We continue to invest in and build more competencies for cyber resiliency in this hybrid and meta world: Infosys’s CISO, Vishal Salvi
In an interview with Express Computer, Vishal Salvi, Chief Information Security Officer & Head of Cyber Security Practice – Infosys, highlights the one thing that all organizations should have at the top of their agenda: building a robust cyber resilience program using the security by design approach, while also ensuring user experience and employee productivity.
EC: Can you elaborate on the growing importance of cybersecurity in today’s hybrid landscape?
Vishal Salvi: The switch to remote or hybrid working models along with the introduction of digital collaboration tools and techniques now requires an expansion of the IT infrastructure – and a holistic enhancement of the existing security practices. The new way of working invariably comes with cyberattacks targeting devices outside of secure office networks. Employees working from home/anywhere rarely have robust firewalls, network intrusion detection, and other defenses that are built into their business premises. In such situations, cybersecurity success depends not just on how much organizations are willing to spend on security tools that need to be deployed but on clear policies defined to secure organizations and a strong inclination towards continuous implementation and enforcement.
EC: What are the vulnerabilities you are seeing related to current trending ransomware/malware?
Vishal Salvi: Organizations need to be cognizant of the fact that a hybrid workplace can make it difficult to detect and respond to anomalies, threats, and cyber-attacks in a timely manner. Ransomware and phishing attacks that occur targeting individuals in unsecured environments are most damaging. These attacks are known to have caused organizations to lose hundreds of thousands of dollars. While the tactics of hackers haven’t changed drastically, they have resorted to some intelligent categories of vulnerabilities such as remote code execution – arbitrary code execution, privilege escalation on the applications, operating systems, and browsers. There are zero-day vulnerabilities and living-off-the-land attacks, which essentially entail that more and more hackers leverage native operating system commands for malicious purposes and to evade detection.
EC: What are the ways in which enterprises can balance security and convenience to optimize the workplace flexibility?
Vishal Salvi: Enabling employees to work from anywhere and simultaneously ensuring data security is every organization’s requirement. It is imperative to find a balance between security, agility, and quality. One thing that all organizations should have at the top of their agenda is building a robust cyber resilience program using the security by design approach, while also ensuring user experience and employee productivity.
With the hybrid work culture prevalent, moving to the cloud, providing seamless access to data, and securing it is imperative. Most organizations are on a quest to drive digital transformation through cloud and SaaS models.
Organizations are encouraging BYOD for employees thereby enabling them to use their personal devices for work related activities. If such devices get compromised, the data and crown jewels of an organization could be seriously jeopardized. Solutions such as MDM – mobile device management can be adopted to tackle such threats and safeguard organizations.
Also, adopting a Zero Trust Security strategy should be a pressing priority too. It essentially means protecting your digital estate by applying a “never trust, always verify” approach.
Along with this basic security hygiene, organizations must also create awareness and a culture of security among their stakeholders by providing extensive training, lists of dos and don’ts, best practices, etc.
EC: Why is it important to relook into the existing security processes and identify gaps in them?
Vishal Salvi: The hybrid work culture has led to many new opportunities and pitfalls for cybersecurity. If organizations are not on top of their security game, they may fall off the wagon completely and face repercussions in the form of regulatory noncompliance, reputational loss/brand impact and financial loss, etc. It’s critical for organizations to identify vulnerabilities and remediate them in time before any bad actor discovers and exploits them to gain an unrightful advantage.
While continuous improvement should be a primary approach, a few other cyber security strategies that can be considered are tabletop exercises for cyber resilience, annual evaluation, and revision of best practices and procedures to add new methods and do away with obsolete policies.
These cyber resiliency exercises are usually carried out to evaluate the effectiveness and readiness of an organization across People – skillsets and awareness levels, Processes – efficiency & coverage and Technology – the ability to detect anomalies in case of a cyber event. Through this exercise, gaps are proactively identified, and relevant processes are set with apt know-how of actions to be taken in case of an incident.
EC: How is Infosys boosting the efficiency and efficacy of all technology assets for cyber resiliency in a hybrid and meta world?
Vishal Salvi: Infosys Cyber Security practice is powered by tools, methodologies, frameworks, and highly skilled resources. We continue to invest in and build more competencies for cyber resiliency in this hybrid and meta world. By driving an enterprise mindset towards secure-by-design at every stage of the business lifecycle, we minimize security risks while maximizing the visibility of the security threat, impact, and resolution. We also optimize cost and amplify reach while making our customers secure by scale, ensuring that our focus on innovating next-gen threat protection solutions in newer technologies will secure their business’s future. We actively resort to tabletop exercises and phishing simulation to build cyber resiliency. We resort to orchestration and automation, not only for threat, detection, and response but also for additional cognitive IT hygiene activities.