As a cyber-security professional within the organization, the CISO must have a thorough understanding of security and business functions, as well as act as a business enabler by implementing necessary solutions, tools, technologies, or processes that will help businesses reduce time to market while also improving security and lowering organisational risk by putting necessary governance in place.
When asked how he planned his career as a successful technology leader, Basil Dange, Chief Information Security Officer (CISO) from the financial services industry, in an exclusive interview with CIO News, said, “For me, a CISO is a person who has a broad understanding of the overall organisation’s landscape and not only that which is related to security.”
Explaining about his journey, he said, “I started my journey with an understanding of the network, as it is the backbone within the organisation.” “Think like a packet.” If you want to protect your data, you need to have a detailed understanding of where and how the data will be travelling within and outside the organisation.
Once I had a firm grasp on the network and data flow, I shifted my attention to security, as it was the next step in my journey. Getting my hands on security devices such as firewalls, IPS, WAF, DDoS protection and more, I learned how they work and how they provide visibility from layer 3 to layer 7. We’ve also begun to learn how we’ll be able to protect data throughout its entire life cycle.
After I started having interactions with the business, I understood what kind of data was important to them. So, different businesses from different industries will have varying degrees of criticality according to their business requirements. Hence, I started to implement the necessary solutions, tools, technologies, and more to protect the organisation’s data. Usually, when protecting data, there are a lot of solutions to be implemented – first you need to have complete visibility about where the data is hosted and then you need to start protecting that data.
For me, visibility is the most important asset for protecting any asset of the organization. “You can’t protect what you can’t see.”
Speaking about the challenges he faced in his career path and how he overcame them, he said, “Initially, getting opportunities was a challenge.” As I said, I started my journey with network and so, getting hands-on with security was tough. Managing networks did not get me much exposure to security.
After I started working on the security portfolio, asking the business to have the security solutions in place was a challenge, because once you try to implement security solutions around the business, it has a certain impact on the performance. For example, if you have an endpoint security solution, then it will add certain overheads to both the business as well as the information technology (IT) team because the tech team will have to manage the performance impact on the endpoints and the business, and at the same time, the tech team will be taking more time. In this case, if the business wants to implement any new product or technology in the organisation, it has to go through the security cycle. For a database, there needs to be a database activity monitoring solution and database encryption for both security and privacy, which can have a performance impact.
So, adding these kinds of controls will enhance security but will also add overhead. As a result, convincing the business of the importance of security and getting it implemented is a significant challenge.
When asked about challenges other technology leaders are facing in the current scenario while implementing digital technologies and how they can overcome the challenges they face, he said, “Now, security is being taken seriously and discussed at the management level, and so, security is not a challenge.” But, still, I see that there are certain challenges, such as the fact that talking only about security and technology with the management is not entertained. As a result, as security leaders, we must speak in a way that explains the benefits of implementing security in a business. For example, if we implement a solution for data security, how will it help the business, such as by reducing attack footprint, possible data loss, or commercial/revenue impact, while at the same time helping the business to comply with regulatory requirements? So, it will be easier to convince the management and have the necessary solutions in place.
When asked about best practices, trends, or advice he would like to give to fellow technology leaders for their successful professional journeys, he said, “As a CISO, one needs to have a diversified team member specialising in their own domain and focused in their respective areas because different areas must be projected in a relevant way to the management as well as to the regulators by having the required compliance level for the organization.”
CIO News, a proprietary of Mercadeo, produces award-winning content and resources for IT leaders across any industry through print articles and recorded video interviews on topics in the technology sector such as Digital Transformation, Artificial Intelligence (AI), Machine Learning (ML), Cloud, Robotics, Cyber-security, Data, Analytics, SOC, SASE, among other technology topics.