Balancing Compliance, Business Risk Security Strategies
Security Head at Credit-Rating Bureau Shares Insights on Setting Security Priorities
While the push for security in regulated industries is compliance driven, it's essential for organizations to also develop security strategies based on business risks, says A. Shiju Rawther, head of infrastructure and security operations at a leading credit-rating bureau in India.
"Successfully marrying compliance challenges and risk challenges for a holistic approach to security is where the practitioner comes into the picture," he says. "And the biggest challenge in bringing all this together is putting the right mitigations in the right place, having considered both aspects - compliance and risk - to achieve the desired balanced security posture."
In this exclusive interview with Information Security Media Group (see edited transcript below), Rawther discusses:
- Balancing risk-based vs. compliance-based approaches;
- Achieving a proactive security stance in the current environment;
- Communicating security issues to the management.
Rawther has more than 16 years of experience in IT infrastructure and security. He currently heads the IT infrastructure and security operations for a leading financial services company, specializing in positioning the technology and security functions as business transformation initiatives. Previously, he worked at Sify Limited, Primus Telecommunications India Ltd., Wipro Infotech, Gateway Terminals India, PCS Technology Ltd. and Fullerton India Credit Company Ltd.
Compliance vs. Risk
VARUN HARAN: What is your sense of how practitioners can tread the fine line between compliance-driven security and risk-driven security?
A. SHIJU RAWTHER: It's a challenge to find the balance because these are two sides of the same coin and every practitioner has to deal with this issue. If you look at the risk perspective, each organization is exposed to many kinds of risks today - human risk, technology risk, process risk, etc. On the compliance side of the table are numerous regulatory compliances depending on your industry. And there will be customer and shareholder audits - each with its own nuances. Successfully marrying compliance challenges and risk challenges for a holistic approach to security is where the practitioner comes into the picture.
At my organization, we do risk analysis in terms of all the above-mentioned aspects - technology, process and people. However, risk analysis cannot be limited to business return on investment. It has to be mapped to compliance and regulatory norms. You need to decide how you plan to mitigate each risk. Given that each risk can be mitigated either through technology, through process or through people (awareness), or a combination of these, the biggest challenge in bringing all this together is putting the right things in the right place to achieve a balanced security posture.
HARAN: What is your approach to achieving such a posture?
RAWTHER: I like to look at everything that can go wrong for a business and plan remediation accordingly - in keeping with the above philosophy. For instance, the short-term issue from a cyberattack or breach has compliance ramifications; the long-term damage is to the brand, which will adversely affect the business.
As a practitioner, I suggest taking a proactive approach. Keep an eye on the market to know what's going on. Keep tabs on your own industry in terms of developments and challenges being faced by others. Keep a lookout for incidents and developments in the security arena from around the world that can possibly affect your business. Map all these risks to your mitigation plans.
Understand Business Risk
HARAN: While regulated industries seem to be a lot more mature in security because of regulatory oversight, they may not be thinking of security from a business risk point of view. Which do you think is the greater - a focus on business risk or compliance? Where should the practitioner focus more?
RAWTHER: Everyone today is in the habit of running toward compliance just to mitigate those risks and obligations. But this is a short-term approach. If you look at the long-term picture, business risks need to take precedence because they are more dangerous. In a competitive market, if something goes wrong from a business point of view, at the pace at which business is conducted today, any damage to the brand reputation can mean significant losses.
Business risk is generally neglected because, unlike compliance-driven mandates, where there is accountability to people who follow up with you, the business risk-driven approach has to be proactive - a self-starter. But for a business, nothing should be more important than putting the stakeholders' and customers' interests first.
A New Mindset
HARAN: Can you share some recommendations for regulated verticals on how they can make a good case for business risk-driven security? Because these organizations are generally extremely compliance focused. How can they break out of this compliance-only mindset?
RAWTHER: First of all, frequent audits should be in place. Today, the scenario in regulated industries is such that audits take place at the regulator's discretion. There should be a scheduled internal mechanism for audits and proactive measures from the business to report to regulatory bodies. It should be a top-to-bottom approach, rather than just the backend people trying to plug the compliance gaps.
The security culture need not just be driven out of one office, like the CRO's or CTO's. The top rung of the business needs to be educated so that this culture is driven down. In my experience, if the message comes from the CEO's desk, for instance, the entire organization falls in line without a hitch.
CISO's Elevator Pitch
HARAN: What approach can a CISO in a regulated industry take to educate the top management and get the right mindshare to put these practices into place down the hierarchy?
RAWTHER: Regular and direct interactions with the top management are key for any CISO. A CISO should not just think from a security perspective. If a CISO thinks from an overall information perspective - a business perspective going beyond just IT security - this can make the task a lot more proactive.
I think the CISOs today lack the maturity to present security appropriately to the management. CISOs should focus on their "elevator pitches" - a 15-30 second rundown that they can present to the management that will grab their attention. Prepare for the questions a CEO may ask of you; what should be the appropriate answer from a business perspective? This is something CISOs can prepare and plan. How well a CISO is able to grab the management's mindshare plays a big part in these direct interactions.
CISOs need to talk from a strategic perspective to management and give them a clear picture of how secure an organization is and the level of information security risk. For instance, if you can tell your CEO that the organization is 90 percent secure, the obvious reaction will be: What is the 10 percent that we are short on? The first buy-in needs to be at the top end for the awareness and concern to percolate down the hierarchy. A usual consequence is that a team with the right stakeholders comes into the picture to understand and mitigate the concerns.