISO will become increasingly vital in Indian enterprises.
A CISO is akin to the modern-day cyber crime buster, and enterprises need to have one in their armoury.
- [1] Ponemon Institute, “Global Cost of a Data Breach”, 2009
- [2] PricewaterhouseCoopers, “The Global State of Information Security Survey”, 2010