Businesses are becoming increasingly sensitive towards recognizing cyber security as one of the top risks for their organizations. In such a situation, the role of a chief information security officer (CISO) assumes center stage as they are faced with an ever growing threat landscape. Particularly, there have been a slew of cases of cyber attacks and frauds across industries. This is true especially for the banking and financial segment. The top management of companies realizes that cyber security needs to be prioritized along with the business. On the other hand, businesses also expect that initiatives taken in this regard are not counterproductive or affect agility adversely. All of this makes a CISO’s life tough. Muqbil Ahmar (MA), Executive Editor, Grey Head Media caught up with Amit Pradhan (AP), CTSO, Chief Privacy Officer and SVP – Tech Security, Vodafone India Limited over challenges and issues that face the industry today.
MA: The threat landscape keeps evolving rapidly these days. What steps do you think are necessary in order to mitigate advanced security threats such as zero-day exploits and ransom ware?
AP: Strong security basics consistent across the technology landscape is required to strengthen the security posture of infrastructure and thereby the environment. Secondly, usage of anomaly detection tools and a strong threat intelligence function within an organization shall provide a better chance to address and mitigate zero-day exploits, ransom ware and other advanced threats. This means ensuring 100% patch implementation in smaller cycles, coverage and effectiveness of end-point security and in-depth monitoring of connectivity channels, Anti-APT solutions, etc. will provide more visibility to the network and system. This, in turn, shall help prevent, detect, and respond to advanced threats.
MA: Do you think the use Artificial Intelligence (AI) and Machine Learning can enhance security defense efforts?
AP: It is becoming increasingly difficult to ignore AI or cognitive computing initiatives in cyber defense and cyber security. The amount of security data generated with the numerous tools that are developed and deployed has started causing significant concern to CISOs for the lack of decision-ready insights. While SIEM, Big Data and Analytics are evolving, the dependency on human logic, event interpretation and manual validation are slowing one’s ability to proactively detect threats and quickly respond to them. Additionally, how does one ensure that organizations keep learning and building organization-specific intelligence? AI seems to be the answer to most of these challenges today at a theoretical level. Proper adoption of AI technologies, relevant use case and the consideration of required time for maturity to get accurate outcome shall ensure exceptional usage of AI capabilities.
MA: Does it make sense for an organization from a financial and resource perspective to outsource information security?
AP: Outsourcing security services has the same business drivers as any other function. The security risks with outsourcing can be categorized into two types, namely, service risks, and vendor risks. Service risks are the inherent risk of outsourcing and security controls may not significantly influence the risk posture. Vendor risks however are dependent on a vendor’s commitment and maturity for security. Vendors have the opportunity to invest in security controls to mitigate vendor risks. The decision and extent of outsourcing security are similar to other functions considering the commercial aspect, resources, and the area of core expertise. However, one must note that the final accountability for security and therefore the liability associated lies with the organization’s top management team. The extent of outsourcing, level of decision-making and distribution of responsibilities need to be balanced between the insourced and outsourced teams.
Moreover, during litigation or judicial proceedings, an organization must have the ability to demonstrate effective forensic data retrieval and integrity of data. As we move towards automation of security processes and build a framework of decision-making, increased number and type of security processes, technologies and management can be outsourced. With any kind of outsourcing, the key to extract the maximum benefit depends on how strongly the organization is able to govern the outsourced environment to meet the agreed SLA and thereby meet the objectives of outsourcing.
MA: How do think cyber security will impact the business in the context of today’s threat landscape?
AP: Businesses are becoming more sensitive towards recognizing cyber security as one of the top risks for their organizations. The statutory regulation in most of the countries, including India required the board to mention the top 10 risks. Especially with so many recent cyber frauds in the banking and financial segment, the top management has come to recognize that cyber security is worth prioritizing with business. The business however expects that any initiative taken in this space must not be counterproductive and agility averse. While the CISOs struggle to keep the business safe with the changing threat landscape, the recognition from business and management does not necessarily translate into a tangible investment for most of the organizations. All organizations today have “Digital” as a key strategy initiative which essentially aims at a better go-to-market strategy, lower turnaround time for new projects, unification of customer service channel for better experience, customer profiling and customer preferred services. If one looks closely at all these requirements, one common theme that emerges is how to deal with the increased customer data and use of customer identity. Business, however, fails to encourage integration of cyber security at the design and concept stage and treats it as either the last gate/stage before go-live or as a separate cost to be managed by a different function called cyber security.