
Improved Confidence in Information Security

Client: A Global CPG Company

Situation

Information Security is always considered to be in the domain of the IT function. To the uninitiated, the technology guys have created the problem. Actually, many aspects of security do emerge from the usage of technology. But several aspects of security emerge from our behavior: for example, our passwords and how we remember or store them, wiping boards clean after meetings, clean desks, entry into and exit from offices, etc. Organizations do not understand this need and club everything under Cyber Security. The question is: "Is there a need to look beyond technology?"

Task

Technology risks were being addressed by the organisation based on prioritisation of risks. As the CISO, I was on top of the challenges that these brought. But I felt that there was always a gap in understanding the non-technology aspects and the risks these brought. Therefore, I took it upon myself to understand the current risk levels for the organization as a whole rather than only focusing on technology risks. This was key to a holistic approach to looking at security within the organization and changing employee behavior. Also, this would help bring in the much-needed CXO and Board level of focus.

Action

During my time as the CISO, I tried to understand the other elements that pose a security risk in an organizational setup. To this end, a specialized audit was performed. An auditor was provided general visitor access to our offices for 3 days. The auditor went inside the offices every day and mingled with the employees. You would be amazed at how much information he could gather during these days:
1. Colleagues speaking about their innovation programs, on video, purportedly for a review by the CEO
2. Business results ahead of their release
3. Marketing plans from the meeting rooms
4. Access to many laptops (with no screen saver or with weak passwords)
5. Confidential HR records, etc.

Results

The outcome of the audit showed that it was necessary to protect the Organisation's information as a whole rather than just focusing on IT Security. The Head-HR was made the leader of Information Security, with functional leaders as its team members. The Head-HR teamed up with the Head-Information Security and instituted some changes:

  • Information Classification & Protection
  • Clean Desk
  • Controls on Entry & Exit into offices
  • Meeting Room Behaviours etc.

Value was delivered by:

  • Creating confidence and reputation with customers and peers
  • Reducing the Organisation's risk of fines, theft and reputational damage