How are emerging digital technologies impacting the role of CISOs?
I'd like to call the emerging technologies in digital the A2E suite. These technologies are Artificial Intelligence, Big Data, Conversational Platforms, Distributed Ledger and Edge Computing. All these technologies not only hold tremendous potential to disrupt or transform current business models but also operate in the same realm of high volumes of data. In this globally connected, data-centric world that is fueled by innovation and agility, both CISOs and regulators have an increasingly challenging job to protect the interests of consumers, businesses and the state itself. It is this ‘data’ that is driving CISOs to continuously calibrate their approach on one side and driving regulators to define data protection legal tools on the other.
Continuous media coverage of emerging technologies and cyber incidents has ensured that business leaders are well aware of the impact of cybersecurity on achieving business goals and on reputation. That has led to CISOs going beyond their traditional responsibilities, and they are now playing an active role in guiding the decision-making process of digital businesses. At the same time, the toolkit of CISOs is getting smarter, more affordable and more scalable as well, gradually giving them better coverage and visibility.
As a CISO, what are the key challenges today?
Data breaches continue to increase across the industry, digital threats now have physical consequences, attack vectors are getting sophisticated… and the list goes on. But one key challenge that is standing out today across the industry is the legal and regulatory environment getting more complex across most major economies in the world.
New cyber laws and guidelines to protect citizens’ PII data and CII data across sectors are at different stages of development or implementation maturity across different countries, with many countries poised to control or restrict cross-border data transfer for certain data types. For global companies falling under multiple jurisdictions, it means increasing data localization and protection costs as well as data liability considerations.
The geographically agnostic nature of data ushered the world into globalization over the past few decades, and now the same data is being reined in. This is posing a steep learning curve for both regulators and the industry.
According to a recent Gartner study, more than half of major new business processes and systems will incorporate some element of IoT by 2020. How should CISOs design or plan for a secure IoT infrastructure?
Let me take the liberty to respond with a viewpoint that may be abstract at best but outlines a key principle that we may need in order to secure the increasing penetration of IoT in our lives. IoT, simply put, consists of devices with human-like senses, or beyond in many cases, that are connected and may have intelligence to help life or processes become easy and intelligent. IoT generates data that can be deemed sensitive and can be manipulated, if not secured, to cause disruption or damage of varying degrees. If such IoT devices are part of critical infrastructure or constitute PII data in any organisation, then they are likely on the radar to protect, both for regulatory compliance and from an organizational security posture. But given the penetration of smart devices and the risks, it is about time we equate PII with SII (Sensor Identifiable Information) and bring in similar privileges for SII as for PII.
Since you come from an Industrial company background, can you tell us what are some of the key things that enterprise practitioners need to prepare to roll-out a secure Industrial IoT (IIoT) environment?
Unlike traditional data breaches, where it’s mostly about sourcing and selling stolen information, cyber-attacks on industrial and critical infrastructure are often motivated by malicious intent to disrupt operations, which can place people, property, or the environment at risk. Many, however, remain unfamiliar with this intensifying risk landscape and/or lack insight into how to apply cyber security practices, especially within Operational Technology (OT) or IIoT that run large factories or critical infrastructure.
Some of the hygiene preparatory actions that practitioners must adopt include understanding the differences between enterprise IT and OT environments from an organisational, operational, and architectural standpoint. Most companies early in their industrial security journey take the misstep of conceiving industrial security as just another IT area to be secured. Another important aspect is to engage industrial security experts and control systems engineering teams early on. And last but not least, build an understanding of OT-specific security technologies and frameworks that will play a crucial role in securing the environment.
What are the security strategies and approaches to secure an Industrial IoT environment?
At the strategy level, securing Industrial IoT is not very different from securing Enterprise IT. Typically, it involves understanding the threats, identifying the risks, and implementing security monitoring and defensive layers to strengthen the security posture. The difference lies in the implementation of the strategy in the industrial environment.
Broadly, companies can start by creating a comprehensive security program that understands what needs to be protected. The program should have a deep understanding of Operations Technology (OT) systems, enterprise systems, physical assets, network infrastructure and the dependencies between these components. One must also consider the possible consequences of cyber attacks to establish the baseline for the security strategy.
Cyber security ownership and responsibilities should be established clearly between the IT and the Operations teams, under a common leadership. While IT teams focus on protecting data and systems, their OT counterparts must protect mission-critical assets and control systems. One must lock down OT systems with the right topology and protect them with intrusion detection. The right configurations must be applied to protect Industrial Control Systems (ICS) from outside attacks, and IT systems should be fortified at the edge of the Internet for such environments.