GRC is dying and the Indian CISO would be jobless in a decade

Published on LinkedIn:

This is not clickbait, rather an epiphany. I think CISO is the only executive function that is becoming weaker with experience. It has nothing to do with the individual who occupies that seat, but more with the rigid precepts of the industry that produced him/her. Those precepts are Governance, Risk and Compliance – the holy trinity of the information security universe.

Gartner, the strategy kahuna we all love to hate, recently put out a blog post that is strangely deceptive in its brevity. Although much of the risk assessment discipline thrives on speculation – which means that everything can be interpreted in multiple ways and will be – the message that Gartner seems to be sending is that compliance has elbowed out governance and risk, upsetting the objectivity of the whole movement itself.

The Indian information security market, however nascent it may be, has wholeheartedly embraced the culture, or rather the cult, of compliance. While corporate governance has always remained weak in India Inc. – due to our socio-political proclivities – risk, too, is a mere afterthought to compliance. An erudite executive once told me that it’s primarily because we don’t value life much, but let’s not get distracted.

So the industry is dominated by services: advisory, assessment, audit and the whole shebang. Take the case of ISO 27001, at whose feet the auditors fall. Created in the eighties, it deconstructs the enterprise into kernels of security. This fragmented, checklist-driven approach might have set the baselines in the last millennium, as the threat landscape was still a little devil that had not grown horns yet. We wrongly treated them as the toplines.

Although I will touch upon the technical aspects in the second part of this article, the cybersecurity product ecosystem also followed a similar siloed paradigm. The integrated, data-driven and top-down frameworks to quantify risk weren’t entertained – analytics was still in its infancy. Even GRC platforms are merely rule-driven, prescriptive monoliths that require constant tweaking.

So risk assessment became highly speculative and subjective. And along with speculation came the brokers. The market was captured by the Big 4 kind of consultancies, which have conventionally treated risk as a mere roadblock to enterprise efficiency that should be hedged. Auditors became fixers and CISOs the middlemen of this compliance mafia. Such consultancies also wrongly assumed that technical risk, much like financial, should ideally be suppressed rather than disseminated, creating an environment that inhibits disclosure.

The one thing that got side-lined amidst the chaos is what really is at stake here. Security evangelist Richard Stiennon rightly pointed out that this is the only industry of the larger IT domain whose driver is external – the threat actors. The information which has ceased to be under your control is in someone else’s. And that information can break enterprises, economies, societies and nations.

The last arbitrageur of risk you can go to is the government. Even compliance expects that the laws of the land are at work. But in reality, the laws governing cyberspace have been trailing behind its technical dynamics by almost two decades. The internet is fundamentally broken and attack attribution remains procedurally impossible. So how would enforcement, prosecution or adjudication even take place?

I just balk whenever someone utters “cyber insurance”. Insurance requires a well-specified actor, while there’s none here. After the recent breach of 3.2 million Indian debit cards, there has also been talk of enforcing penalties. Well, enterprises are meant to withstand a gust of wind, not a Category 4 hurricane. A motivated state-sponsored actor in cyberspace is exactly the latter. The liability here is shared between the enterprise and the nation state, as a cyber-attack is both an act of criminality and an act of war.

That brings us back to the title of the article. I may be generalising, but the emergence of the Indian CISO as the product of an ecosystem driven by compliance – thinking that risk is merely something to be “managed” – kind of highlights the problem. They come from either IT administration or financial advisory backgrounds, bolstered by certifications crowding their resumes.

Risk indeed assumes a wager or a bargain. But that bargain has to be statistically driven and mathematically proven. Gartner is calling the bluff and telling us to solely focus on the risk, deriving it from the precision of information that lies in abundance. Every enterprise process has been mostly productised – so those old human-driven, interpretative notions of compliance should be discarded – giving way to metric-driven approaches where federated risk gains priority.