The cover story of this issue is about a very old debate: should CISOs be part of the IT team? The debate is certainly old, but the whole proposition of the story is that it should be revisited in the wake of certain environmental changes—such as the rising importance of cybersecurity risks, a lot more compliance responsibility for CISOs, and a few regulators mandating that the CISO should not report to the CIO.
Interestingly, the logic on which RBI’s and IRDAI’s mandates are based is not exactly unique to the banking and insurance industries. It applies to all industries. A CIO, like most other business executives, would like to speed things up. A CISO’s job, by definition, is not to allow anything unless it is fully secure (which invariably slows things down). There is a conflict of interest.
Let me leave that debate to the community—or should I say the two communities? But essentially, the call will be taken by the organization’s leadership. The onus is on the organization to decide either way—after evaluating if they are ready for this shift.
Let’s turn our heads to the other side—are CISOs ready?
These days, when we plan any event for the CISO community, we always face a dilemma. On one side, you have the CISOs from banking, insurance, telecom, IT/ITES and a few selected companies, who are extremely aware of the issues, regulation, compliance needs and business risks. On the other side, there is the other, larger chunk who understand only technology and some immediate business priorities for their organization—with no macro view of regulatory changes. Two months after the white paper on the personal data protection bill was released, I asked a dozen-odd B2C CISOs at one of our events for comments on it. Outside insurance and telecom (no banking CISOs were present), only two knew that something like that existed, and only one of them had a fair idea of the content of that white paper.
If CISOs have to take up this organizational role, the first and foremost requirement for them is to keep an eye on regulatory changes, as compliance is one of the biggest responsibilities that will come their way.
But I think it will not be difficult. The only question is whether they wait for the organization to take that call before they start preparing, or start preparing right away for the opportunity. If they choose the latter path, maybe they will help accelerate the change.