Security Must Speak the Language of Risk
Bharti Airtel's Dr. Sivasubramanian on Why Security is Misunderstood
Note: This interview was conducted on the conference floor at ISMG's Data Breach Summit Asia 2015, held in Mumbai. The ambient noise in the recorded audio was unavoidable and is regretted.
The increasing importance of security to organizations today is plain to see. There is a growing clamour for CISOs and the security function to be accountable to the CEO and the board. But how do practitioners earn a seat at the table and keep it? How do they transform security from its traditional role as a cost center into a business enabler? (Also see: Articulating Security's Business Value)
"Security is not a technology function - it needs to be a business function," asserts Dr. Siva Sivasubramanian - Global Head of Security (CISO), at telecom giant Bharti Airtel. "This is because security needs to talk in terms of risk, to be on the same page as the business."
Keep security risk-driven, he advises. Simply present it in terms of quantifiable risk to the business. It need not always be in monetary terms - it could also be reputation, or other terms that are well understood by the business. If security speaks only in technology, and believes in security in and of itself, it is not earning its keep, he says. (Also read: Security & Privacy: Making the Case)
Sivasubramanian further expands on what he believes is the undue emphasis on technology in security today. When you consider people, process and technology, practitioners today start with the technology piece without first getting the other two more important pieces in order. "Together people and process will solve most of the problems. Technology is a tool, or an aid to help you do this," he says. "I'm not against technology. But first and foremost you need to identify the problem and fix the fundamental people and process issues before adding the technology layer."
Technology will never be able to overcome the cascading effect that people and process have on the security equation, he says, adding that only by addressing people first can you ensure that technology is effective at doing what it is supposed to. He advocates a focus on building a culture of security awareness based on practical, not bureaucratic, processes. (Also listen to: The New Economics Of Cybersecurity Risk)
In this exclusive interview conducted at the Data Breach Summit Asia 2015, Sivasubramanian talks about security issues close to his heart and reflects on some of the conversations that took place at DBS 2015.
He shares insight on:
- The need to focus on people, awareness and culture;
- Security as a business enabler;
- The need for leadership in Indian Information Security. (Also see: Symantec's CISO on Security Leadership)
Dr. Sivasubramanian is currently the Global Head of Security for Bharti Airtel - a global telecom player of Indian origin. Siva is a transformation champion, and in his earlier stint at SingTel Optus as CISO, he successfully transformed a back office security function into a strategic business enabler and a channel for enhancing customer experience. As a keen researcher on innovation, he enjoys driving innovation in the domains he works in through mindset changes and the building of new knowledge.