The Situation

Information Security is usually treated as belonging to the IT function: to the uninitiated, the technology people created the problem, so they should solve it. It is true that many security risks arise from the use of technology. But a good many arise from our behaviour instead, for example the passwords we choose and how we remember or store them, whether whiteboards are wiped after a meeting, whether desks are left clear, and how people enter and leave the office. Organisations rarely recognise this and lump everything together under "Cyber Security". The question is: is there a need to look beyond technology?

The Task

Technology risks were being addressed by the organisation in order of priority, and as CISO I was on top of the challenges these brought.
But I felt there was a persistent gap: the non-technology aspects of security, and the risks they carried, were not understood.
The task I therefore took on was to establish the current risk level of the organisation as a whole, rather than focusing only on technology risks.
This was key to a holistic view of security within the organisation and to changing employee behaviour.
It would also help bring the much-needed CXO and Board level focus.

The Action / Approach

During my time as CISO, I set out to understand the other elements that pose a security risk in an organisational setting. To this end, a specialised audit was performed: an auditor was issued general visitor access to our offices for three days. Each day the auditor walked the offices and mingled with employees. You would be amazed at how much information he was able to gather in that time:
1. Colleagues describing their innovation programmes on camera, having been told the video was for a review by the CEO
2. Business results ahead of their release
3. Marketing plans from the meeting rooms
4. Access to many laptops (no screen lock, or weak passwords)
5. HR confidential records, etc.


The Result

The outcome of the audit showed that it was necessary to protect the organisation's information as a whole, rather than just focusing on IT security. The Head of HR was made the leader for Information Security, with the functional heads as team members. The Head of HR teamed up with the Head of Information Security and instituted a number of changes:

  • Information Classification & Protection
  • Clean Desk
  • Controls on Entry & Exit into offices
  • Meeting Room Behaviours etc.

Value was delivered by:

  • Creating confidence and reputation with customers and peers
  • Reducing the organisation's risk of fines, theft and reputational damage

Pains relieved included:

  • Resistance to Change

Focus In On: Responsible for Cyber Security / CISO

New Areas of Value:

Improved Confidence in Role or function

Enhanced Reputation with Peers

Provide more Innovative Solutions to the Business

Reduce Risk of fines, theft & Reputational Damage

Lower Perception of Risk from Customers

Improvements around:

Lack of visible value with peers

Lack of Credibility with peers

Resistance to Change