In an interesting CISO huddle on security conducted by Dataquest, security and IT senior brass condensed cybersecurity into 4 aspects—be ready, have clarity, have maturity and be cohesive. And be a better wicket-keeper!
How to maximize digital transformation and security operations – it’s a realm that has become very complex and very pressing in the recent few months – given the onslaught of cyberthreats, cloud attacks, outages, vulnerability-exploitation and ransomware. Who better than hands-on CISOs to tell us how to navigate this minefield! This is exactly what an interesting panel of CISOs and security experts did at a Dataquest panel.
Minu Sirsalewala Executive Editor-Special Projects, CyberMedia, moderated the session and started the discussion by putting the spotlight on how cybersecurity is a key challenge for businesses today.
“There is a significant rise in cyber-threats regardless of organization size, vertical and operations. Businesses continue to progress in digital transformation and increasingly adopt Cloud, IoT, distributed work environments—thus, increasing their attack surface. This is expanding security, financial and reputational risk. This calls for a proactive incident response and better perimeter visibility. With constantly shifting budgets and scarcity of skilled manpower, it’s turning very difficult to bolster security,” she reckoned.
To have a strategic plan of action, to limit incident costs and minimize reputation damage – is a big task for a CISO today.
So, what does it take to be a CISO today and what new roles and responsibilities does a CISO face?
CISO – Then and Now
Kalpesh Doshi, Group CISO, HDFC Life, defined this in the context of the respect and the stakes that CISOs get now.
“Over the years there has been a transformation – a lot in the last four decades but also drastically in the last two years. There is a pre-Covid world and a post-Covid world. A lot has changed in terms of security. It is getting complicated. We want to have a user experience which is persistent across all platforms. But all of this boils down to reliance on data and cloud. That changes the paradigm for a CISO. CISOs were, earlier, involved in certification programs but today they are serious parts of a boardroom. Everyone respects and recognizes the contribution that a CISO makes – and that’s a phenomenal change.”
Apurva Dalal, CIO, Adani Green Energy Limited and Solar Manufacturing, seconded this view and explained how a lot of Wi-Fi devices and IoT have accentuated the need for security-edge. “People have started to take cybersecurity very seriously, more so after the pandemic. What I see is that the transformation has happened on the IT side. The OT side still needs to catch up,” he contended.
The big adoption of cloud is a remarkable change, chimed in Chandan Pani, CISO, Mindtree. “The challenge is – lack of good cyber-security experts. It’s an all-encompassing skillset – one needs to understand a broader spectrum. There is an estimated shortage of 8 million cybersecurity professionals by 2022-end. It’s a huge concern. As AI, ML and automation get more pronounced, and get adopted by adversaries as well, the scenario is going to change even further. CISOs need to outdo the threat side on AI and ML usage.”
Murali Urs, Senior Security Sales, Service Now, reminded the panel how digital penetration has changed in the last decade. “Every bit of life is getting digitized. With that a significant amount of data and digital infrastructure is emerging. Earlier the CISO’s role was limited. Their life was limited to a gate and a firewall. Today, the world has gone out of control with vast digital footprints, and with multi-fold and complex applications. The infusion of IT as a basic service in the day-to-day life of an organisation has added to this complexity. A CISO’s life will become more difficult and complex ahead. While solutions in risk management and some level of automation will help, it will not erase all challenges immediately.”
Minu brought in here the question about the level of awareness that CISOs need to address. “Is it a failure to prepare for cyberattacks that has led to even the best of giants failing – even those with great security hygiene?”
Awareness alone lets an organisation handle only some level of threats; the harder question is how to protect the perimeter and the cloud, especially in today’s IT-OT converged environments and hybrid world, Dalal answered. He cited how the company runs regular cybersecurity awareness trainings, alert releases, attack updates from the market and communication on basic security hygiene for its workforce.
Accept, Prepare, Watch
Doshi explained how third-party integration is being handled at his enterprise. “If you walk on the road, you can have an accident. There is always a pro and a con with every decision of going digital—it’s not new. Even old business models had their risks around data pilferage, espionage and theft. We need to be accepting of the fact that risk is around us. What we can try is to limit the damage and not be paranoid about it. It’s about how to respond to an attack. Many organisations have started to show maturity, clarity and ‘calming-the-nerves’ in sharing data. It’s also important that your third-party vendors follow contractual safeguards and organization culture.”
The panel then unraveled the implications of going beyond the 7 layers of SecOps, of the shift-left approach, of better visibility, of incident response management and of automation. It also warned against problems like too much downtime, prioritization of backlogs, decision paralysis, and weak responses at the individual level. Silos between data centre teams, operations teams and security teams can be huge, especially as these teams have different priorities and poor communication; these also need to be taken care of. Vulnerability management also has to sync with the reality of application performance, especially when the ecosystem is fragmented and vendors are not ready to keep up with regulations and requirements. It is also important to let go of the false perception that investing in the most expensive tool will make the enterprise breach-proof.
What’s also interesting is how CISOs are usually made the villains during Go-Live deployments. There is a genuine need to have SecOps and to integrate security testing into the overall culture of the organization, instead of last-minute testing. Test right from the first step and at every interval. That can bring a big change.
Doshi suggested holding deep and sharp fire-drills with top leadership as well, and then using them as a playbook. The response has to be unified and harmonized – no one person can be responsible for everything.
The panelists also highlighted how sometimes business users can feel frustrated with the CISO’s emphasis. “They ask why you are worried with so much security. Then we tell them how even the most secure organizations are getting hacked. Basic security hygiene is an imperative then,” Dalal shared.
As Doshi put it well, “It’s about how cohesive and well-co-ordinated your organisation is. It’s not a question of ‘whether’ you will be attacked – it’s about ‘when’. So how you deal with it and what maturity you show—defines your organization.”
Don’t drop the ball
It’s ultimately about the weakest link – and humans are those links too. It’s because attackers have become smart – they have moved from attacking organizations to attacking individuals. Because a lot of data is now on a person’s phone. There is no need to break perimeter security. For an attacker it’s enough just to break an individual – where, ironically, not much is invested in terms of security.
As Chandan Pani summed it up well – A CISO is like a wicket-keeper. You win five wickets, no one notices. But you miss one and everyone complains.