Does India Need a CISO?Security Leaders Deliberate Whether India Should Follow U.S. Lead
U.S. President Barack Obama has rolled out a $19 billion "national action plan" to harden the country's cybersecurity posture, responding to warnings from his intelligence chief about new security threats that open doors to hackers.
Besides investing in cybersecurity education, Obama announced creation of the first-ever CISO to oversee activities across the federal government. The announcement begs the question: Is it time for India to follow suit and appoint a designated national CISO?
Some security leaders say India currently has a number of roles existing that focus on specific areas of cybersecurity, but none of these has the comprehensive view that a CISO would bring.
"The biggest hindrance is lack of political will and bureaucratic understanding of its importance," says Prashant Mali, Attorney at High Court and cyber law expert. "The Indian government is eager to promote cybersecurity, but who will lead and execute the action plan is always a million-dollar question."
The challenges for both the U.S. and India are similar, with the evolving digital age presenting new threats.
Obama's plan directs the federal government to take new action - establishing a commission on enhancing national cybersecurity, made up of top strategic, business and technical thinkers from outside the government, including members to be designated by bipartisan congressional leadership.
In contrast, the top Indian challenge is political and establishment inaction, say leaders.
"The biggest challenge is ignorance, apathy and an inability of government leaders to appreciate the value of an information security function, combined with complex laws in governing cybersecurity," says Coimbatore-based SN Ravichandran, member of DSCI and CyberSecurity Society of India.
"No doubt the government has big plans. Modi's government has announced big plans to protect India against cyber threats, but they lack vision or plan of action and get buried the same day," says Dinesh Bareja, COO of Open Security Alliance and founder of India Watch.
While Obama has proposed $19 billion for cybersecurity allocated towards recruiting the best talent in IT and cybersecurity, critics say the Indian government's investment proposition is only eyewash. Most often, the government intends to find ways to extract private funding for the smallest initiative.
Ravichandran says India spends roughly 2.5 to 2.75 percent of the GDP on defense initiatives. If a fraction of that, say 10 percent, were to be spent on cybersecurity - on allocation to academic institutions for specific security related projects, on manufacturing special hardware, for research, or for salaries to attract the best talent - it would do much good.
"The question is not of availability of funds, but to effectively engage, recruit and deploy people who will deliver," says Ravichandran. "The bureaucratic stranglehold must be loosened if we are to move forward."
Does India need a CISO?
Some security leaders say there are huge ambiguities concerning the role of a CISO in India, given the diversity of bodies and agencies and states. However, India recently formed a National Cyber Co-ordination Centre under the leadership of Dr. Gulshan Rai to tackle India's cybersecurity challenges, reporting to the Prime Minister's office.
Says Mali: "If India plans to have a dedicated CISO, it would remain only a ceremonial position."
However, the leaders do agree having a designated CISO would enable a comprehensive view of cybersecurity and its core functions.
"Considering we need a CISO, the moot question that would arise is: Who should recruit the CISO, and what would be the necessary qualifications and the job profile? If the CISO is someone from the system, it would be another seat-warming position, with no great benefit for the country," Ravichandran asserts.
As an example, Modi's government has rolled out its Digital India vision and has appointed a CISO for the program reporting to the Home Ministry. Critics say there is no justification for Digital India's CISO to come under the Home department, when it is an all-India initiative impacting all departments. Having a CISO for India would also raise similar questions, they fear.
What should India's Cybersecurity Plan Constitute?
If the challenges for India and the U.S. are the same, then what should India's cybersecurity plan focus on?
Mali says India has started working on its plan. This year it should focus on developing "cybersecurity culture" among government and institutions, he says.
"Having budgetary allocation for cybersecurity education and defence and on deploying necessary technology wherewithal to defend cyber threats is a must," he says.
Ravichandran outlines three priorities for India's cybersecurity action plan:
- Reinspect all steps taken so far, and discard those not effective or implementable;
- Form a group on the lines of what Obama has recommended (establishing a commission) under the central government and task them to come up with a comprehensive policy covering all aspects of security from infrastructure, technologies and management of all security-related actions, including laws that need to be tweaked or legislated;
- Identify people to lead the function, put these policies in action and deliver results in the shortest time possible.
"Whichever organization takes the lead in devising the plan, the critical factor is to put a tight time frame and clear execution steps, if we have to protect the nation from cyber threats and attacks," Ravichandran says.