CISOs should think strategically and align business priorities with security, says Uday Deshpande, Group CISO of L&T
In the light of the changing technology landscape, it’s very important for CISOs to adopt a particular security framework. This will instill a basic information security discipline among the various stakeholders in the enterprise environment, feels Uday Deshpande, Group CISO, Larsen and Toubro
The barrage of evolutionary concepts like blockchain, AI, etc are enhancing the efficiency and productivity of the organisation. As a parallel, these digitisation initiatives are also bringing along challenges on the security front.
It’s becoming challenging for CISOs to protect the content that is getting exposed online, because of a multitude of data streams getting generated due to digitisation. Most organisations are moving towards a perimeterless environment, which is blurring the boundaries between the company’s internal and external environment. The data’- both structured and unstructured, is getting exposed online. The Information Security (InfoSec) professionals are finding it increasingly challenging to secure this information in absence of effective discovery and classification machinery. The regulatory environment is also active and the data protection law, which has many similarities with the GDPR will also make it challenging in terms of identifying the personal data and then giving the adequate protection layers to the specific information such as employee and customer sensitive data.
At this juncture, when there is a shadow IT environment, because of the increasing scope of interconnectivity between different digital platforms, it is becoming difficult to get the visibility of the data – where does it reside, in what format and who is the custodian.
The adversaries are also becoming very sophisticated. “The last year belonged to ransomware. This year, many instances of hacking computer systems for coin mining have been reported. Coin mining doesn’t cease the company operations but hampers overall productivity,” says Uday Deshpande, Group CISO, Larsen and Toubro.
So what is becoming important for CISOs ? Agility to detect and respond to these incidents. The key is reduce Mean time to detect (MTTD) and mean time to respond (MTTR) to the best extent possible so as to reduce impacts of the incident.
Importance of a base level security framework
In the light of the changing technology landscape, it’s very important for CISOs to adopt a particular security framework like NIST, SCIPC, ISD, Information Security Forum, ISO 27001, etc. This will instill a basic information security discipline among the various stakeholders in the enterprise environment. The discipline should be measured and maintained on a sustained basis. Some of the important domains of information security – end user, network, software, internet, should have stringent controls and organisations as a part of the security framework should have mechanisms to measure the effectiveness of the controls put in place. The need is also to improve upon the existent practices on a regular basis.
“The most important aspect is not to have these practices being conducted as a routine task, for the sake of compliance and just to tick mark the doables, but to implement, embrace and measure them in letter and spirit,” says Deshpande. It’s found in many organisations that inspite of having acceptable usage policies, many executives ask for exceptions. It’s important to have a dedicated arrangement for such cases. The executives should be clearly communicated that the exception will be given but only with the caveat that the data flow in their device will be monitored. Unless these policies are not clearly communicated and adhered to, people will continue to make mistakes, whether advertently or inadvertently. Thus the primary role of the CISO in the organisation is to review the effective implementation of information security policies. The CISOs should measure, improve and report the findings to the management through risk governance.
Create your own framework
Deshpande also suggests CISOs to create their own framework. One size fits all frameworks might not be possible and give the desired results. “The CISOs should pick only those controls which are really applicable and fits the company’s requirements. The relevant requirements from different frameworks, like NIST, ISF and ISO 27001, etc, should be collected and put together into the customised framework and implemented, in the best possible way in an automated manner, which very well fits the requirements of engineering industries,” he says. The reason being, the sites of engineering industries, at times are located in far fetched areas. There is hardly any technology involved and thus to monitor them becomes challenging. In these scenarios, automation helps. Moreover, it also helps in actively measuring the different parameters of that site over longer durations and with complete accuracy. Otherwise, there are chances of the local officials fudging the data.
The key is to measure the effectiveness of the customised framework. “You can only mature what you have measured and acted for improvements,” states Deshpande.
IT security budget
These frameworks ask for technology tools, which have costs involved. The CISOs might not always get the required budgets. “A few years back, the budgets were incident driven. An information security breach incident would probably help in getting budgets approved. However, over a period of time, information security has gained the mind share because of the personal breach incidents like credit card frauds, Facebook related breach incidents, email phishing, etc. There is much more acknowledgement of the potential of the damage these incidents can have on the organisations too,” says Deshpande. This wasn’t the case earlier. The board wasn’t taking information security seriously and nobody was interested in talking about the threat.
The CISO now is getting ample support from the board. This refers not only for the IT security budget but also for getting the related manpower. The visibility of the CISO and the InfoSec department is increasing in the board and as a result, budgets are generally available with adequate reasoning. The main challenge for the CISO, is to justify the budget asked for. The best way is to measure the cost of the incident and justify the budget. The other ponderables for the CISOs include selection of technologies. There are a plethora of options available at the end user, network, periphery and at the cloud level. The key is to collaborate with the right combination of technologies, for them to work with synergy. For example, in case if there is a breach at the laptop level, the information should be shared automatically at the network level and with the required firewalls to block similar traffic.
Inculcating a culture of security
Security is 20 per cent technology and 80 per cent human. Before any new technology implementation, security has to be thought of at every stage of the process – designing, testing, production, etc. Every user in the IT chain is a key stakeholder in security.Without diluting the importance of technology tools, the human aspect to information security is crucial. Without the active and alert participation of the employees, customers, etc, organisations will keep on suffering from cyber attacks.
Generally, it is found that there are many instances of requests from key employees and in some cases from senior management to have USB access, access to the social media sites and email sites which may ultimately infect the systems. Similarly, if the developer introduces a cross-site scripting or SQL injunction vulnerability because of not following a disciplined approach, it may lead to site crash or data exfiltration attack. A discipline has to be strictly followed, that the code should not go into production without testing. An end-to-end secure SDLC has to be followed and practiced. It’s important to mention that security is always top driven and the senior management should act as role models.
(The views expressed in the article are personal and should not be considered representing the views of the company)