Aman Raheja, Chief Information Security Officer at BMO Harris Bank N.A., stressed the importance of security as a core business value and advocated for removing the fear factor as the driver of security strategy.
Raheja’s talk at the 2016 Chief Information Officer Leadership Forum in Chicago on March 9 presented the B-I-C-T framework of Business value, Industry benchmarking, Compliance, and Threat management.
Raheja stated from the outset that he wasn’t going to leave his audience with a lot of answers but rather a lot of questions. “There’s no silver bullet when it comes to cyber security.”
B-I-C-T is a multi-pronged approach to security with the elements aligned from least to most important. Too often, it’s executed in reverse order, which lessens its effectiveness because it leads with fear, explained Raheja. What we see and hear in the news about breaches and stolen data should come as no surprise. The threats prove that hackers are part of large criminal rings and demand that we be vigilant.
80% of corporate board members surveyed are quite concerned about cyber security, indicating there’s a lot of fear in the suites. But Raheja was quick to point out: “We won’t make good decisions about data security if they’re based on fear.” Any strategy proposed to a board shouldn’t have all its eggs in one basket (namely, addressing fear of a first or subsequent attack). Security based entirely or principally on threats tends to make for a weak response.
Some security strategies are based entirely on compliance: “My auditors want X, the regulators demand Y, etc.” All this is fine and part of a good strategy, said Raheja, but it must be part of a broader strategic approach. Perfectly executed compliance is good and will basically give you the security you want and need, but the threat climate is constantly changing. Compliance standards become outdated and archaic in just a year or two.
How about security based principally on industry benchmarking? Hackers are part of a broad criminal industry. They work diligently in a focused, networked manner, and they’re constantly on the lookout for soft targets. Staying in touch with peers is a necessity but not an adequate approach to security.
Raheja concluded that we must begin with the end in mind, and the best end is security as a core business value. “Can security actually do something that makes the organization more productive, more agile? I say: ‘Yes.’”
Raheja suggested that we ask ourselves: Can security become a differentiator to the point where my security posture actually becomes a deal-maker relative to my competition? Again, emphatically: Yes. Take all four components, put them together in the right order, and you’ll have a solid strategy and a wonderful business driver.
Communication is crucial in Raheja’s approach, as are specific metrics of added value, so look for ongoing development of the B-I-C-T approach. But the important thing is to remember that fear should not be the driver.
Raheja referenced a recently published Gartner report on the alignment of risk and security to business, which, along the way, advocated proceeding from a posture of preventing threats to one of detecting and responding to threats. Raheja countered this approach by stating that security as a core value will always be about the business of preventing cyber attacks.
ABOUT AMAN RAHEJA:
Aman Raheja is the Chief Information Security Officer (CISO) for BMO Harris Bank, based in Chicago. He was the Deputy CISO at Express Scripts, a Fortune 25 company, for three years and has led Information Security for multiple businesses at Citigroup. He has experience orchestrating and executing enterprise information risk management strategy. He has led transformations across multiple security domains that ensure compliance, employ prudent risk management and maintain business focus.