Purpose of security is to enable business

Illyas Kooliyankal, CISO, ADIB, elaborates on the importance of a business-empowering security officer in the evolving cybersecurity era.

How does a CISO ensure business continuity despite potential cybersecurity threats?
Empowering the business is a critical objective of a successful CISO. The CISO should understand that the purpose of security is to enable the business to achieve its goals. This encourages them to take a different approach to security. Traditionally, CISOs and information security departments have been considered policymakers and roadblockers who slow down progress with stringent controls and impractical requirements. The outlook was somewhat true in many cases, as CISOs tried to enforce security policies without clearly understanding the business needs. Such policies may indirectly hurt the business and also not effectively manage the risks.

A better approach is to draft policies based on a systematic risk assessment and business alignment with inputs from various stakeholders. This is likely to secure buy-in and boost efficiency without compromising security.

How do you manage the complexity of an institution like ADIB?
As a leading financial institution, ADIB operates in a complex technology and business environment requiring the protection of critical information and safeguarding of essential services. Ensuring the cybersecurity of ADIB is quite challenging and, at the same time, rewarding, which makes my job very interesting. We have approached cybersecurity strategically and systematically, covering people, processes, and technology, based on the principles of confidentiality, integrity, and the continuous availability of our services to customers.

As we all know, managing cybersecurity risks is extremely difficult as the complexity of the environment increases. On top of that, the pandemic has thrown up additional requirements and associated risks to the bank. Being a business-enabling CISO, I always try to balance the cybersecurity controls with operational needs and objectives.

Formulating a business-friendly and secure approach is key to success in any environment. Preventing key initiatives in the name of security with a blanket approach is destined to fail. We have formulated the security strategy by aligning it with ADIB’s business objectives, ensuring regulatory compliance, and at the same time providing adequate controls. A holistic approach with the right, effective processes, technology, and people is the key to success. At ADIB, we have built a solid and dependable team of empowered and driven professionals to design, deploy, and ensure the proper security controls for the bank. They complement each other with governance, processes, technology, investigation, threat intelligence, incident response, cloud security, and all other areas of information security.

In the past, security was fragmented. How have the organizational structure and lines of responsibility evolved?
Information security has been evolving for a long time. Due to its significant dependency on technology, it was considered an IT function in the earlier days. CISOs or information security managers were therefore reporting to the CIO or head of infrastructure in many organizations.

More recently, organisations have realised that information security is not just a technology issue, and keeping it under IT poses a potential conflict of interest. Although significant dependency and alignment with the technology department are unavoidable, the function needs to be independent and empowered to oversee and govern technology assets and activities. Hence organisations started to embed it within the risk management department or reporting to Chief Operating Officers and CEOs.

Financial organisations led the transition, mainly driven by regulatory mandates and the significance of information security in these institutions. Those organisations understood the importance of this function and started to give adequate attention to CISOs and the Information Security Department. CISOs need to have strong technical expertise to understand the risks and controls around IT assets and services. Simultaneously, they need to be capable of formulating and managing strategies that align risk-based approaches to organizational purposes and activities. They must also have a strong business acumen to ensure that security controls and plans support the business aspiration by managing the risks with efficiency.

Organisations need to define the reporting lines and organisational structure by keeping these factors in mind to ensure independence, effectiveness, and streamlining of the related activities. The ideal position is reporting directly to CEOs or the Board of Directors, and if that is not practical, to the next level down.

Are you experiencing the talent or skills gap that we hear about in the cybersecurity space?
Cybersecurity skills are in high demand these days. Although the overall job market was undoubtedly tough during the pandemic, what I’ve seen is an increased demand for experienced cybersecurity professionals.

The more significant challenge is the requirement to have multilevel skills to become an expert cybersecurity professional. The need to have a combination of technology, risk, and business acumen makes it tough to find the right resource for the job. Besides, the adoption of new technologies, such as cloud services, makes it very difficult to find experts with deep technical expertise and a good risk understanding.

Cybersecurity professionals who keep their knowledge and skills updated are in enormous demand in the market. However, it is also important to consider an individual's attitude and passion. I have been fortunate to identify talent from various other fields, including pure bankers, and mentor them to become cybersecurity experts. This has helped me to ensure that we have the right combination of team members who can complement each other to establish and maintain a robust cybersecurity control environment.

If you look down the road for the next three or four years, what keeps you up at night?
The ever-increasing number of cyberattacks and the threat they pose is alarming. All kinds of organisations are getting attacked, especially those operating in the financial industry. The world is transforming towards digital day by day, and the Covid-19 pandemic has expedited this trend.

Almost every organisation is online now, yet there continue to be naive people who remain vulnerable to fraudster tactics. The return on investment for those criminals is high since they know that there is always a percentage of potential users who are not alert or knowledgeable, or who put inadequate resources into protecting themselves or their organizations.

Attacks these days use the latest technologies and capabilities, such as big data and AI, to target their victims, generating even more customised and sophisticated attacks. As cybersecurity experts, we need to be proactive, innovative, and comprehensive in our approach to be prepared even for future attacks. Information security is not an end but a journey!