Security should be the fabric of basic application built up: Trideeb Roy, Cisco

Cisco Expands Its Data Center Presence In India, announces innovations and investments In security infrastructure. to assist organisations in becoming more resilient and addressing cybersecurity risks in a hybrid environment, they has announced security advancements and investments in security infrastructure in the nation.

In order to defend against new attack vectors, Cisco has released a Cybersecurity Readiness Index that demonstrates that the majority of businesses are simply not prepared for an assault. According to the survey, 53% of Indian organisations were affected by cyberattacks, and the incident cost to resume regular operations after one was between $500,000 and $1 million. Over 80% of respondents in India, as opposed to 57% globally, stated they had encountered a cybersecurity incident in the previous 12 months.

During the Cisco India Summit 2023, we spoke to Trideeb Roy – Director, Public Sector, Cisco India & SAARC, about how is the government addressing these serious cyber security, threats, and criminal activity and more. Trideeb runs the public sector and defense business in Cisco. Before that, he used to run the Datacenter and Architecture sales. Excerpts:

What role do regulatory frameworks and policies play in building trust in the digital world and how can they improve?

Trideeb: From the government perspective, there are several different charters. We heard today was -  whatever gets connected, needs to be protected. From business perspective, that is highly prerogative in terms of citizen Services. Since the government is predominantly driving citizen services, citizen data is of paramount importance to government. Wherever there is an essentiality of exposure of such data, the regulatory services come into play very strongly, predominantly around data sovereignty and security in any of these citizen services. India has the largest digital transformation story in the world - Aadhaar and the DigiLocker. These are all highly regulated architectures. So the government is very concerned about such kind of regulatory measures that you mentioned, and security is of paramount importance. Not only security but from an overall, architecture and multi-layer architecture perspective, there's a strong opinion about how the cloud should be consumed as well. 

What are some ethical considerations that need to be taken into account when building trust in the digital world and how can we ensure that these considerations are addressed?

Trideeb: So tomorrow, you are going to hear one of the professors from IIT Delhi, who will talk about how trust and integrity are the basic fabric of building an IT infrastructure from day one. It starts with training, you need to have people who are well-trained. Trust-based platforms needs to be built into the overall architecture of any application. 

Predominantly, it is all about applications and how applications get consumed. Application has now become a line of business. That is for the enterprise. But for governments, applications are like citizen services  - birth records, driving licenses, railway bookings, etc. So, the fabric of this is fundamentally a robust infrastructure, which encompasses all the security and trust features, and on top of that there is layers of application, which gives ease to citizens, because at the end of the day, you are playing with the citizen data, right? So, that's the basic part of the fabric when they develop the overall architecture.

Can you expand on the idea of the culture of cyber security within a government entity?

Trideeb: Government is very concerned about cyber security because of the criticality of the data, that they deal with. Any citizen data which gets leaked is of a major concern to the government. As you might have also come across news on AIIMs and IITs. So, they are very concerned the security should be the fabric of basic application built up. At the same time, the skilling of people is also very important, because as a country, the basic mobile users who are in the villages and smaller towns, are not fully educated about cyber threats or cyber security issues. So the government is working with various organizations to ensure that cyber security is part of the basic curriculum in schools and colleges in partnership< with various NGOs and other institutes to sort of take cyber security to the grassroot level. In villages the usage of WhatsApp, YouTube, and Facebook is tremendous, and that's where the leakage happens and people fall prey to cyber threats. So the government is very concerned about this and they are partnering with various organizations, including Cisco.  

There is the enterprise side of the government that include organizations like hospitals and NIC, and that's one side, those are secured because they have the budget, but what about the common man? What about the citizen that is where also the government is very concerned about, because they fall prey to so many such episodes, and we come across them all over the country and the interiors of the country, where such fraud happens. So, the government is trying to sort of build that infrastructure at the enterprise level of what their organization is, as well as skill up people on the ground so that people are aware of these cyber threats and cyber security issues.

How is the government addressing these serious cyber security, threats, and criminal activity?

Trideeb: On the enterprise side, I think they are gearing up in terms of adopting technology, in terms of creating a framework, creating basic policies within their organization, how they should work through, and what kind of authentication they should give to. who should get what authentication? etc. That's on the enterprise side, but on the citizen's side, I think there is a tremendous need for enablement and education. Most of the people who fall prey are senior citizens, housewives, and small kids, so that's where skilling is important. so the government is working on skilling, but the size of the country and the number of young people in this country is enormous, so that's a daunting task. But at least there is a realization at the government level that this is a social issue. It's the issue of how people’s savings can get wiped out because of these cyber threats. So, that's one, and on the enterprise side of the customer end of the government, they are now very serious about cyber security.

Earlier they were more focused on infrastructure, connectivity, and network, but now the concern has heightened. Now they feel that if the citizen’s data gets leaked out, it has got a lot of applications, so from the center, the state, or from nodal agencies, it's now getting measured to determine the kind of security framework that you have created for your organization. There are now several workshops, trainings, and seminars, that are being conducted to ensure that the right framework gets adopted. 

When do data breaches require notice to the regulators or consumers? And what are the key factors that organizations must assess when deciding whether to notify regulators or consumers?

Trideeb: This depends from organization to organization, with respect to the government, any breach, as per the government policy, it is an ethics issue that if there is a breach you will have to report. In government it is compliance, which cannot be put under wraps and hidden. If there is a breach, they have to report it. I also understand that even for the private sector, it's now pervasive that you have to report, but when it comes to the government it is mandatory that you will have to report if such an episode happens. So they must adopt all required frameworks.