“Outsourcing IT security requires a strong strategy in terms of controls”
Tell us in brief about your professional journey till date.
Over 20 years of rich experience across IT and Business functions as an End to End Business IT enabler, a strategic contributor, a consultant (projects and presales and integrations) , a Project Management office (inclusive of transitions, Compliances, Information Security, IT Planning & Budgeting and strategic projects), and an advisory role to the CIO and Business Heads. My journey has been extremely satisfying
and enjoyable. I am currently, serving Hindalco Industries Ltd (Aditya Birla Group) in the capacity of General Manager of IT.
Why did you choose information security as a profession?
Honestly, I never chose Infosec as a profession. I have been extremely flexible, yet quite focused in my career choices. I took over Information Security and IT Delivery as an interim functions in one of my previous stints. I found it to be a extremely interesting subject, and something which was very futuristic in its existence as a function. In the age of social media, Infosec will be pivotal for every human beings privacy and security. I enjoyed carrying out various initiatives and settled in as an Infosec professional along with the other business function which I am responsible for.
According to you what are the big challenges CISOs facing today?
Information security challenges, landscape and action plans are ever evolving and pose the biggest challenge to a CISO. A CISO, barring the BFSI domain, is still struggling to be looked upon as a CXO level person in various industries, manufacturing being one of them. This at times proves to be a roadblock for the CISOs to effective convinces the top management. A CISO is usually perceived to be an IT
professional and hence he has a challenge of being soaked up into IT Audits etc.
Traditional organizations are now adapting to newer technologies like Cloud, BYOD, Social Media etc. CISOs have a challenge on allowing or disallowing the staff from accessing these. Budgets for protection of privacy often prove to be a roadblock for the CISO to implement stringent controls.
Do you believe in ‘information security outsourcing’, and if so, to what extent?
Information Security is a relatively smaller, yet a critical part of any organization’s IT strategy. Outsourcing IT Security is a little risky, however a economical option. Building in house capabilities is an expensive option. Outsourcing IT security requires a strong strategy in terms of controls. However, the outsourced staff comes with specific skills and can be a big plus in any organizations effort to be secure.
How do you define the thin line difference between data privacy and data security?
Data security is about protecting or shielding your Private, Financial, Heal related data etc. This data without ones realization resides with many agencies that you transact with online. Data Privacy is about how one can secure the above data which is already with external agencies, which might use it in a way that may be objectionable to you, yet legally tenable, and used in a fashion which is beyond your level of perception. However, in wake of a situation where this data is compromised, the impact can be unimaginably damaging. In my view, one has a very little option when it comes to the privacy of data to be protected.
What will be your suggestions to information security vendors providing solutions to reach your expectations and satisfaction?
All the Information Security Vendors should take efforts and make investments in understanding the customers business. They can add a lot of value by identifying areas of risk, which may not have been foreseen by the businesses, since they may not perceive risks the way the experts can! This will help them to reduce/ eliminate the risk of “Loss of Reputation” to the customer that may arise due to a mean and lean understanding of his business by the vendors. They should be educating the customers on the potential threats and sharing their perspective in easily understandable language which appeals the CXOs across business functions.