It is very important for an organization to build the internal tech competency required to assess a security solution. But that’s easier said than done; in-house talent tends to have a generalist make-up than a specialist one. Then once capability is built, it soon becomes outdated and needs constant upgrading. Risks that are known and mitigated successfully yesterday, are of little use today. Retaining talent in a competitive environment is another big challenge CISOs face today.
However, more mature organizations have the right strategy and policies to tackle this situation. Godrej Industries, for instance, has a two-pronged approach. Other than constantly upgrading itself with the latest technology–which is an absolute necessity–the in-house competency team works closely with the business.
“Once we know what the business is planning to do today–and in the next few years–we know what kind of risks are likely to be encountered,” says V. Swaminathan, EVP–corp. audit and assurance at Godrej Industries.
Through this approach, his team has increased its efficiency to the point that it was well-prepared for the organization’s shift to the cloud–even before the business decided to embrace cloud computing.
Collaboration with the business, he says, helped the team understand that the company was in expansion mode and would soon be going global. The team kept a watch for developments in the area of cloud computing and boned up on the risks associated with it.
“When the business finally decided to move to the cloud, we were ready with the kind of security solutions we needed,” says Swaminathan.
In addition, the team kept a watch through various security forums and on their industry peers who were already moving to cloud. Interactions with them helped identify the service provider who would help them assess risks and mitigate them proactively.
Swaminathan believes that the skill of a CISO lies in identifying the internal risk perception and in finding solutions to mitigate them. “At Godrej, we always ask vendors to do a POC to test whether the results meet our expectations. There is no ‘one size fits all’ solution when it comes to security,” he says.