VOLUME 44, ISSUE 44 | 18 March 2015
Article of the Month
5 ways an experienced CISO should drive high-quality Information Security programs
As the number and severity of cyber-attacks and security breaches continue to rise, the presence and power of chief information security officers (CISOs) have increased significantly, and this job is now among the fastest growing positions in the corporate C-suite and senior management. In recent developments starting from early 2014 in the Sri Lankan context, several organizations (especially in the financial sector) demand a dedicated senior officer's involvement in managing information security risks within the governance framework.

The CISO's role should be to protect the organization's reputation, information assets, and intellectual property, as well as to guide the implementation of innovative technologies to ensure that all business transactions are conducted securely. To fulfil stakeholders' expectations of making the digital infrastructure a safer place to work and conduct business, the CISO needs to have insight into the overall business processes at a higher level.

The five ways below are designed to help CISOs and top-level information security officers in charge avoid the operational difficulties that complicate carrying out tactical and strategic functions.
1. The more you know your business, the more you know your playground

A deep understanding of your business is extremely important for a CISO. Because most senior CISOs have developed through a pure IT, technical or audit background, those individuals are often reluctant to understand the nature of the business they are involved in. True, your objective is to understand IT and information risks and to make sure proper controls are in place, but you won't be able to become an "excellent contributor" to the senior management forum if you remain a silent listener all the time and only become active during security discussions. Be familiar with the products and solutions you offer and the revenue-generating models, while understanding the enterprise culture in which you operate.
2. Be smart with the political landscape

Know which political battles you will win and which you will likely lose. Many information security officers face daily surprises at how information security was left out of the decision-making process, until finally a new online portal for financial transactions is live and exposed to the internet. This is where a CISO should demonstrate executive maturity. Always re-establish positive and productive relationships with business owners. Argue with facts and business-related points. Don't mention any bits and bytes; they hate it. Speak business. Give examples. Be a good communicator. Otherwise you will just be a member occupying a back seat in the C-suite.
3. Be a salesman for the entire organization

As a CISO, you play a distributed role. Ultimately you will be the person justifying the "Info-Sec budget", in other words selling the business case to the CEO or Board of Directors. Build strong communication skills to sell yourself and your ideas to the stakeholders. Once in a while, sit with an end user and explain why the company has blocked external USB drives and the reasons for not letting them browse cloud storage sites such as Dropbox. Spending time with all layers of an organization will be a success factor for a friendly CISO, since ultimately your security vision will be enforced on everyone at each layer who handles sensitive information assets.
4. Drop hard efforts in sustaining security resources

In today's world, chief information security officers (CISOs) are often challenged with a lack of resources, ranging from reduced budgets to lowered headcounts. In the Sri Lankan context, every year we lose talented security professionals whose objective is a comfortable lifestyle overseas. None of us can stop this until the industry matures and seeks the involvement of security officers in every critical organization. It is also impractical to pay high remuneration to Info-Sec staff while top profiles in other departments earn less. Keep a trusted external security consultant who offers great service and is strategic to the information security programs. Such advisors might be hired on a contract basis, project basis or even as a volunteer service if possible, and then CISOs can minimize the expenditure for maintaining senior-level on-site resources. CISOs should make sure they take wise decisions when selecting consultants, and they should not entertain any "security product promoters".
5. Continuous education and awareness

The CISO should also pursue continuous education, such as vendor-neutral certifications, including those offered by (ISC)2, ISACA, SANS, etc. These qualifications refresh the memory, invoke new thinking, increase credibility, and are a mandatory part of any sound internal training curriculum. Also, don't scream in front of your CEO about approving budgets for the next RSA Conference or Black Hat event when the company is going through a difficult situation. There are many modern facilities available for gaining knowledge, such as WebEx sessions with live instructor interaction. Spend some time with Google, write to forums, look out for free security educational sessions and join them as a team, explore YouTube and search for the areas you are interested in. The world of education and security updates is at your fingertips until your company performs good numbers and shows a green light for IS training budgets.
Wasantha Perera
CISSP, CRISC, ECSA, CEH (v3), Certified CISO from EC-Council USA, ISO 27001 Lead Auditor

Wasantha helps a range of commercial companies, agencies and specialist teams in the region as an independent security advisor to secure business-critical information assets. During his career he has served leading organizations including Millennium IT, N-able (a fully owned subsidiary of Hemas Holdings PLC), Bartleet Group and MAS Holdings. He is the Head of Information Security and Compliance at the Colombo Stock Exchange, the national stock exchange of Sri Lanka, and also the president of the (ISC)2 local chapter. (ISC)² is a non-profit organization which specializes in information security education and certifications and has been described as the "world's largest IT security organization". Wasantha holds bachelor's and master's degrees from the University of Peradeniya and has also received multiple prestigious awards in the security industry, including the (ISC)2 President's Award 2014, (ISC)2 Honoree in the Senior Information Security Professional category and Certified CISO Awards finalist in the EC-Council Global CISO Awards 2014.
Around the World

30 percent of organizations collecting Big data

'...The Internet of Things, or IoT, is projected to undergo massive growth with 4.9 billion IoT-connected devices in 2015 and more than 25 billion predicted to be in use by 2020, according to Gartner....'
Securing The Mobile Workforce In The Age Of BYOD

'....Your house and office need keys. Your bankcard and mobile phone need PINs. Your computer and online accounts need passwords. When it comes to software, innate security features are crucial. Those safety features are designed to protect people, the companies that hire them and data entrusted to them. Yet in a time when convenience is king, safety can often slip by the wayside – especially when it comes to mobile devices...'
HP Aruba purchase bolsters wireless networking business

'...Hewlett-Packard will purchase Aruba Networks to boost its wireless networking business, the companies announced Monday.
HP will offer US$24.67 per share, giving Aruba a $3 billion value. The deal is worth $2.7 billion taking into account Aruba's debt and cash.....'
STATE SAYS IT NEEDS TO REBUILD CLASSIFIED COMPUTER NETWORKS AFTER HACK

'...The State Department says it needs to reconstruct its classified computer systems after suffering a hack the agency has said only affected its unclassified networks.....'
Cybersecurity in 2015: What to expect

'...Information security and privacy are perennially hot topics, but as 2015 gets underway the temperature seems to be turned up particularly high. Recent months have seen high-profile cyberattacks and actual atrocities that have focused the world's attention on topics surrounding data protection, encryption, privacy and surveillance as never before....'
Month in Brief

[Chart: Facebook Incidents Reported to Sri Lanka CERT|CC in February 2015]
[Chart: Statistics - Sri Lanka CERT|CC]
CENSUS NEEDS TO STRAIGHTEN OUT PLANS FOR 2020 INTERNET OPTION, WATCHDOG SAYS

'....The Census Bureau is attempting to introduce the 2020 headcount to the digital age by offering the public the option of responding via the Internet.
Still five years away from that lofty goal, already the Government Accountability Office has spotted early warning signs that the bureau's plan is not heading for an auspicious unveiling. The watchdog report released Monday detailed miscalculated timelines and costs for the project....'
The Power of Real-Time APIs - Apple Watch and BMW

'...One of the most exciting parts of this week's Apple Watch launch was the example of the BMW watch app.
This app allows you to see the charging status of your BMWi electric car, right from your wrist.
You can also check the status of the doors of your car (important information such as if they are locked or not!). Although the star of the show was the watch app, APIs had a cameo appearance, since the information shown on the watch is fetched in real-time from APIs.....'
Google's follow-up to the high-end Chromebook Pixel is real

'...Cloud power-users, prepare to salivate: Google's back with a brand new version of its high-end luxury laptop. Oh yes, gang, it's true: It's the Chromebook Pixel, version 2.0. Like the original model, launched two years ago, the new Pixel is a top-of-the-line laptop for people committed to the cloud-centric Chrome OS lifestyle. It's similar to the first-gen device but with some significant improvements.....'
INSPECTOR GADGET, BUT FOR NUCLEAR WASTE

'.....It's not safe for humans to spend much time at the Fukushima-Daiichi power plant anymore. Four years ago, a massive tsunami hit the facility, triggering a core meltdown that earned the most severe ranking on the International Nuclear Scale – on par with the Chernobyl disaster in 1986. (It's worth noting, though, that far more radiation was released at Chernobyl than at Fukushima.)....'
CIA IS TRYING TO HACK YOUR IPHONE

'....The Central Intelligence Agency has secretly attempted for years to crack the security protections on a number of Apple products, including the iPhone and iPad, according to newly revealed documents from Edward Snowden....'
Notice Board

Training and Awareness Programmes - March 2015

| Date | Event | Venue |
|---|---|---|
| 03/10/15 | E-Learning content development programme for Pirivena Education Sector | CHPD, Pelawatte |
| 03/10/15 | Internet safety awareness | St. Mary's College, Kegalle; Kegalu Vidyalaya, Kegalle |
| 17-20/03/15 | Workshop on planning grade 7 content | CHPD |
| 16-20/03/15 | Training program for newly recruited teachers who are teaching G.C.E. (O/L) classes | ICT Lab, Ministry of Education |