Nearly 72 percent of Indian companies faced a cyber-attack in 2015, and with the onset of SMAC (social, mobile, analytics and cloud), the surface area prone to attacks in a company has increased drastically. Currently, India ranks among the top three countries in terms of susceptibility to cyber-attacks.

In a tête-à-tête with CIO India, Burgess Cooper, Partner, Information Security, EY India, revealed the looming threat faced by Indian enterprises and shared his two cents’ worth on what security heads at the country’s top IT companies can do to counter this.

“As you migrate to the cloud, expand your media channels, incorporate mobility, your attack surface goes exponentially up,” explained Cooper.

It’s no secret that hackers work together and share their expertise on clandestine forums on the dark side of the moon or the net (take your pick). So, what do security heads have to do in order to stand up and stave off breaches?

Make no mistake, dear CISO, your organization is just as vulnerable as the next one. What makes it easier for hackers to breach defenses is that around 68 percent of CEOs are unwilling to share cybersecurity information with their peers, as revealed by an IBM study.

Vigilantes join forces

“If hackers can collaborate, why can’t security heads?” This seemingly simple question is the rationale behind the formation of the CISO group. Today, the group has 122 members, and this is necessary to build stronger defenses, according to Cooper.

“In any warfare, intelligence is key. If you know about a particular vulnerability in the system, and work quickly to patch that vulnerability, you’re that much safer,” he explained. “The idea is to not fight the war in isolation, but to fight the war with friends who may have fought the war earlier.”

The idea behind the group is to have leading CISOs collaborate to strategize, share best practices, and innovate to keep hackers at bay.

“The moment any vulnerability exists anywhere in the world, we inform each other through the network. It’s an early warning system. If some company has undergone an attack, fellow CISOs give the right kind of advice, who may have suffered the same kind of attack at an early point in time,” stated Cooper.

However, do bear in mind that cyber-resilience is not just the CISO’s cross to bear. Cyber resiliency must be treated as a board-level issue. The company should be able to track the risks and measure its defenses again. It cannot be left only to the IT department.

“Firstly, the tone has to be set from the top. Secondly, companies should make investments in people, processes, and technologies. Earlier, companies were spending lots of money in prevention controls alone,” explained Cooper. The companies later realized that they cannot really prevent an attack, and there aren’t too many companies in the world that are completely resilient to an unforeseen attack.

“If you start fighting at the IT level, you’ll lose the game. Make it a business issue, and get the right support from across the board,” maintained Cooper. “Once the company views it as a threat to its existence and survival, with the possibility of share prices plummeting, then, it’s a far more unified approach.”

But what about the competition? Won’t CISOs from competing organizations get caught up in the board games?

“There’s no competition amongst us. It’s just that some participate more, but few hold back. If somebody asks for help, some may share the response openly on the forum, whereas some may call the person individually and discuss the past occurrence.
The person asking for help gets the right kind of advice, and promptly so,” clarified Cooper.

Takeaways for CISOs

“Once you ensure that cyber-security becomes a board-level issue, not just an IT-issue, frame a clearly defined strategy on how you respond for each type of stakeholder, not just a CISO. A CISO would be the person defending the attack, but he would need the right support from across the company,” said Cooper.

Take, for instance, Corp Comm. It needs to frame the right response strategy to the market; HR should get the right skills in place in the team; the IT team is responsible for the framework; and the legal team for the correct course of action.

However, Cooper emphasized that the CISO must stay abreast of the current trends in the industry, and of the changing trends as they occur. Every few months, a new type of threat looms. The CISO’s job is to be alert to and aware of all the new-age threats, not just to his own company, but also to the industry.

After that, a CISO ought to monitor and measure his progress on a regular basis. This can be done by participating in cyber-attack simulations.

It’s simply a question of when, not if. So, when the company faces a real attack, the CISO doesn’t have to run helter-skelter. He knows the scenario inside out, knows whom to call, and what to do. “The system ought to function like a well-oiled machine, even in the CISO’s absence,” stated Cooper.

So, do CISOs in India choose to play the ostrich, turning away from the problems, or is there something more deep-rooted?

“I would say all CISOs have always been proactive in identifying that security is needed, and to stay on top of their game.
However, some of them may not have had the right support at the CXO-levels,” said Cooper.

The good news is that this support is now slowly increasing, after CXOs have identified the impact an attack can have on the whole organization.

After all, we’re not strangers to situations where CEOs have had to resign, and the share prices of the company plummeted following a breach.

Impact of mobility on cyber-security

Cooper believes that CXOs and CISOs have to embrace the fact that mobility is here to stay, and there are no two ways about it. And fortunately, they have good controls in place in terms of mobile secure device management.

But the fact they need to recognize is that you cannot protect everything in life. “Make a crown jewels program, and put controls around it.”

“This is in fact one more opportunity for a CISO to display his strength and prove his ability,” he added.

So, fret not, dear CISO. It’s just another feather waiting to be added to your cap.