I have seen many blogs and articles, and most of them state that a CISO needs the ability to adapt to the business. The role of the CISO in any organisation is to protect the business and bring its operations under a secured mode, under the defined policy, governance, and so on and so forth. So obviously he has to be aware of the business, the competition and, more than that, the risk to the organisation and compliance matters.
Here I am putting this from the other side of the context. Does the business also need to consider the CISO in the same perspective? Is it not required to involve the CISO in business discussions?
Of late, I was interacting with one of my senior colleagues from the CISO fraternity. It gave a very interesting insight through the real-time example he referred to.
The CFO had a KRA to implement a solution which he had shown to the management, one that would make some process easier and faster. As usual, this discussion never involved IT or INFOSEC. The CFO decided to go ahead and finalise the solution on the cloud with one of his known parties. Generally this happens in many organisations. Senior members do have contacts with start-ups or consultants within their known internal circle. To show their seniority they go ahead and finalise with those solution partners. This may be one of the encouragement activities for those consultants or start-ups, but it also needs to be seen in the context of the organisation where they are working. Fine, this order got developed as specified by the CFO and a prototype was shown in the lab environment. The CFO and his team were happy to see the GUI within the time specified. Now it was time to implement it in real time..!!
The consultants needed access to all of that IT setup to get connected and fetch real-time data. Then the discussion started with IT. Here the CISO was reporting to the CIO. The situation was such a nightmare that the CISO realised he needed to dilute the FIREWALL to make this solution work: incoming traffic was required to be kept open in order to roll out this solution. Even in the best interest of the organisation and respecting the CFO’s KRAs, he suggested some work-arounds. But this was seen as the CISO being a hard nut to crack..! Some of the other senior leaders also commented that the CISO was becoming difficult to get work done with. Here the CISO put his pen down and refused to sign off the project unless it was owned by the CFO or the CIO, and they should communicate to the management the side effects of this solution. Both were unaware of these consequences. Ultimately the CFO deferred his solution roll-out. He had to pay for the development without using it, but still he got promoted as Director Finance, which is a different story.
The CFO, after getting promoted, started to make every effort to harass this CISO to see that his orders were obeyed. The ultimate goal was to implement his solution come what may. Finally this CISO decided to resign. Probably this is what the management expected, as convinced by the CFO.
All along the CISO was honest and working in the best interest of the organisation. He was even ready to work on different solutions, but that service provider did not support that kind of environment.
Is it not required to involve the CISO at the beginning of any solution, for the organisation’s benefit? I leave the decision to fellow CISOs to think over.