Information Security is an Emotion!

True Information Security has nothing to do with technology; instead it’s an emotion, a shared responsibility, and a strategic business partner. This blog dives into the heart of Information Security as a cultural mindset and a fundamental business driver. By exploring how companies can integrate security as a core value, not just a technical measure, we reveal how Information Security acts as a guardian of trust and a strategic advisor essential for sustainable growth. Discover why effective security is about culture, collaboration, and commitment—not just limited to Infra and Tech.

Roshan Yacob George C|CISO CISSP CISA CFE

11/4/2024 · 3 min read


When people hear "Information Security," they immediately think of technology—Infra and Tech. But in reality, Information Security isn’t about IT. Surprising? The more I delve into this, the clearer it becomes. IT is merely an enabler for Information Security; it’s a tool, not the mission itself. In fact, placing Information Security under the IT department can sometimes hinder its effectiveness, even aiding hackers by reducing its autonomy and limiting its reach. Information Security should stand on its own, as an independent pillar of a company’s values and culture, not just a technological subset.

A Shared Culture, Not a Single Responsibility

Information Security is not something that a lone individual or team can implement; it’s a collective commitment where every employee has a part to play. This responsibility is not exclusive to the CISO, the security analysts, or the IT staff—it’s a culture that the entire company must embrace.

In the past, kings and wealthy families safeguarded their treasures in ways that extended beyond locking them away; they layered their security with methods that played on human psychology. There were no banks or lockers in those days, and definitely no Fintech. They’d bury valuables beneath temple ponds or scatter cobras in treasure pits to deter thieves. Some even spread ghost stories about those sites to instill fear. These were all psychological deterrents that complemented physical security.

Similarly, Information Security in a company should draw from that mindset. It needs to be deeply ingrained in the culture, an emotion that drives decision-making and behavior. Everyone—from the CEO to entry-level employees—must internalize security practices as part of their daily routines, just as past generations adopted unique and persistent habits to protect what mattered most to them.

Protecting the Family

In my training sessions, I ask a simple question: “Who closes the main door at your house at night?” Most people respond with, “My father” or “the head of the household.” In my maternal family, we had a routine: my grandfather would walk a hundred meters to lock the main gate, secure it with chains, and then come back to the house, lock the doors, and shut every window. This ritual was a nightly routine, repeated without fail. In my paternal family, it was slightly different because of their many businesses: my grandmother always insisted the main door remain closed due to the cash stored inside.

These routines represent a proactive, consistent approach to security that has nothing to do with technology. It’s about maintaining vigilance and discipline—traits that are essential for robust Information Security. Such routines demonstrate how security practices become second nature, ensuring that risks are constantly mitigated. Without a similar mindset from company leadership, especially from the CEO, security efforts can fall apart, and soon the company itself falls apart.

Information Security as a Business Strategy

Information Security today must transcend checklists, questionnaires and compliance tick-boxes; it should be recognized as a core part of business strategy. The strongest example of this shift in the industry is seen with companies that have pivoted to prioritize compliance and security as integral to their growth.

Paytm, after facing an RBI ban, transformed itself from a 'technology-driven company' to a 'compliance-driven' one. And Cashfree achieved tough RBI licenses, such as the Payment Aggregator (PA) License, the Payment Aggregator - Cross border (PA-CB) License and, most recently, the Prepaid Payment Instrument (PPI) License, which demonstrate their commitment to securing payments and data. These milestones didn’t happen by accident; they were a result of intentional, emotional dedication to security led by visionary leadership. Kudos to Cashfree’s co-founders, Akash Sinha and Reeju Datta, and the unsung heroes on their teams who laid this foundation.

What motivates these companies is a fundamental belief that security is not an add-on or a hindrance, but the lifeblood of the business. This outlook is the emotion that underpins successful Information Security. Without this foundational value, security risks becoming a mere formality—one that, when overlooked, can lead to devastating consequences.

Why IT Can’t Hold the Reins of Information Security

IT, while crucial to enabling security systems, shouldn’t control Information Security outright. When IT departments own security, they may view it primarily as a technological problem, missing the larger picture. This perspective can actually help attackers because the broader cultural aspects of security get sidelined, and security risks go unaddressed. Instead, Information Security needs the freedom to operate independently, influencing all aspects of the organization’s culture and strategy without being limited to technical implementations.

In essence, Information Security is an emotion, an attitude, a culture. It must go beyond IT if it is to truly safeguard a company’s assets. After all, security is not just about systems but about creating an environment where everyone, from leadership to the newest hire, is invested in the protection of information. This commitment transforms Information Security into a powerful force that protects and propels the entire organization.