At the CISO Platform Annual Summit 2017, we held a panel discussion on Prioritizing Security Investments for 2018, with industry stalwarts Durga Prasad Dube (Senior Vice President, Reliance Industries Ltd), Sanjivan S Shirke (SVP, Head-Information Sec., UTI AMC Ltd.), Sachchidanand M (Director, JM Financial Ltd.), and Natarajan V (Chief Manager IS GRC, BPCL).
Key Learnings - Prioritizing Security Investments for 2018
1. Investment in security should be part of the business strategy:
Any security investment is a long-term investment, whether it is for endpoint protection, perimeter control or any other control that protects the organisation's assets.
2. Risk Assessment is a must in prioritisation:
In order to prioritise investment in cyber security, a Risk Assessment exercise has to be done to identify the highest risks. Once the Risk Assessment is completed and the findings are rated as high, medium and low risk, investments should be prioritised accordingly.
3. Some exceptions to Risk Assessment while prioritising Security Investments:
However, certain security investments need not wait for a Risk Assessment exercise. These concern emerging threats such as Ransomware and DDoS attacks, where anti-threat protection or DDoS mitigation services are becoming a must and form part of best practices; adopting them demonstrates due diligence on the part of the organisation. Such risks cannot be anticipated in advance and need to be addressed urgently because of the impact these newer threats create at the State / Industry level.
4. Focus on Awareness:
Many a time, investment in employee awareness and strong monitoring is overlooked and not addressed appropriately. There should be a practice of investing in these two areas consistently.
A good question was raised from the audience: after investing in and putting controls in place, is the risk avoided? The panel's answer was that no security control can eliminate risk completely; the risk will be minimised, but there will always be residual risk, which the organisation can either accept or transfer, for example the loss from data theft, which nowadays can be insured.
Another question from the audience was how to justify investments in security. The panel's answer was that one should set up a security Dashboard and provide daily updates to top management, and periodic updates to the Board, in terms of:
Is ROI in Security possible? The panel's answer was Yes: in the case of online transactions, one can determine what percentage of business is done through the web portal. If the website is down for a day due to a security attack, one day's revenue for that percentage of business can be shown as the loss.
Note: for BFSI organisations, the loss could be massive if actually calculated.