We have a well-defined information security governance framework, says V Swaminathan of Godrej Industries
In an exclusive interaction V Swaminathan, Head - Corp Audit & Assurance, Godrej Industries, discusses the security framework in the group, and highlights how India's first Data Protection Law will be impacting the group
Please provide the information security overview at Godrej Industries.
At Godrej Industries, we believe that information security can be achieved as a result of collective efforts between business, IT and the information security team. Support from the top management is crucial when it comes to establishing an effective information security framework. At Godrej Group, we have a well-defined information security governance framework with definite roles and responsibilities across each business unit. The stakeholders work in co-ordination with each other to implement the information security policies effectively. Transparency in the systems is maintained by presenting the updates on the current happenings to the management committees on a periodic basis.
How is Godrej Industries embracing digital security?
We understand the requirement for digital transformation for business visibility and productivity, by providing ease of computing and flexibility to our employees. However, the fact is digital transformation in any organisation undeniably opens up a new set of cyber risks and threats. In order to encounter the expanding cyber surface, we have devised a simple two-pronged approach. Firstly, we bring in the information security perspective and controls right at the design phase of any digital transformation initiative. Secondly, we believe in continual improvement of security measures which are adaptable and scalable as per the changing technology landscape.
Please provide some recent examples of innovations/projects driven by you.
In lieu of the constant technological advancements, we believe in continual improvement of our security framework. We keep on evaluating various tools and technologies for cyber threat hunting in order to build a proactive security framework. In the manufacturing setup, we think that IoT is the next big thing. It is a comparatively new technology, which is being tried and tested in parts. We have been looking into development of security framework for IoT, which will be integrated with our overall security framework. Moreover, we have recently performed review of SCADA and PLC setup in our plants, based on which we are revamping our security policies and have taken up multiple improvement initiatives.
How do you fit security within your corporate culture?
While an organisation can have all the advanced tools and monitoring mechanisms in place, information security initiatives can be effective only when the people recognise and acknowledge their responsibility towards it. We try to implement measures so as to create an all-inclusive information security organisation. We have a defined code of conduct, which is signed off by employees at the time of on boarding. We conduct regular awareness sessions across all locations on the changes in the Information Security landscape, its impact on organisations and how as employees we can be mindful of these risks. The group keep the employees updated by sending notifications on the current cyber security threats through our internal social media platforms. Also, there is a mechanism in place enabling employees to reach out to the information security team with subject matter experts and report their concerns or seek guidance as required.
What are the possible challenges in your industry and how are you mitigating the same?
In the manufacturing industry, information security is not highly regulated as opposed to that in the financial and banking industry. Accordingly, a lot of effort has to be invested in convincing the business for implementation of any new security initiative. To tackle this we periodically present updates on information security threat landscape and the corresponding solutions, which are followed by constructive discussions pertaining to value delivered by the solutions post which such initiatives are taken up for implementation. Also, in the manufacturing industry, implementation of information security controls at a factory setup is challenging. The workforce at the factory setup is more of operational in nature and so there is an inherent gap in the requisite information security skill set. To bridge this gap, we conduct periodic information security trainings at the factory sites and also conduct assessments to verify the design and effectiveness of these controls.
How will the new data protection law affect you?
At Godrej Industries, we give high importance to customer data privacy and the upcoming data protection laws will help us instill the same in our culture. With the introduction of general data protection regulation ‘GDPR’ we initiated the discussions and comprehensive assessments of our data protection framework. We perceived this as not just a compliance requirement but as best practice and accordingly we implemented these controls not only for our European customers but for Indian customers as well. So by the time Indian data protection bill was introduced we already had some of these internal controls implemented.
The new data protection laws are customer oriented and have a lot of specific requirements. These requirements might trigger changes in customer front-ending processes. We consider compliance to these laws important and as a group we might even consider partnering with external experts to ensure the complete compliance.