How to make your company secure in today’s digital age
CXOs agree building a strong security set-up is challenging, but it’s crucial if
firms want to profit from digitization
Mumbai: Digitisation is rapidly changing
business models, but as the world gets more and more digital, it is being
exposed to graver security threats as devices get increasingly connected. In
this context, senior executives (CXOs) across sectors such as banking, financial
services and insurance (BFSI) and manufacturing participated in a round-table
conference in Mumbai on 27 May organised by Cisco in association with Mint
to discuss ‘Enterprise security in a digital age’. The group was unanimous that
building a strong security architecture is challenging, but crucial if
companies want to reap the benefits of the digital era. Here are edited
excerpts from the two keynotes and round-table discussion:
Be prepared, security threats will only rise: IDC
With businesses continuously being pushed to digitize faster, building a strong
security ecosystem is crucial to accelerating the pace of digital
transformation and overall growth of the individual companies, according to
Jaideep Mehta, managing director for India and South Asia region at research
and advisory firm International Data Corporation (IDC).
Mehta said that security is the digital accelerator and an enabler rather than
something holding back digital transformation.
“Security is not just about risk mitigation. As the boundaries of an organization
expand—whether through mobile devices or through partners and
distributors—security plays very much an enabling role other than something
which is holding you back,” he added.
With robots replacing human workers, and 3D printing and artificial intelligence
starting to revolutionise the manufacturing sector, technology leaders should
be cautious of the risks these technologies are opening up, Mehta said.
Systematic hassles will emerge down the line, and equally, risks are being
created which will be challenging to manage, he added.
“There used to be a time when cyber-attacks were a big fat virus running across all
over the world. Those used to appear in newspapers and all the rest of it. Now
what is happening increasingly is a much more targeted approach,” Mehta said.
He pointed out that to counter modern-day and future threats, firms need to start
thinking in a more holistic manner, apply analytics in detecting the
vulnerabilities of the system and understand the pattern of attacks.
A significant percentage of stolen data has actually ended up with employees of
the organization, most of which are being poorly monitored, cautioned Mehta.
Companies should be making aggressive investments in monitoring outbound
traffic and catching anomalies, he said.
“Hackers and the bad guys are getting better and better in spotting the one weak link in
the chain and attacking right there. You would have the best of technology in
the world but if your CEO’s password is 123—Best of luck. Unfortunately, that
is still the most common password in the world.
“I will stick out my neck and say that all organisations at some point will get
hacked at some point or the other and when you do that procedures,
technologies, resources you have put in place should be able to respond to that
intelligently and minimize the damage. What kind of risk management are you
putting in place there? It is an opportunity for most organisations to improve
themselves,” Mehta said.
Security architecture needs long-term perspective: Cisco
Companies need to take strategic steps and put safety mechanisms in place in a holistic
manner to counter the growing number of cyber security threats that are getting
more advanced and sophisticated, according to Pravin Srinivasan, lead, security
sales at Cisco India and SAARC, or South Asian Association for Regional
Cooperation.
“The flip side of digitization is that it opens up to a lot more security threat...
Once you try fixing one problem, something else opens it up. It seems fairly
obvious that we should open up our organizations and allow mobile device
access. But the fact of the matter is you have to take a lot of steps before
doing that because security threat is a growing concern,” Srinivasan said.
How can one use security as a business enabler?
According to Srinivasan, understanding the behavioural base is the only way to look at
security threats. “What is it doing which it is not supposed to do; where is it
coming from; is it coming from source that is not trusted? Has it gone to
another place that’s not trusted? That’s the kind of information that one needs
and that is visibility”.
Srinivasan said that safety mechanisms and systems should be as broad-based as possible
and should be threat-focused, failing which a lot of risks will be posed by
data branches as well as remote offices. “Traditionally, the approach is, I’m
moving to the next generation firewall. So I’m going to put a next generation
firewall at my perimeter and that will give me a lot of visibility. But is that
sufficient? Probably not,” he said.
Srinivasan insisted on the importance of having an architecture and long-term security
strategy in place to counter threats. “A security architecture means a couple
of things. One is it’s long term—3-5 years’ perspective. There is a definite
road map about what needs to be done. Where are the gaps today and where you
need to go. You have to have an architecture for collaborations and
applications you are going to build,” he said.
Lastly, he said organisations should look at outsourcing the security services to a
third party which has the expertise in the field, as there is a limit to what
in-house professionals can do to protect systems.
“We have to look how best we can do to get the best of resources outside the
organization. Because threats keep changing every day. So it’s impossible for
an in-house organization to keep tracking all the threats. When you have
organisations outside who are looking at it globally, obviously they are having
a much deeper focus and people who are able to look at different angles,” he
said.
“Sometimes there is paralysis because of too much of analysis. The point is we need to
start somewhere. Finding that one person to do everything is a fairly utopian
idea. In security, we need to realise there is a limit to what one can do.
Start somewhere, start small and realise where to outsource and whom to
outsource to,” Srinivasan said.
What BFSI executives say
"There are two types of
organizations. Those that know they are being hacked and those that do not
know... no matter how thick we have already set the wall, you cannot conquer
this field of security. It is important for all organisations to build a strong
cybersecurity response team with necessary tools and a strong skill set.
Secondly, you need a platform specially in a large organization such as
financial services where you can correlate that information and data that we
collect on a daily basis."- Munish Mittal, chief information officer, HDFC
Bank Ltd
"We are out there putting our
solutions and applications, but customers are their own enemies today. We have
tried very hard by putting out ads and spreading awareness about phishing but
we keep reading articles about customers giving away PIN numbers. The other
harder part is that we love to download everything that says it’s free; what
ends up happening is that people are putting a lot of malware in their phones.
On the corporate side, we face challenges because specially in the middle and
smaller markets, awareness about some of the risks is limited; we have seen a
number of cases where either email accounts of customers have been hacked, or a
similar sounding email has been sent to customers, changing supplier bank
account detail, and inadvertently customers sent money to incorrect bank
accounts."- Vikram Subrahmanyam, managing director, Citicorp Services
India Ltd, and head of operations and technology, Citi South Asia
"We speak about preventions and
we speak about tools, etc. But what is more worrying is that we don’t get the
right resources to tell us whether there is an attack in the organisation or
even afterwards. We, too, have a hard time finding an Indian partner to help us
in building encryption within our required areas."- G. Shenoy, chief
technology officer, NSE
"While we are aware about
security threats to our systems, we are still not there in terms of how we are
trying to mitigate these threats. Right now what we are doing is more reactive.
Nobody has looked at building a security architecture in a holistic manner. We
have to look at the architecture and figure out what we have and whether we
have covered everything or the things to watch out for?"- Anup Purohit,
chief information officer, Yes Bank Ltd
"I think there has to be a way
IOCs (indicators of compromise) can be shared among various organisations.
Locally, everybody sees some specific indicators of compromise at the end point
or at the network areas; we need to share that information locally within the
country. Right now, most of the IOCs that are being shared are detected from
countries such as the US or UK. There is a tussle between machine learning and
the talent which is available to consume the kind of information which is coming
in. We are defaulting at finding the real talent that can analyse the
information."- Ashutosh Jain, chief information security officer, Axis
Bank Ltd
"Losses, due to cyber theft, turn
into millions of dollars. Insurance is the back stop and it is probably the
most efficient form of capital that I have seen. To buy a million worth of
insurance which is contingent capital, it can be triggered or called upon under
certain situations. The average cost would be about $4,000-5,000. This is half
a percentage of cost of capital (which is about 6-10%) if companies were to
keep that risk on their own balance sheets."- Anup Dhingra, practice
leader, financial and professional lines, Marsh
What executives in manufacturing sector say
"Pharmaceutical is one of the
heavily-regulated industries around. So the kind of impact that loss of data
could have is different from what other industries and sectors could have. We
are a heavy research and intellectual property (IP)-based industry. We spend
about 12% of revenue on research and development. As an industry, we have been
acquiring a lot of companies and expectation is to get integrated from day one.
And most of the companies that we acquire come with their own legacy
infrastructure and legacy security set-ups. We want them integrated from a
business perspective and do integrate them from an IT perspective standpoint
but we are still leaving significant holes all around the world and these are
vulnerabilities that get exploited."- Mayur Danait, chief information
officer, Lupin Ltd
"There is a growing awareness,
but the point is to think about it in a holistic way when approaching security.
One big challenge is that vendors and service providers have their own
solutions—these are never holistic. Even the managed service providers talk in
bits and pieces. So the challenge is to first conceptualize what we want and
then have an offering around it."- Pankaj Bhargava, chief information
officer, Pidilite Industries
Other sectors
"It is good to have a platform
approach theoretically, but every time I feel that I have got a homogenous
environment, our organization goes for another new acquisition. I have to go
back and re-create all the work and make sure that it is homogenous again. It
is easy to talk about a platform-based solution, but it is complex... the
reality is it takes time, to figure out what you’re really looking for."-
Gaurav Kataria, chief information officer, Cyient Ltd
"I don’t think there is dearth of
funds but again the nature of spending is always becoming reactive. Two years
back when I joined my company, we saw about 60 attacks a day. The biggest
(DDOS—distributed denial of service) attack what we had in India is about 40
gigabytes (GB) and last week we had an attack about 90-100 GB. So it’s ramping
up phenomenally."- Vishak Raman, associate vice president/global product
management, MSS and CDN, Tata Communications
"People need to pay attention to
smaller things than the big ones... it’s the little gaps which the hacker is
waiting to exploit... that’s where investment is needed."- Sunil Mehta,
senior vice president and area systems director, Central Asia, JWT
Source | Mint – The Wall Street Journal | 12 July 2016
Regards
Pralhad Jadhav
Senior Manager @ Library
Khaitan & Co
Best Paper Award | Received the Best Paper Award at TIFR-BOSLA National Conference on
Future Librarianship: Innovation for Excellence (NCFL 2016) on April 23,
2016. The title of the paper is “Removing
Barriers to Literacy: Marrakesh VIP Treaty”
Note | If anybody uses these posts for forwarding in any social media coverage
or covering in the Newsletter please give due credit to those who are taking
efforts for the same.