Security is more than an IT issue, it is a business challenge, say CIOs

Today, enterprises are being driven by data, but at the same time comes the challenge of securing information. As new age threats begin to surface in the Indian enterprise space, companies become more and more vulnerable to data leaks and hacks.

Security is no more an IT problem, it stretches to all departments. But are lines of business doing enough to ensure that it is the responsibility of all employees and departments to help IT secure an organization’s intellectual property?

“Security is all encompassing today, touching everyone and having dependencies with all connected to business, and sometimes outside the business as well. So the issue of security has to get into the culture and DNA of the organization, there are dos and don’ts that are needed to be practised and adequate security responsibility needs to be shouldered by everyone,” said Jayanta Bhowmik, CTO, Apeejay Surrendra.

Departments that are not directly impacted by data might not understand the implications of a security threat, but it will not be true to say that business is reluctant about security, but yes, the culture is yet to set in.

“Security is no more an IT problem but it’s a business challenge. To be more specific, every business needs to protect its information assets with right technologies. I won’t fully agree that business is yet to realise the significance of security,” said Nandkishor Dhomne, CIO, Manipal Health Enterprises. 

Bhowmik adds that complying with proper security standards should become more of a habit, especially in business houses that have been there for a long time.

“Today in India, although knowledge and awareness is fast catching up, legacy business houses still have a notion of security being an IT issue and therefore tend to have a careless approach towards security fundamentals and even have a lax attitude to planned security exercises, events, quizzes, certification and awareness mailers,” said  Bhowmik.

“Deployment of security solutions must get discussed in the context of privacy laws, customer expectations, IT Act, regulatory compliances for the given business,” Dhomne added.

CIOs at times find it difficult to make business realize the significance of certain high end security solutions that are needed to be deployed, but then it is obvious that the question of return on investment will always creep in.

“Today, every business is very sensitive to their information and there is a readiness to invest in adequate security solutions provided the CIO or CISOs present the investment in right perspective keeping in mind the nature of the business,” said Dhomne.

Bhowmik said that deployment of sophisticated solution alone is not enough, and that a security solution can only succeed when necessary security culture and support is available to supplement the solution.

“Not only support, I prefer business teams to be involved and be stake holders in the implementation exercise of any security solution, then only the deployment can be successful and a proper return from the investment can be achieved satisfactorily,” adds Bhowmik.

It is crucial for businesses to understand the impact of breaches, but at the same time it the responsibility of IT heads to ‘educate’ all the departments about disasters of security negligence.

Dhomne said that it is the responsibility of a CIO or a CISO to educate the business on the risks associated in the absence of an effective information security framework and the right skills to manage the same on an ongoing basis. 

“CIOs and CISOs should avoid talking technical jargon which will certainly make things difficult for business to understand and appreciate the associated investments on IT security,” said Dhomne.