In an interactive discussion with Express Computer, Keyur Desai, CIO – Essar Ports & Shipping and Head InfoSecurity, Network & Communications – Essar, shares his perspective on the latest digital trends happening in his industry, while highlighting that innovative approaches in enterprise security must explored to stop hackers in their tracks
Some edited excerpts:
How do you see the present scenario of digitisation in your industry?
Advanced analytics, Manufacturing Intelligence (MI), IoT (Internet of Things), connected cloud computing with flexible consumption models & advanced cyber security solutions are some of the tech innovations that are really revolutionising various industry verticals including Manufacturing and Marine sectors. Industry 4.0 marked its presence through integration initiatives between the traditional industrial solutions along with the latest technology trends.
“Digital Transformation” as the term coined for Smart Manufacturing – focuses on the improved Supply Chain, Go-To-Market strategies, Customer Centric approach, Intelligent Information Management Systems, Well Collaborated Workforce Engagement, Reduced Manufacturing cost, Improved Manufacturing Cycle time, Cyber Secured Risk Analysis and much more.
Over the past couple of decades the focus has been more on the plant automation while enabling accuracy & productivity irrespective of the extreme working conditions. Data Analytics of the connected assets has added the visibility quotient thereby increasing informed decisions with simulations & predictive analysis. MES (Manufacturing Execution System) has played a vital role in better planning and data driven decision making concept.
As the Head for InfoSecurity, what are some of the challenges for you?
While the world is moving rapidly towards the Industry 4.0 digital transformation revolutionary journey, there is a word of caution as well – the advanced cyber threats have increased the operational risk for organisations. The Industry systems or in other words – OT (Operational Technology) & SCADA Systems have been traditionally not much geared up to tackle the advanced cyber-attacks and in this data connected world of IoT and AI (Artificial Intelligence) – the vulnerabilities of such systems can be exploited easily and the damage due to cyber-attacks can be devastating.
As the data goes digital, there has been a subtle increase in the cases of Cyber Crime that has directly affected the organisation’s reputation and its business strategy as well. There have been multiple cases of DDoS (Distributed Denial of Service), crypto-jacking, Malware & Ransomware attacks that have impacted & interrupted major online services of many reputed organisations in the last few years where the attack vector with magnitude has increased exponentially over the period of time.
Like any other crime scene, cybercrime also has more probability of insider threats than the external world and this includes data theft / leakage, malware injection, Man in the Middle attack and many more. This makes the situation more scary for organisations who’ve embarked their Digital Transformation journey.
Can you share some best practices that must be followed to maintain a robust IT security posture?
I personally feel, IT security is always a customised approach that needs to be shaped as per the organisation / industry vertical. While the basic InfoSec principles do apply on a larger scale, it still needs a better understanding of the overall IT landscape to ensure each & every aspect of data spread & information systems are covered while architecting the IT Security Strategy for the respective Organisation.
The risk based framework is a better way to set the baseline IT security controls for the Organisation. This can be very well referred using NIST based Cybersecurity Framework.
The overall IT Security strategy begins with the basic hygiene by keeping the IT systems, servers, applications & end points updated with the latest patches. A strong patching mechanism with better visibility gives a vital boost to the IT security posture. Application whitelisting helps bringing better control and also helps to a large extent in preventing the malicious software getting installed.
While the layered IT Security approach has its own benefits, one should also look for innovative approaches like Moving Target Defense, UEBA (User & Entity Behaviour Analytics), Automatic Intrusion Expulsion System to arrest the sophisticated intruders from lateral movement, identifying & eliminating the potential threats in real time scenario. A robust monitoring setup with AI & ML based solutions is one of the key initiative in identifying and arresting any malicious activity within the organisation. IT Security challenges will continue to grow, it is imperative for the Organisations to stay vigilant & resilient enough to detect, respond & remediate the incidents.
Importance of awareness as a good number of breaches happen either due to the insiders not following the security hygiene practices. IT Security Strategy is always a good mix of People, Process & Technology where the People part plays a very vital role. While Human is the weakest link in the overall IT Security Setup, User awareness to the basic hygiene helps to bridge this gap to a large extent. There has been a subtle increase in Social engineering attacks, spear phishing and advanced targeted attacks that can be prevented with a very well aware and alert end user.
A good mix of training tools & content helps in shaping up the Cyber Security Awareness Training programme. This includes continuous training schedules, cyber security awareness campaigns, timely communication to stakeholders, regular mock trials of phishing activities, internal awareness certifications, gamifications and much more.
Your view on IT budgets. Are CISOs getting enough ?
IT budgets have always been a challenge for any Organisation and it becomes even more challenging when it comes to budget for IT Security, especially in Manufacturing sector. It’s fortunate to be a part of the Organisation where the Senior Management is tech savvy and very well understands the importance of technology within IT & the perils of ignoring IT Security threats. However it is equally imperative to understand the IT pain areas within the organisation, evaluate effective solutions, articulate in a structured format and present it to the right stakeholders with a proper approach plan, budget requirement along with business risks & benefits.
I personally feel, in the recent past the business stakeholders worldwide have been quite aware about the Digital Transformation wave and IT Security threats – credit may be given to the ransomware attacks that shook the world with impact. This is also making the task of CIOs & CISOs bit easy in putting up the budget requirement in front of the management.
What according to you would be the top trends in 2019?
Some of the technology trends that should be in radar this year would be connected cloud computing with the mix of Public, Private & Hybrid clouds. Blockchain based Solution framework should see more traction in various different industry verticals. Chatbot based solutions that will minimise / remove human involvement in the routine tasks should be on the rise. MI (Manufacturing Intelligence) & IoT should be getting the right focus and with the increase in such initiatives – the advanced cyber security solutions will also get the right momentum.