Financial Daily from THE HINDU group of publications
Wednesday, Feb 04, 2004
eWorld - Security
Info-Tech - Insight

Oh, for a watchdog!

Preeti Pandey
NOT long ago, the IT industry was tying itself in knots trying to explain why technology and a chief technology or information officer (CTO or CIO) were critical to a company's operations. Since then, the role of a CIO has come to be appreciated by top managements of most companies. Now, it's the turn of the chief security officer's (CSO) post to command attention. Why is this role so important? What is the CSO's job that is so distinct from the technology chief's, and what challenges does the average CSO face? If these questions sound intriguing, read on...

Corporate politics is the biggest problem faced by most CSOs, according to most people in these positions. Convincing the top management team to allot the required budget for security infrastructure, putting in place a well-defined Information Security policy and proactive implementation of the policy are challenges faced by most CSOs.

However, the evolution from a CTO (chief technology officer) to CIO (chief information officer) and now the CSO (chief security officer) has been dramatic over the last two years, with incidents like the 9/11 disaster and increasing security threats through virus attacks. While global technology companies such as Oracle, Hewlett-Packard and Microsoft already have a CSO in place, there are a handful of Indian enterprises that have started to realise the importance of a CSO. India now has a growing tribe of professionals who use technology to pool information within an organisation.

The new security leader has responsibilities not merely to IT, but to improving the operational efficiency of the business and implementing cost-effective risk management measures. Those bottom-line improvements come most easily when companies treat security as a business process, assigning a single individual to coordinate the various risk management processes of the organisation.

Security professionals
Nasscom estimates a shortfall of 72,000 IT security professionals by 2006. And given an installed base of 9 million PCs in the Indian corporate scenario and over 1,00,000 companies having 30-plus desktops, "It is important for the CSO to move from the Information Technology department to the CEO's room so that the IS policy is linked to the company's business delivery model and corporate governance," reasons Anil Menon, Vice-President, Operations, SecureSynergy.

Godrej Industries, BSE, HDFC Bank, Zip Telecom, SBI Life Insurance and Birla Sun Life are examples of companies in which the Indian CSO is coming of age. And even though all these firms do not have a specific designation like the CSO on their employee lists, they have a dedicated team of IT personnel who take care of network infrastructure and security. An award such as the Chief Strategist Award 2003, instituted by IT security firm SecureSynergy, underlines the evolution of the CSO.

Mani Mulki, General Manager-IT, Godrej Industries Limited, for instance, has put in place policies that allow the company to check and trace fraudulent mails and also conducts ethical hacking to ensure that the company's network is safe from external threats. Explains Mulki, "Security is more than implementing products to trap and prevent spam mails. We realised this two years ago when we decided to have an Information Security policy in place."

With the Internet set to grow steadily and net transactions set to touch $6 trillion by 2006, it will become a vital piece of the IT opportunity. This means that data security will become paramount. According to industry estimates, companies lost around $20 billion to $30 billion in 2002, up from $13 billion in 2001. If enterprises had a good security policy in place, then the economic and financial implications of virus attacks could be controlled.

Niraj Kaushik, Country Manager, Trend Micro India, estimates that the economic and financial impact of external threats will continue to climb during 2004. On the technology front, it is interesting to note that viruses can gain entry into computer networks via instant messaging channels, such as Internet Relay Chat (IRC) programs and Time Warner Inc's ICQ service. IDC says that spam would emerge as the key transmission vehicle for viruses in 2004.

Changing security architectures and the increasing priority of security measures are catalysing the evolution of the CSO. Most organisations struggling with e-business pressures recognise that an elevated security posture is appropriate. "The title, `chief officer', should not be used lightly. Officer assumes liability. The newly assigned CSO (or equivalent) has the challenge of directing technology, policies, processes and people toward a common security posture," observes Kaushik.

So, why can't an existing technology chief assume an additional responsibility on the security front? Businesses have become technology driven and along with this the role of the CTO has shifted to that of a CSO, says S.B. Patankar, Director (Information Systems), Bombay Stock Exchange. Some of the responsibilities of the CSO include mapping technical security measures to real business needs. Typically, he helps business managers assess what security measures are really needed and negotiates with service providers to maintain service levels.

At the BSE, regular security audits including ethical hacking are conducted to prevent a security breach. BSE has also installed a network address translator to ensure that the public does not access the real Internet protocol (IP) address of the Exchange and instead accesses a virtual IP. This allows the CSO to define which protocols would be accepted by the real IP of the Exchange and which would be rejected.

According to Patankar, nearly a crore of rupees has been spent on procurement and deployment of security solutions.

But isn't it easy to merge a couple of functions? After all, earlier, it wasn't uncommon to see a finance person take charge of the technology function, especially when his company claims that only business needs drive technology adoption. No, says Patankar. "It is not possible for, say, a CFO to become a CSO since these are two different specialisations. Look at the external threats and vulnerabilities that the network infrastructure faces daily: Hacking and virus attacks as also unauthorised access to critical information. Only the CSO will be able to tackle these issues on a continuous basis along with implementing a security policy, monitoring the policy and conducting security audits."

The CSO responsible for directing the activities of the corporate security and data security functions will oversee a variety of tasks. The delineation between CSO and CTO is very clear, and in large enterprises all three entities - CIO, CTO and CSO - are very much present, with each of these individuals taking care of their issues and working in tandem towards implementing the security policy, observes Mulki. Functions of CSO include the following:

According to Kaushik, the CSO could either report to the CIO - a common arrangement - since the emphasis here would be on technical measures mitigating technical threats, or to the CFO or other business executives in very large corporations. The reason for this is that there is low tolerance for business risks and security is a combined IT and corporate function. The CSO may additionally serve on the executive council and the CIO's architectural strategy council, or equivalent. The CSO will be the direct manager of all corporate and IT security personnel.

"Critical to the success of a person responsible for electronic security is the commitment from the top management to ensure that Information Security policies are tied in with the business processes. Even though we (IT team) took nearly four to six months to convince the top management of the IS policies which we planned to implement, since the management was IT savvy, we now have a well-defined security policy in place," says Mulki.

GIL invested Rs 30-40 lakh on security measures alone, including installation of firewalls and anti-virus software from three vendors including Trend Micro, Symantec and Sophos. The proactive measures that Godrej adopted include periodic testing of passwords used by employees. Staff who had chosen passwords that were simple to crack were either penalised or pulled up by the IT team. "When we started out the exercise we found 30 per cent of the employees had chosen passwords that were easy to remember or replicate and this has come down to zero now," adds Mulki.

According to Anil Menon, Vice-President, Operations, SecureSynergy, companies have started to perceive security as critical. "This has come about very drastically with the evolution of e-commerce and e-governance. There are at least 3500 Indian companies who have put in some security measures and at least 10 Indian companies which have a CSO on their top management team," says Menon.

Interestingly, security concerns are not limited to large companies; even smaller firms like Zip Telecom, with an installed base of 150 desktops, have a dedicated team of security personnel. "We have had to distinguish between internal and external threats to protect the system and this included firewall at the e-mail gateway level and centralising net access," according to Nandu Bhat, GM-IT, Zip Telecom Ltd. Bhat, however, believes that a CSO is more relevant to a large enterprise with a huge installed base of PCs and servers than to a smaller company like Zip Telecom, wherein the responsibility of network security and maintenance of network infrastructure can be fulfilled by the same person.

Across industries though, the consensus is clear: the CSO is here to stay, and as technology adaptation becomes more accelerated and progressive, the CSO will be more closely involved with the CEO for strategising business plans and "would implement security policies within the company ensuring. Most importantly, security will no longer be an after-thought," observes Menon.

Picture by K. V. Srinivasan
Copyright © 2004, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line