Audit , CISO Trainings , Governance

India Urges Organizations to Hire CISOs, Conduct Audits

But Security Experts Demand More Detailed Guidance
India Urges Organizations to Hire CISOs, Conduct Audits
Ravi Shankar Prasad, Minister for IT & Law, Govt. of India

After the recent leak of details on more than 3.2 million debit cards, Ravi Shankar Prasad, minister of IT and law, is calling for more organizations to have a third-party security audit and hire a CISO.

See Also: Webinar | Beyond Managed Security Services: SOC-as-a-Service for Financial Institutions

At a recent Press Information Bureau economic editors' meeting, Prasad also said the Indian government will spend Rs 985 crore on the National Cyber Coordination Centre project to help develop a real-time situation awareness and rapid response mechanism. Plus, it will soon develop a software product security policy.

Some cybersecurity experts contend, however, that the government isn't moving fast enough on its initiatives, such as the coordination centre. Plus, they question the effectiveness of third-party audits and call on the government to provide more guidance on the role of CISOs.

"The minister's recommendation for organisations to have a CISO must come with a strict guidance to enable them to comply," says Chennai-based V. Rajendran, advocate and cyber law consultant and past president of Cyber Society of India. "It took several years for the banking sector to comply with the guidelines of Sri Gopalakrishna Committee report, which recommended that every bank must have a CISO as part of security strategy. And this should not be the case with all other organizations."

Auditing Support

In his address, Prasad emphasized that the government can provide organizations with auditing support.

"The government has empanelled 35 IT auditors for third-party audits which organizations can leverage to make themselves cybersecurity compliant," Prasad said.

Some security practitioners say most large organizations already hire auditing firms to assess their security. But Coimbatore-based cybersecurity investigator Ravichandran Swaminathan, a member of DSCI, says too many such audits are superficial.

"Auditing is not all encompassing, it does not include physical security of assets and does not possess the skills to value information or data that needs protection against attacks," he says. "Just hiring auditors will not serve the purpose."

Government-empanelled auditors will concentrate more on process, rather than ferreting out vulnerabilities, some security practitioners argue. Bangalore-based J. Prasanna, director and founder of Cyber Security and Privacy Foundation, argues, for example, that most auditing organizations lack teams with knowledge of zero-day vulnerabilities.

Rakshit Tandon, cybersecurity adviser to the UP Police, contends that the government-sponsored auditing process lacks transparency and is not designed to help pinpoint emerging security issues.

The audit process has shortcomings because it focuses on income tax, sales tax and credit risk, which come under the Company Registrar Act and does not usually include auditing for data security, Rajendran contends.

"Most organizations, though they are conducting financial audits, have not deployed auditing processes established under the IT Act and IT Amendment Act under Section 43-A, which require auditing to establish reasonable security practices and procedures - a major loophole," he says.

Developing Rapid Response

India wants to move toward achieving real-time awareness of threats and build a rapid response mechanism to tackle cyberattacks, Prasad said in his address.

To achieve this goal, the government has launched a five-year project to build the National Cyber Coordination Centre. Plus, the government will soon roll out a draft policy on software product development to help ensure security is embedded at the design stage.

But some critics say the government has made little progress in the year since it announced the coordination centre project. For example, it hasn't recruited a complete technical team or created a mechanism for intelligence gathering, Rajendran says.

"There are no strong signals sent to cybercriminals as a concerted effort by the government to prevent so-called breaches," Rajendran says.

What Does the Country Need?

If the government is to play a vital role in cyber defence, it must incorporate a few stringent measures of evaluation, some security practitioners say.

For example, Ravichandran suggests it's time to set up a national cyber investigation agency with its own courts, lawyers and judges. Some security experts also say:

  • The government should take steps to pass the Privacy Act to address data leakage;
  • Every e-governance project must be monitored by a CISO;
  • Empanelled security auditing organizations must have highly skilled white hat hackers to help address risks;
  • Organizations must ensure empanelled security auditors are well versed in handling APTs, vulnerability assessment and penetration tests and zero day vulnerabilities.

Government critics also underscore a clear need to move beyond formulation of policies and take action, including reporting security breach incidents, deploying effective breach responses and implementing effective intelligence gathering mechanisms and preemptive threat intelligence tools.


About the Author

Geetha Nandikotkur

Geetha Nandikotkur

Managing Editor, Asia & the Middle East, ISMG

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.in, you agree to our use of cookies.