MeitY Requires Government Departments to Have a CISO
Experts Question Whether Ministries Have Qualified Candidates
As cyberattacks continue to increase, India's Ministry of Electronics and IT is requiring every government department to appoint a CISO.
In a note to ministries, MeitY states that it shall be the responsibility of the secretary of a department to identify a member of senior management to serve as CISO. Those in this new position must establish a cybersecurity program and coordinate security policy compliance efforts across the organization and interact regularly with CERT-In.
While some security experts praised the move, others question whether there are enough qualified security experts in all government departments to fill the new CISO positions. Some suggest government departments consider hiring outside experts, rather than selecting someone already on the staff.
MeitY instructs all government departments to provide the CISO with enough resources to establish an information security program. Plus, it says the CISO preferably should report to the secretary of the ministry/department. If this isn't possible, the CISO must report directly to the next most senior officer.
In its notification, MeitY says that a CISO should monitor the threat landscape for the department and:
- Establish a cybersecurity program and business continuity program;
- Ensure that Vulnerability Assessment & Penetration Testing, Software Development Lifecycle, Web Application Security Assessment and other appropriate audits are carried out at regular intervals;
- Develop and implement scenario-based incident response plans.
The move shows that the government is making the right moves in light of the threat environment, says C.N. Shashidhar, founder and CEO at SecuriT Consultancy Services. "Having an empowered CISO in each department will help put in place the governance required to ensure accountability for cybersecurity issues and timely completion of activities," he contends.
Some security experts, however, say there aren't enough qualified officials to take over the role of CISO in each department.
"A senior person in government doesn't necessarily guarantee the right skills required for a CISO," says J Prasanna, director at the Cyber Security & Privacy Foundation Pte Ltd. "At the senior level, you may have someone who commands respect, but he should also understand security process."
Given the criticality of the role, government departments should consider hiring outside experts to serve as CISO, rather than selecting someone already on the staff, as MeitY is requiring, says Sivakumar Krishnan, former head of IT at M Power Microfinance.
Shashidhar adds that each department "should appoint industry experts and empower them as CISOs in the short term. Simultaneously, it should impart cybersecurity education to all government officer cadres to hold fort."
And Vikas Yadav, an information security professional, says MeitY's notification should have clearly spelled out CISOs' qualifications.
"Nothing has been mentioned on the qualification criteria of a CISO," he says. "It can take the help of industry bodies like DSCI to come up with well-defined criteria."
The best way for government departments to rapidly ramp up their information security efforts is to "have a partnership model with the private sector," says Sameer Anja, co-founder and COO at Arrka Consulting, a cybersecurity consulting firm. "The government should ideally look for an enabler and a BOT [build-operate-transfer] model of public-private participation. This way, the current officers can be enabled and the requisite processes will be put in place. The private sector often uses this model, and the same model can be applied within the government."
No Auditing Standardization
The MeitY notification lacks details on the reporting structure for the new government CISOs.
"It's easy to deploy policies, but there needs to be a check on whether audit reports are regularly sent back to the concerned authority," says Felix Mohan, CEO at CISO Cybersecurity, a cybersecurity consulting firm. "Nothing has been mentioned on the timeframe which should be followed within which an audit report should be submitted to the head of the department or CERT-In."
Although MeitY is mandating security audits, it does not specify a standard to apply. "As a result, every department can have their own way and standards of auditing," Mohan says. "It will be complete chaos."
Krishnan offers other recommendations regarding audits:
- The findings should form the basis for considering other standard assessment methodologies to protect data;
- Vulnerabilities identified should be fixed in the production environment, but used with deception methods, such as honeypots, to help understand the modus operandi of hackers;
- Various departments should share information on cyber threats so they can learn from each other.
The incident response department must document its findings and also help identify corrective and preventive actions, says Anja, the consultant. "An example is the WannaCry ransomware. If we had paid attention to earlier attacks and enabled preventive actions of patching, building backup, monitoring for events, etc., we would have possibly reduced the impact of the attack."