Security has become the most important aspect of an organization. From drastic financial losses to a downward spiral of customer and client mistrust, Security breaches have destroyed many successful businesses. This demands that the CISO constantly rework the Security Framework to stay a step ahead of the hackers.
In 2006, when Clive Humby coined the phrase, ‘Data is the new oil’, he couldn’t possibly have imagined the turn Security would take in the second decade of the twenty-first century. From being the by-product of business, Data has gone on to become the cornerstone of an organization.
With the evolution of the Internet, there has been a substantial shift in not just the idea of a business, but also the way business is undertaken. So much so, that it has simultaneously allowed the emergence of a village in Romania, notoriously called Hackerville.
“While we improve technology, the threat persists due to intelligent hackers. Therefore, my focus will be more on identifying the probable or possible data leakage avenues like mobile phones, social networking websites, app security and dark web besides creating more awareness among my employees.”
S Sridharan, VP & CISO, NCDEX
“In environments where security sprawl is occurring as fast as digital transformation, traditional approaches to security don’t stand a chance against determined and well-armed cybercriminals looking to target the expanding attack surface. Securing these complex, distributed, and continuously evolving networks requires developing and deploying security devices that can provide business-level digital performance, consistent functionality, and seamless interoperability.”
Rajesh Maurya, Regional Vice President, India & SAARC, Fortinet.
“Our preventive controls do not evolve as quickly as an attacker’s tactics, techniques and procedures. Considering this, the challenge for CISOs is being able to detect attacks in real-time without false positives. This does two things – (1) Changes the SOC mindset to one that assumes breach. You can defend better if you know what you’re dealing with. (2) Orchestration, the long-cherished dream of a world where remediation can be done with minimal human involvement, becomes a reality if you have high-confidence alerts that do not need to be vetted by an analyst.”
Amir Moin, Head of Product, Smokescreen
“With respect to Cyber Security my priority is to get the paper work as per the framework of the ISO and PCI – DSS standards. We also need to develop new engineers in cyber security.”
Deepak Kalambkar, AVP Infrastructure, Safexpay
How has the Internet made Data the most valuable asset of an organization?
Businesses in 2019 are fundamentally dependent on the Data that they collect and collate through their operations. Customer information, employee details, internal business formulas: there is no end to the confidential information that the business needs to keep secure. This information, if leaked, will not only lead to the loss of personal and professional data and huge financial risks, but can also potentially wreak havoc on the market reputation of the brand. How many of us would dare to get into a business relationship with a company that has had its security breached in the past?
Yes, Technology has been incredibly conducive to the modern marketplace. It has revolutionized all industries beyond recognition. But it has also led to a very real, exponential increase in the risks faced by a business. It has fallen on to the CISOs to protect the organization from the same Technology that has allowed it to thrive in the enterprise market.
“Enterprises are also feeling the heat from regulators, governments to beef up their security defences. Due to privacy acts coming into play, there is a fair amount of legal scrutiny about how data is being used. With the boards of companies also being questioned, now they are also asking the CEOs about cyber security readiness of the organisations.”
Pankit Desai, Co-founder and CEO, Sequretek.
The CISO’s Struggle in the Modern Enterprise
What makes Technology hard to keep up with is that it evolves faster than human understanding. So, by the time the CISOs wrap their heads around a potential security threat, and begin planning protection against it, the hackers are well on their way to breaching the barriers through a more evolved technology.
This means that the CISOs are stuck in a loop and can never really achieve absolute security. It will always be subject to technological advancement. The CISO’s struggle then is not just to stay updated and constantly vigilant, but also to ensure the flow of funds for making this vigilance practically possible.
“Recently we have seen various new technologies coming into the mainstream. Trends related to Artificial intelligence, Blockchain and IoT will rule the year but in terms of cybersecurity, we should gear ourselves to witness more of data breaches, ransomware and malware attacks.”
Alok Gupta, Managing Director and Co-Founder, Unistal Systems Pvt Ltd.
Because the performance of the Security department cannot be traced in quantifiable parameters, it becomes impossible for the CISO to present a convincing case to the Finance department.
Add to this the fact that Security as a business operation does not productively contribute to the company’s ROI. It fundamentally works on hypothetical grounds. Its success is not measured in terms of the revenue that it has generated or how useful the security department has proven to be by streamlining the operations of other departments.
As the CISOs and their teams are not directly responsible for generating income for their organizations, they tend to lose their fair share of the budget to other departments that bring in quantifiable profits.
Addressing this complexity Rick Howard, CSO, Palo Alto Networks, says, “The core objective of the CSO/CISO is to prevent material impact to the organization. You can’t define that in terms of ROI because protecting the enterprise isn’t going to bring in any money. Rather, I would advise CSO/CISOs to calculate and present the potential cost of a hypothetical breach if leadership fails to properly invest in security. Everything from business disruption and loss of customers to consequential legal fees and remediation can rack up the bill more quickly than leadership may realize.”
The Security framework then works by negation. Its success is marked by the absence of a substantial data breach. Substantial, because security threats cannot be absolutely eradicated or protected against. There will be bumps along the road, and that’s how you know that the Security Framework has proved to be a success. It contains the road bumps and prevents them from turning into a full-blown wreckage.
“For any CISO, the IT security budget allocation is very important, it should be done according to the severity of the data value. For instance, any data which is worth 1 lakh rupee, we can invest Rs 20,000 on its security, it is justifiable but at the same time we should not spend 1 lakh rupee to protect Rs 20000 value data. So, depending on the sensitivity, privacy and importance, budget of each entity is decided. Proper risk analysis should be performed with probability taken into consideration that what would be the consequences if something wrong happens,” said Manish Kumawat, Director, Cryptus Cyber Security.
But the problem is that it cannot be done without the support of the entire management. It requires huge funds, and the CISOs then need to answer for how those funds have been utilised and whether it was really crucial and/or beneficial for the company to do so.
“Legacy infrastructure has got to be refreshed. Technology is advancing rapidly in so many areas. Enterprises need to review their legacy software and hardware and make significant investments to upgrade to the latest and greatest platforms which have significant security benefits built in that address today’s threats, not yesterday’s problems.”
Sandeep Puri, Country Manager – India and SAARC, Gurucul.
“Cyber security has become mainstream in terms of getting a seat at the boardroom. The executive board is now held accountable for cyber security, so the budget should fit the responsibility. What is the risk to the organization if intellectual property gets stolen? How much will a breach cost in terms of restitutions and corporate reputation? It all depends on the industry and the extent of the cyberattack. CISOs need the right mix of people, process and technology. And, they need the right technologies to address their company’s specific cyber security needs. It’s safe to say cyber security budgets are on the rise as they should be. It’s up to all of us to ensure that budget is spent wisely,” said Sandeep Puri, Country Manager – India and SAARC, Gurucul.
Though this might appear to suggest a very basic understanding, that might not always be the case.
Lack of Awareness among the Management and Employees
This is due to a disjunct between the understanding of the Security Executives and that of all the other departments of the company. Their job then becomes doubly complicated: they don’t just have to understand the Technology, the possibility of a breach through a chink in the company’s armour, and the possible repercussions of the same. In order to justify the existence of their department and the funds that they are spending, they also need to break down this information in a way that can be understood by the top-level management, who are not trained in the technicalities of Security Frameworks in the way CISOs are.
So, the next problem that the CISOs encounter is the lack of awareness amongst the different levels of the organization. Its effects are not limited to a particular level of the management; they percolate throughout the organization. A lack of awareness in the top-level management will directly result in insufficient funding for the Security department or lack of assistance from other teams.
“As a CISO, I look for the tools being configurable enough to meet my particular requirements and give me the advantage to modify the data collected. I feel the customer has the right to use the data collected for customizable dashboards and even interfacing with other tools for a collective analysis, if required.”
Amit Dhawan, CISO, Birlasoft
“In the present times, the top priority is creating a culture of Cyber Security in the organization. In addition, this approach has to be top-driven. Once the senior leadership understands the threats and the possible Risks, it becomes easier to drive that agenda,” said Amit Dhawan, CISO, Birlasoft, acknowledging the need to educate and inform the employees of the company, starting at the top.
This unawareness about Security in its basic form takes on a rather ugly turn when it comes to the lower levels of the organizational hierarchy. The employees of the company being ignorant about the security protocols prescribed by the CISO, or them not understanding the importance of the same for the company’s financial and intellectual safety, can have serious consequences for the company. It can potentially lead to unintended data loss. Uninformed employees sharing their company credentials or being careless about confidential information are accidents likely to happen when employees do not receive adequate security training.
While the lack of awareness among the top-level management can make it extremely difficult for the CISOs to take adequate measures to ensure Security, the same, coupled with an absence of a regulatory framework among the employees of the organization can potentially render those measures moot.
Advancement of Technology complicating Security
Even when the employees are well-trained in identifying potential breaches and reporting them immediately, the age of hyper-connectivity doesn’t make this an easy job to do. This means that the (I)IoT that is well on its way to becoming an indispensable reality across organizations, leaves a lot of chinks in the armour that are just waiting to be exploited by the hackers.
“There is a shift in the aims of attackers, from straightforward data theft to seeking to cause damage by targeting fundamental parts of critical infrastructure. Whilst the bulk of attacks will still focus on stealing data because it is easily monetizable, there is, however, a more worrying type of attack on the horizon, and that is infrastructure sabotage.”
Sanjay Aurora, Managing Director, APAC, Darktrace
“The Internet of Things (IoT) allows for infinite connections to take place. Offices are now equipped with Internet-connected air-conditioning units, smart coffee machines, and video conferencing systems. But this means there are more avenues for cyber criminals to slip into the organization unnoticed. Our digitally interconnected world means that network boundaries are more porous than ever, and the resultant security vulnerabilities may remain unbeknownst to the security team. Yet, security for IoT devices is an afterthought, which makes it difficult for the security team to detect and remediate potential threats in a timely manner,” said Sanjay Aurora, Managing Director, APAC, Darktrace.
“There is a trend of adoption of AI by attackers. Traditionally, if you wanted to break into a business, it was a manual and labor-intensive process. But AI enables the bad guys to perpetrate advanced cyber-attacks, en masse, at the click of a button. We have seen the first stages of this over the last year – advanced malware that adapts its behavior to remain undetected. It won’t be long before we see full blown AI-powered malware in the wild and we enter a true cyber arms race,” said Sanjay Aurora, Managing Director, APAC, Darktrace.
Facing Insider Threats
Not all challenges to Security come from external factors or from the ignorance of the internal forces. Insider Threats are a very real Security Threat faced by businesses.
CISOs will have a hard time safeguarding the company’s data from external breaches, if they are also constantly worried about Insider Threats. Therefore, it is important for them to have a mechanism to deal with the insider threats, so that all they have to worry about are the external hackers and not being torn apart from within.
Commenting on his strategy for mitigating insider threats, Amit Dhawan, CISO, Birlasoft, said, “Insider threats are real and we understand the risks associated with that. We support numerous businesses worldwide and cover several international regulations. Any kind of loss or disruption is not acceptable to the organization, and I feel this acknowledgement is the first segment of the strategy. The associated controls, which form the next, include administrative and technical capabilities, along with deterrents in the form of censures. However, in my opinion, the most effective strategy and real implementation depends upon training or awareness of people, and even their managers, who will always be the first to notice the tell-tale signs. The detective controls, and their knowledge to the employees helps the case further.”
What is the Solution?
In such a scenario, being a CISO is hardly a cake walk. With a huge number of security solution providers available in the enterprise market, and a real threat right at their doorstep, the CISOs need to make a quick and informed decision that maps out the security framework of their organization.
Security vendors across the industry are of the opinion that Technological forces like Artificial Intelligence, Machine Learning, etc. will play a crucial role in the Security trends in the coming years.
“While allowing and restricting access to certain content and application for employees is the go-to strategy that is followed for cyber security, this does not solve the problems for many CISOs. The challenge is to allow employees to use business critical SaaS applications while ensuring such applications are not misused in any manner.”
Sonit Jain, CEO, Gajshield.
“Visibility is key to cyber security and the technology that will spearhead the cyber security space in coming years is something which will help in creating advanced visibility of network to organizations. Contextual Intelligence is a technology that deep dives into a SaaS application and creates context beyond just the application data for an advanced visibility. Machine Learning based on contextual intelligence will also help in identifying and protecting organisations from zero-day threats and data breaches,” said Sonit Jain, CEO, Gajshield.
“Rather than focusing on traditional threat-centric approaches, organizations need to deploy security innovations that deliver risk-adaptive protection, which allows enterprises to dynamically and automatically adapt enforcement based on the changing levels of risk and focus on the interaction of human beings and critical data.”
Harshil Doshi, Strategic Security Solutions Head, Forcepoint
“As security threats are becoming complex and insider threats loom larger than before – behavior analytics will be a major trend in 2019. Not only will User and Entity Behavior Analytics (UEBA) solutions be attractive to customers – but embedding behavior-based decision making will become the cornerstone of all existing cyber security solutions, such as NGFW, DLP, and Cloud Security,” said Harshil Doshi, Strategic Security Solutions Head, Forcepoint.
Having said that, there is a need to acknowledge the complexities associated with the use of AI and ML in the Security framework of the business. Their implementation might not always serve to alert the CISOs. Sometimes, it might just mask a red flag. Addressing this issue, Amir Moin, Head of Product, Smokescreen, said, “Consider a UEBA solution. It ingests a lot of data to establish a baseline of behaviors. It then flags any activity as suspicious that deviates from the baseline. This is a great application of AI & ML. But under certain circumstances this could also end up baselining the behaviour of malicious insiders as normal. So, after deployment if a high-privilege system admin goes rogue, the UEBA solution will not flag their behavior as anomalous.”
Talking about the crucial decision of selecting a security solution, S Sridharan, VP & CISO, NCDEX, said, “Perfect security solution is a myth like cyber resilience. We may try to identify less false positives but more accuracy in the solutions. I will focus on use cases, success of PoC, support service availability and business continuity needs, etc. for selecting the best tool. There are security products which come with preliminary condition to enable some security risks like enabling cache, macros, etc. This needs to be validated. User friendly is one more concern. As a CISO, cost and meeting regulatory requirements is critical for any product.”
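The baselining failure described above, as an added Python illustration that is not from the article or from any UEBA product: a per-account z-score baseline is learned once from a clean window and once from a window in which the misuse had already begun, and the same day is scored against both. The feature names, the threshold and all activity figures are constructed for the example.

```python
from statistics import mean, stdev

# Hypothetical features tracked per day for one high-privilege admin account.
FEATURES = ("privileged_file_reads", "mb_outbound", "after_hours_logins")

# Constructed sample data: ten days of ordinary admin activity.
CLEAN_WINDOW = [
    (20, 35, 0), (22, 40, 1), (19, 30, 0), (21, 38, 0), (23, 42, 1),
    (20, 36, 0), (18, 33, 0), (22, 41, 1), (21, 37, 0), (20, 34, 0),
]
# Constructed sample data: the same account, but bulk copying was already
# under way when the learning period started.
CONTAMINATED_WINDOW = [
    (400, 900, 4), (380, 870, 5), (420, 950, 4), (410, 920, 6), (390, 880, 5),
    (405, 910, 4), (415, 940, 5), (395, 890, 6), (400, 905, 5), (385, 875, 4),
]
# The day being scored after deployment (constructed).
OBSERVED_DAY = (410, 930, 5)


def build_baseline(window):
    """Learn {feature: (mean, stdev)} from a learning window of daily tuples."""
    columns = zip(*window)
    return {name: (mean(col), stdev(col)) for name, col in zip(FEATURES, columns)}


def deviations(day, baseline, threshold=3.0):
    """Return {feature: z_score} for features deviating beyond the threshold."""
    flagged = {}
    for name, value in zip(FEATURES, day):
        mu, sigma = baseline[name]
        if sigma:
            z = abs(value - mu) / sigma
        else:
            # A feature that never varied: any change counts as a deviation.
            z = float("inf") if value != mu else 0.0
        if z > threshold:
            flagged[name] = round(z, 1)
    return flagged


def compare_baselines(day=OBSERVED_DAY):
    """Score the same day against both baselines to show the masking effect."""
    return {
        "clean_baseline": deviations(day, build_baseline(CLEAN_WINDOW)),
        "contaminated_baseline": deviations(day, build_baseline(CONTAMINATED_WINDOW)),
    }


if __name__ == "__main__":
    for label, flagged in compare_baselines().items():
        print(label, "->", flagged or "nothing flagged")
```

Against the clean baseline every feature of the observed day is flagged; against the contaminated one the identical day scores as normal, which is why the learning window itself needs review before its output is trusted.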
Summarising the strategy to face the Security question, Rajesh Maurya, Regional Vice President, India & SAARC, Fortinet said “Organizations need to begin by anticipating attacks by implementing zero-trust strategies, leveraging real-time threat intelligence, deploying behavioral analytics tools, and implementing a cohesive security fabric that can gather and share threat intelligence, perform logistical and behavioural analysis, and tie information back into a unified system that can pre-empt criminal intent and disrupt criminal behaviour before it can gain a foothold.”
Keeping the organization’s data secure is a constant struggle. No matter how hard the CISOs try, by the very nature of Technology they cannot attain a point of absolute Cyber Security. What they can achieve, though, is a state of optimum security by providing against the potential threats and minimizing the losses should there be a security breach.