Infosys is a global leader in consulting, technology and outsourcing solutions. We enable clients, in more than 30 countries, to stay a step ahead of emerging business trends and outperform the competition. We help them transform and thrive in a changing world by co-creating breakthrough solutions that combine strategic insights and execution excellence.
In the age of information where data is king, a company cannot be devoid of a security strategy to protect its data (and customers' data if e-company). Here are seven habits that CEOs can adopt to create a highly effective cyber security strategy
1. Leadership & Organisation:
Hiring a right leader (CISO – Chief Information Security Officer) to drive the cyber security strategy is the foundation of cyber security program of any organisation. Without a CISO, there is no link between the senior management and the security operations. The CISO plays the dual role of engaging the management and getting the sponsorship for the cyber security strategy and providing a vision to the security team for alignment and consistent delivery. Getting the right person at the helm sets the tone for what you wish to achieve for your organisation and therefore the person needs to have an optimal blend of good understanding of business, cyber security domain and leadership experience.
The other important aspect is the constitution and size of the cyber-security organisation. Cyber security is a highly specialised function and therefore needs a very specialized workforce and strength, commensurate with the cyber risks faced, complexity and size of the organisation. The organisation should be modeled to meet the current and future requirements in terms of scale, focus, defined roles, career path and minimum overlap across functions and roles. There has to be clear defined organisation wide RACI matrix (Responsible, Accountable, Consulted & Informed) which should not only define the roles of the cyber security team, but also other functions such as Information Technology, Human Resources, Legal & Compliance, Privacy etc.
2. Independence & Empowerment The cyber security team’s success is fundamentally dependent on two key factors viz. 1. Competence and 2. Independence & Empowerment. If you have the most competent cyber security team but it’s positioned at an operational level within your organisation, then it will become significantly constrained to give the desired results. This is especially true if the cyber security team or the CISO is directly reporting to CIO or head of IT of an organisation. In organisations, where there is a proper segregation in place between cyber security teams and Information Technology teams, it still important to get the balance of accountability and responsibility right amongst them. This is very important to generate a healthy friction between the teams to allow critical issues and risks, to be surfaced in a timely manner for senior management to take decisions on remediation or acceptance.
The cyber security team must be sufficiently empowered to be able to raise important issues and cyber risks, assertively and objectively to senior management and the Board. This will enable timely and direct visibility for the top management to take appropriate action.
There are different theories and formulas that are generally used to arrive at what should be the ideal spend for an organisation in cyber security. A decade back, this figure used be 4% to 5% of the total IT budget. In more recent times, this has risen to 8% to 10%. So it’s doubled. These are average spends and they tend to vary for each industry as well as size of the organisation. We also know that these spends jump to 20% or more for those organisations which are hit by a major cyber security event.
Once you make cyber security a strategic concern for your organizations, spends are a consequence of that decision. So one should invest in whatever is appropriate for your cyber risk profile of your business. This is also dependent on how much trust is built between the CISO and the senior management.
4. “Opportunity Window”
Cyber risk is probabilistic and hence dependent on threat capability and threat contact (apart from vulnerability and impact). Understanding the threat contact is of great significance for developing organization’s cyber security strategy (especially for zero day attacks). The organisations which are the first point of contact for any cyber threat are much smaller in number as compared to those which get impacted over a period of time. So there is this time span (Opportunity Window) which is available for rest of the organisations to respond and learn from these incidents and make their IT infrastructure resilient to that particular attack. This strategy can reduce the likelihood of cyber attacks to a very large extent. This can be done by building strong capability of deep visibility of your IT assets and investing in a robust threat intelligence platform and threat hunting capabilities. Both these capabilities will enable organisations to prioritize the strengthening of the cyber controls for resilience against those know and identified attacks in a timely manner.
The other important aspect to recognize is that, it’s time for organisations to declare “Zero Tolerance” when it comes to cyber security hygiene of their IT Assets.
5. Maturity model
The notion of “security being as good as its weakest link” still holds good. The adversaries need to get it right only once but the good guys all the time. Therefore the approach towards building a cyber security strategy should be holistic and comprehensive. Of course, Rome was not build in one day and so one needs to prioritize and improve on an ongoing basis. This can be done by adopting a cyber security framework, performing a gap analysis, benchmarking against your peers and then charting a roadmap for improving the maturity of your organisation holistically.
6. Risk Management
The foundation of any cyber security strategy should be business risk assessment. The cyber security team must have a good understanding of the business goals for them to then identify the cyber risks which can hamper the accomplishment of organisation business goals. The cyber risks assessment should be performed by competent teams and should be reviewed and approved by the CISO and the Information Security Council. The cyber risk management framework should be aligned with the operations risk management framework of the organisation, so that cyber risks get integrated with the organisation risk management for visibility and management.
7. Understanding the domain
There have always been expectations from CISOs to have a good understanding of the business. Given the widespread and deep impact of cyber-security incidents on business, we can now say that cyber security is now a mainstream business issue. Therefore the CEO and the leadership team can no longer afford to leave the management of this risk only to CIOs and CISOs. There is a need for CEOs and their leadership team to give sufficient amount of time to understand the different aspects of the cyber security risks and their impact to the business and take certain decisions on sponsorship for their remediation or acceptance. Unless led from the top, it may still remain a superficial or incomplete exercise. Remember, today may be your neighbor, but tomorrow, it can be you.
By Vishal Salvi, Chief Information Security Officer, Infosys