Indian Oil Corporation Limited (IOCL) is the country’s flagship Maharatna national oil company. Express Computer speaks to Deepak Agarwal, Executive Director- IT, IOCL to understand how the oil behemoth is driving digital transformation and focusing on cyber security measures. Few edited excerpts….
Please tell us about the digital journey of IOCL ?
The digital assets at IOCL have grown multifold and are worth more than they were before. They include customers’ personal, financial and transaction information. Obviously, the security around these assets varies greatly depending upon the financial and strategic value to the business, as well as the effectiveness of the security technologies and processes in place.
In your view, how have the dynamics of cyber security management changed, post the cloud becoming mainstream?
Although cloud is becoming an important delivery platform in the cyber security stream, we don’t see a very rapid transition from conventional on-prem model to purely cloud offering, specially due to the lack of complete trust on the cloud entities and the maturity of technology on the user side. But yes, surely over time this is going to be mainstream. We at IOCL are gradually moving to the cloud. Our large part of critical applications are still residing on-premise. We have our doubts on cloud becoming a main driver of digital change in the public sector. Cyber security is not solely a digital problem, it is a multi-layer challenge, one that involves the whole organization when creating a management strategy. Organizations need a risk-based management approach that implements an all-inclusive strategy to avoid and lessen risks posed by cyber threats.
How important is the role of the CISO at IOCL. Can you share your thoughts?
The CISO post is a must now as per the Government of India, being in a public sector company. With the recent advisory from Department of Electronics, each public sector organisation should have a designated CISO. IOCL comes under the critical infrastructure industry for the Government of India, we are directly monitored by CERT-In. They also have their security operation centers across India. For all the traffic from international lines coming to India, they have identified some critical infrastructure companies in oil and gas. IOCL is one of them. Most of the times, CERT-In keeps us informed about the identified threats. Hence, they become our first source of information. Over and above this, CISO, is a first line of information at IOCL for cyber security, mitigation and taking care of any emergency situation. He plays a significant role, but to meet the digital challenge, you must understand what is expected of you and what you aspire to.
What are the key concerns of a CISO ?
We have to protect our IT infrastructure from ransomware and phishing mails. Any cyber security attack brings bad reputation to the organization. Additionally, as more and more companies go on open platforms there is extensive technology integration happening on the business front. Investing in new technologies come with a challenge of securing these platforms across the fronts, be it hardware, software and end points.
Are you ready for the next plunge into new technologies like Artificial Intelligence and machine learning in security ?
AI is certainly a buzzword nowadays and is also running a risk of becoming only a marketing gimmick – some are already labeling AI as tech marketing’s ‘pixie dust’. Technology sellers want the customers to believe in the powers of intelligence, which obviously no one doubts, but the fact is that the current systems are nowhere close to what can safely be called as AI system. In true sense, we are yet to experience even prescriptive cyber security systems – AI enabled systems would be a natural progression from these. I think the very nature of problem in cyber security domain makes prescriptive systems difficult to implement. As in the case of metamorphism and polymorphism of malware, every malware looks different and therefore this variation in data becomes difficult for the current lot of cyber security systems to catch. AI as of now is not able to adapt to this variance. Today, AI isn’t perfect and can be fooled, but it is certainly making rapid progress. Even, attackers are using AI tools to counter these AI tools.
What are the top three trends you envisage in the next calendar year ?
I would like to see a single security solution, be it end points, internet, email gateways and APTs . Multi-vendors solution approach for security needs has to be consolidated. The second trend we see is a sharp jump in the IT budgets, and the large chunk of this budget will be spent on cyber security, at least 15-20% of the budget will be earmarked for cyber security as more and more customer services will be digitized. Public sector companies will be investing more on creating digital awareness through services like chatbots. Last but not the least, inroads in AI and machine learning. At IOCL,we will upgrade to SAP HANA that will allow us to explore new areas like AI, VR and supplier relationship. Lastly, we are preparing ourself for the future now.