Tell us in brief about your career as a CISO/Security professional. How have you seen your role evolving with time and pressure?
The journey in the information security field is challenging and at the same time rewarding because of the significance of the field and the momentum it has received. When I joined Etisalat, there were only around 10,000 internet users. It was just the start of a boom, and then slowly the need for security of information became prominent. The role became more vital in the financial sector, because regulations are tighter in that sector and the tangible losses associated with information security, and the risks, were very significant. The CISO role was initially focused on Information Technology, but the position, role and function are gaining more relevance and becoming independent. In some organizations, a CISO reports to a Chief Risk Officer or a CIO, while in others the CISO reports directly to the CEO or the board. All of this depends upon the maturity of the organization.
With the evolution of the role, the pressure and the challenges associated with it are also increasing. Information security is about how information is secured by having the right controls in technology, people and process that protect the information and services of the organization from internal and external threats.
As a CISO, what kind of gap do you see in the enterprise security space today?
One of the key gaps in enterprise security that I see today is the lack of a holistic approach towards security. Security is in bits and pieces while being technology driven and buying the latest solutions. A lot of wrong decisions are made while buying and implementing solutions without understanding the requirements and risks and without addressing the root causes of the issue. In IT, the right approach should be to get the balance of security and business requirements in such a way that security supports and enables the success of the organization. Some of the mistakes organizations make are running behind the flashy, extravagant latest solution and forgetting about the fundamentals. Basics are the most important element for an organization to build a robust security environment.
Another mistake in many organizations is not giving the right authority to the security managers or CISOs. If someone wants to enable or transform information security across the organization, he has to be able to lead, drive and take decisions and change processes without being arrogant, and at the same time take stern steps so that things can be in better shape. Information security is much bigger than the risk management or technology-oriented part. It is a business-driven function which is to be placed under the top management umbrella.
What would be your expectation from a security solutions/services provider?
A solution or service provider should be more transparent in their approach. They need to be selling and making money, which is their business, but at the same time they have to ensure that they are providing the services and solutions required for the business, organizations and clients, and that the delivery is meeting the expectations. Without comprehensive management of projects, both the client and the vendor will be at a loss. They need to make sure that the organization has the right skillset, and they need to advise on running and managing the solutions.
When it comes to security, we all would agree that there is no such thing as 100% secure. But, as a CISO, how do you gear up to best protect your organization from outsider as well as insider threats?
100% security cannot be promised by anyone. We do our best to manage, protect, detect, respond and recover. People, process and technology should be in place to tackle any security threats. If something goes bad and there is a disaster, the best way to recover in an effective manner should be part of a security programme or activity. Security is about management of risks. There are risks which need to be accepted, transferred or mitigated according to their rating. There should be a risk management framework for the organization, based on which risk assessment should be done for effective security control implementation.