These three factors are critical for any organisation to run successfully in the digital age. When a single breach has the potential to bring down an entire organisation and destroy the confidence of millions of customers, this is not a matter to be taken lightly. For organisations that form part of critical information infrastructure (CII), the impact is more pervasive and is felt well beyond the enterprise. Security today therefore means continuous monitoring and the application of controls in various forms, whether logical or physical.
Governance is all about the initiatives and strategies that set the tone. It has to be taken care of at the level of the board, the regulator and other nodal agencies. It also involves customers, who these days demand better control over their data and worry about its safety when sharing it with various entities. That is a natural demand from the whole community, whether customers, regulators, government or law enforcement, and it determines the nature of controls and their design. Bharat Panchal, Senior Vice President, Head – Risk Management, National Payments Corporation of India (NPCI), talks about these issues in the book titled “Accelerating Enterprise Innovations”. The following is an excerpt from that book:
As the threat landscape keeps changing, agility in control deployment will be an essential component of any cybersecurity strategy. In risk identification, you have to be proactive rather than reactive; this helps you figure out where breaches are likely to occur. Looking at the larger picture, I believe security, risk and governance are key pillars for any business. People should not view them as deterrents but as business enablers. If these three things are taken care of, customer satisfaction is going to be much higher.
As technology becomes more aligned with business, the ability of risk and security leaders to effectively present to their management will gain importance. In the times to come, we will witness a growth in this trend and that will help in making the world a more aware and secure place.
Not Everything Is Critical
While every bit of data is an asset for an organisation, not every bit has the same criticality. As part of our risk and security framework, we have to look at a strategy to classify the data sets. CISOs and their teams need to understand one fundamental aspect of risk management: ‘Everything is not critical’. It’s no rocket science when I say that one should try to secure what is most critical. If I run an organisation, I must know which information and data sets are critical and where they are located. Not all information is critical or confidential. Assigning a risk quotient to both systems and data sets should be an important part of the overall risk and security framework. A thorough assessment of risk weightage is as necessary as putting controls and technology in place.
Important questions need to be asked: What is the risk quotient if something goes wrong in a particular area? For example, the Internet-facing servers and application servers are definitely more security-critical than the channels or servers hosting data for my internal environment.
Then comes applying controls, which need to be applied based on criticality. If everything is assigned the same critical value, the result is increased cost, effort and manpower, which should be avoided. It may not be necessary to have an equal amount of control for every environment; each should be assessed separately. A risk-based approach is crucial in today’s world, because the security threats of the digital world are dynamic. You need to have agility of control.
Excerpted from the book titled “Accelerating Enterprise Innovations”