Thursday, April 22, 2010

Time to Consolidate and Govern

Organizations have done a lot to secure their infrastructure, put compliance efforts in place and start on the emerging requirements that are pressing them to move toward excellence on the security front. But how much security is enough? Security is supposed to be a business enabler; it should not become a show stopper.

In my numerous discussions with CTOs and CIOs, I noted that many of them do not know why a recommendation from a consultant, or a requirement driven by their CISO / CSO, is to be honored. There were a few remarks that they go with the general opinion during the meeting, and if the majority votes to go for it, they go for it. Strange, ain't it? To me it was rather shocking. In a few other cases, the CIOs I interacted with were a little puzzled about what data is to be secured and where it lies in their network. Shocking; certainly it was a shocking revelation for me, but I had to accept it the way it is.

So what do we need now? What I call consolidation of the efforts driven to manage IT: consolidation of the overall compliance picture, which till date has been handled on an as-is, where-is, project-by-project basis, with different SMEs leading different compliance programs and no interlink between their efforts. CIOs need a deeper and clearer view of what is happening across the organizational IT landscape, with a definitive look at the requirements driven from the risk perspective.

Certainly, I am talking about establishing a governance framework within the organization to ensure that projects are not executed as standalone efforts, and that they have the required interactions between them to rule out redundant steps and duplicate control deployments. The governance framework thus established needs to run within a risk management program. That risk management program should look not only at the risks emanating from threats pertinent to the organization, but also at the threats emanating from the lack of governance over the IT landscape.

Consolidation is also needed to ensure that the organizational approach to securing data and information is top-down rather than bottom-up, since that gives better control of, and insight into, control deployment. Any control or measure deployed should then have the strict backing of the output from the risk management exercise.

This does not mean that organizations need to do away with the bottom-up approach altogether: during the risk management exercise, it is the bottom-up view that provides insight into what is working as it should and where the gaps are. The risk management exercise also needs to be supported by a business impact assessment program, to ensure that inputs from all quarters are taken into consideration when decisions are made.

The market is already moving towards governance frameworks, and there are many tools in place to address the consolidated requirements of the governance, risk and compliance (GRC) sphere; it is just that the drive is coming from vendors and OEMs, and we have yet to see organizations driving it. From where I see it, the role of the CISO needs to be molded into that of an IT risk manager, and an Office of IT Governance needs to make its way into the IT boardroom.