Prashant Dhanodkar, CISO, SBI General Insurance Company, gives his views on the evolving role of security professionals in the new digital era
How is the new digital era impacting the role of CISOs?
In today’s digital environment, corporates are aiming to achieve strategic business goals with extensive use of technology. A CISO can no longer stay merely in a conservative and denial mode; the role demands that a CISO be a critical business partner and an enabler, and take on more responsibilities within the organisation. My role at SBI General is to collaborate with the business, support each initiative with the appropriate cybersecurity controls and be a security mentor for the business verticals. I provide them with a clear understanding of security goals and organisational risk management objectives. I assure the business that they will have the last laugh, with a more secure service or product on the platter.
How can CISOs stay ahead of cyber risks?
A CISO is required to revisit and refresh security policies and ensure they are up to date with new technological advancements and regulations such as GDPR, the Indian Data Protection Act and DISHA. A CISO may strengthen the incident response plans and ensure compliance with global standards. Organisational security programmes are to be aligned with security frameworks like NIST, ISO, SANS or PCI DSS if they are not yet aligned.
In addition, CISOs are required to be fast and furious learners with a huge appetite; this helps in quickly understanding emerging technologies, followed by a fair assessment of the cyber security risks associated with those technologies. In the longer run, every modern technology will catalyse business growth if the coupled cyber risks are addressed appropriately. For instance, two or three years ago, the cloud became the buzzword. Cloud adoption was initially mired in security myths. Over a period, organisations and the CISO community learned the cloud models, the security features offered by cloud providers and the segregation of responsibilities between cloud customer and cloud provider. Today, cloud providers offer a very aggressive and robust security foundation, which is much better than traditionally built in-house security capabilities. Had the cloud technology been understood quickly, the initial time could have been well utilised in leveraging the cloud's value offerings, which come with enhanced security.
The Internet of Things (IoT) is projected to be a US$ 3 trillion industry with 50 billion devices in use by 2020. However, the fact is that 70 per cent of IoT devices are laden with vulnerabilities, making them highly susceptible to cyber attacks. Every CISO should be worried about the risks these connected devices impose on the organisation.
Prior to the adoption of newer technologies, a CISO should strongly advocate a secure-by-design approach. And post adoption, the NIST philosophy of Identify, Protect, Detect, Respond and Recover should be followed in letter and spirit. Uplifting SOC capabilities would come in handy, as a next-generation SOC facility would help a CISO stay ahead of emerging threats. Machine learning and artificial intelligence are already fuelling SOC technology and tools, and strengthening detection capabilities. The AI-enabled SOC with early detection capabilities is the key to mitigating cyber threats.
How are you mitigating the risks, and linking them back to business benefits?
A threat source is an actor in cyber parlance. A CISO needs to play the role of a resilience officer for the organisation. A resilience officer is required to mitigate the risks by countering those threat sources. CISOs should work with the objective of converting the cyber security department into a profit centre. A visual demonstration of the revenue saved by successfully defending against attacks would be helpful for a CISO.
How real is the security skills gap?
The cybersecurity skills gap is a much-debated topic today at every possible forum; however, one must understand at what level it exists. In a country like ours, a vast number of engineering and technology graduates are supplied to the services industry every year. I find abundant skills at the entry level, be it in VA/PT, SOC analysis or security technology management. Junior security professionals are full of energy and do have an appetite for learning. Most probably, the industry is lacking senior overarching leadership with the right business acumen who can put multiple pieces together to create a robust cyber ecosystem. Cyber leaders capable of visualising the correct security roadmap that suits the business best are the need of the hour.