Whether in banking or any other industry, business needs take precedence; anything less tangibly connected to organizational objectives and profitability is regarded by senior management as less important.
Information security and the concept of a CISO have struggled to gain prominence, despite ISACA’s best efforts, shouting from the rooftops that information security must be part of boards of directors’ agendas and that CISOs should be installed, reporting to the CEO.
During the late ’90s, the CISO position was always thought of as something connected to “IT.” It was more data security than information security. Even when I passed my CISA examination in 2005, I was given the role of “Data Security Officer” in my organization, reporting to the VP-IT.
In the banking sector, the CISO position was normally held by somebody handling network security and reported to the CTO (GM-IT). We had a position called “head of IT,” and the practice of designating a CIO was quite infrequent.
Then, in January 2011, the Reserve Bank of India (RBI) published the comprehensive report and recommendations of its working group on information security, electronic banking, technology risk management and cyber frauds, popularly known as the “Gopalakrishna Committee” report. This report not only mandated that the CISO position be held by a sufficiently senior-level official of the rank of GM/DGM/AGM, but also stated that the CISO should report directly to the head of risk management. Thereafter, in most banks, the CISO position sat within the risk management department and reported to the GM-Risk Management, alternatively designated as Chief Risk Officer (CRO). Interestingly, the report also mandated that the CISO should not have a direct reporting relationship with the CIO.
Not satisfied with the various banks’ response to continuing cyber attacks, RBI came out with a comprehensive cyber security framework consisting of baseline measures on 2 June 2016. Board-level sponsorship was mandated, baseline controls were established and strict compliance was required, in addition to a cyber-crisis management plan. The CISO position assumed huge relevance, and RBI expected the CISO to play a pivotal role.
Within a year, RBI once again came out with a document clearly articulating the CISO role. Apparently wanting significant improvement in banks’ remediation of cyber security attacks, the new mandate was for the CISO to report directly to the Executive Director (ED), or the equivalent, overseeing the risk management function. Therefore, the CISO now has more board visibility than ever.
In addition, the regulator very clearly positioned the CISO role along with the CRO to establish a strong risk management framework. They both should have strong communication and work together to enable a holistic risk management approach.
This is a very good development, which will make cyber security in the banking sector more effective and the position of CISO more challenging and fulfilling. Both positions report to the ED, with their respective teams, credit risk management and information risk management (IRM), backing them.
With credit risk management already established as a proper discipline, we can soon expect information risk management to mature fully into a robust discipline as it evolves to defend the entity against continuing cyberattacks and threats, and shapes itself to comply with the associated advisories from the regulatory bodies.
Very exciting times ahead!