Why CISOs Need to Elevate Their RoleHDFC Bank CISO Sameer Ratolikar Offers Six Point Agenda for Leadership Role
The CISO has come a long way since the early days of cybersecurity. With increased connectivity, cybersecurity gained prominence, resulting in the elevation of the CISO's role. However, the role of the CISO must continue to evolve, towards leadership. "CISOs need to become influencers and business enablers within their organizations," said Sameer Ratolikar, CISO, HDFC Bank.
Ratolikar was speaking at a plenary session titled Redefining Cybersecurity Leadership: CISOs at Their Best at ISMG's Cybersecurity Summit in Mumbai on November 1.
"A decade ago, just 4 to 5% of company staff had cybersecurity roles, but today that has grown to 18 to 20%. CISOs were once regarded as IT heads, and there were just five or six people in the country with the CISO title. Today, there are thousands of CISOs," Ratolikar said.
He urged CISOs to play bigger roles as India moves toward a $1 trillion economy. He prescribed a six-point agenda for cybersecurity leadership.
- Ownership: CISOs need to take ownership for business performance and boldly embrace innovations. There was a time when CISOs, especially in regulated industries such as banking, were hesitant to adopt open-source solutions. But they need to be bold and evaluate the risks and implement solutions. "CISOs must take ownership, both for wins and losses."
- Technical Depth: CISOs must have the technical knowledge to understand what happens when there is a breach or if the business is considering to implement a newer technology. They should also understand what vendors are offering. And for this, they must continuously update their knowledge on par with the evolving technology.
- Business Understanding: Tech knowledge and defining the vision for cybersecurity isn't enough. A firm grounding on business concepts is equally important. It will help in making the right decisions about tech adoption and implementation. For instance, if a bank aims to offer a two-second loan in its retail assets, the CISO must understand the processes for this, and how technology will enable it.
- Analysis and Dashboarding: Dashboards are powerful tools and provide all stakeholders, including board members, complete clarity of the status of security. A dashboard can present an analysis of the situation at different levels, using multiple colors to indicate levels of criticality.
- Simplicity in Communication: CISOs should communicate technical concepts in a language that is easily understandable to the board. They should be able to explain what happened during an incident without excessive jargon and how it will impact the business.
- Balanced Risk Management: CISOs must balance business with risk. They should collaborate with business leaders and understand what risk means to them, and explain the impact and what it translates to, for the business.
By following these six tenets, CISOs can be seen as business enablers or influencers. A balance of both technical and business knowledge is essential to move the discussion from pure security to risk and business impact.