The story behind getting into information security started at a library. During my third year of B.Tech, I went to the library to find some books on network security. Eventually, I discovered a few on ethical hacking, cracking operating systems, etc. That’s how it started initially, and later I completed a few certifications as well. Today I head the information security department of an Indian company and enjoy new challenges every day.
A CISO usually wears many hats. The major part of my roles and responsibilities can be divided into three sections. The first and most important task is to continuously assess risk and compliance. Depending on the vertical you are functioning in, you must be able to comply with the different applicable standards. The second thing that I must talk about is vendor management, in which you have to be careful about intellectual property rights and related regulations. Thirdly, you have to keep an eye on the data points and ensure strict security control measures are in place. A single data breach can invite a huge penalty. That’s why you have to stay on top of things. In addition, you have to meet client expectations, including compliance with different regulations such as ISO 27001, HIPAA, etc., and look at the ITGC audit as well.
One of the fundamental issues that companies face today is the lack of a reliable cybersecurity team and the right set of tools. The people who work behind the scenes are equally important as the tools. This is why most of the companies outsource the data security bit of their business. As an organization, you must ensure that your business data is in good hands.
The demand for cybersecurity professionals has been growing over the years. That’s why it is a good time to start if you are planning to build a career in network security or cybersecurity. Companies pay handsome salaries to professionals experienced in compliance management or even ethical hacking.
The best practice, in this case, includes ensuring a strong due diligence process. While drawing up the contract, companies usually include contractual obligations that consist of different clauses such as confidentiality, privacy, and right to audit. Also, when you audit the assessment annually, you will get a fair idea of whether the vendor is following the latest information security practices or not.
A CISO needs to be aware of the threat landscape with respect to his company. Usually, the best way to go about it is to keep an eye on different cybersecurity forums such as CIS Security, CIO Security, and so on. Also, you must have up-to-the-minute knowledge of different tools, databases, and vulnerabilities.
CISOs are definitely responsible for any data breach that happens. But with continuous data point assessments, CISOs will be able to stay confident about the process deployed in keeping the data secure. Some breaches can be managed internally as well.
Any critical data breach involving client data will impact many things, including your reputation, stock prices, client and investor relations, etc. Most companies hire third-party experts in order to identify the issues after an attack happens. That is why it is crucial to have a SOC (Security Operations Center) cyber team in place.
Recently the Indian Government has banned 59 apps on the ground of data privacy and information security. But that probably has nothing to do with Chinese smartphones. As long as the smartphones and software by Chinese brands adhere to the regulations set by the Government of India, there shouldn’t be any problem.