RBI, continuing its fire-fighting efforts after the “Mega Data Breach” in the Indian banking system, has suggested that the “CISO” (Chief Information Security Officer) in a Bank, already a senior position, be upgraded from an “Operational Level” to a “Strategic Level”. (Refer article in IE).
The Gopalakrishna Committee in 2011 gave comprehensive recommendations on E-Banking security (Refer here for more information), which included the administrative structure for Information Security Management: a Board Level Committee, followed by an Executive Level Committee, and a mandatory position of CISO, etc.
Any sensible information security structure places the CISO as a top-level officer who must be consulted on new product releases and other strategic initiatives, besides managing day-to-day security issues.
Again in June this year, RBI gave further mandatory instructions in the form of Cyber Security Framework.
Now RBI, for the umpteenth time, has reiterated the importance to be given to the CISO in the organization. Banks now need to decide whether the CISO should be at the Chief Officer level, at AGM/DGM level, or at GM level.
It is also important to note that the roles of the Chief Compliance Officer and the Chief Security Officer in an organization overlap with the role of the CISO. For the system to function properly, there should be an apex-level “Chief Security Officer” who oversees the work of the Information Security Officer, the Physical Security Officer and the Compliance Officer.
Ideally, such a person in the Bank should be at the Executive Director’s level. At present a few Banks have multiple “Executive Directors”; one of them should probably be exclusively designated as “Executive Director-Security”.
We hope some Bank takes the lead in creating the CISO at the Executive Director’s level, who naturally will be supported by several Deputy CISOs at lower levels.
Naavi
Changing designation will be useless unless the person is given objective responsibilities and accountability along with defined powers. Unless there is the danger of rolling heads, people do not perform. Further, the working culture in banks needs a paradigm shift. Just by kicking up the CISO to a fancy designation, things will not change.