Enterprise security is complex and ever evolving. CISOs frequently face challenges in justifying the cost of security and in choosing a specific security tool. Ashutosh Jain, CISO, Axis Bank, explains how CISOs can justify the economics of enterprise security to the business.
The cost of security should be considered not only against the breach scenario but also against the organisation's digital roadmap. The aspiration of companies to connect with their customers, employees, shareholders and other stakeholders through digital means brings with it an inherent security risk. Investment in these digital solutions therefore brings the cost of security along with it.
Naturally, the question arises of why one should invest in security when, on a daily basis, there are no major security incidents. It is the same reason that protection like seat belts and helmets exists, and the same reason that industries like airlines and manufacturing have a plethora of security procedures.
The bottom line is that information security becomes a part of the business when it is considered alongside the digital path the company has visualised. Security then no longer remains an afterthought.
Challenges for CISOs
In the wake of increasing digitalisation, the availability of the required IT security budget is not a challenge for CISOs. The challenge is a lack of understanding of why a particular security tool is useful. Many security professionals lack the skill of recognising and understanding the problem, and then having the right viewpoint to find a solution.
Often, they end up buying a particular product because a company in the same space has bought it. The same applies not only to products but also to implementation partners. There is no sound rationale: just because a peer has bought a product from a particular vendor or hired services from a specific implementation partner, certain infosec professionals do the same. A number of these professionals still cannot explain what an Intrusion Prevention System (IPS) is and why it is required. They have a misconception that an IPS is unnecessary when a firewall is already installed. The truth is that an IPS is critical for detecting certain deep-packet attacks on the network that a firewall's port- and address-based rules do not see.
One needs to understand how attacks are carried out, detected, trapped and then remediated. Unfortunately, this understanding is missing in some CISOs. The end result is that CISOs land themselves in the tangle of buying products that others are buying. Consequently, there is no RoI and, as a result, no budget is allocated for any other solution. It is a vicious cycle. CISOs should have an in-depth understanding of security products. The right talent should be hired before building teams with complementary skill sets, who can get to the root of the problem and take the right decision. Budget is not a constraint if these prerequisites are in place. Money will never be a roadblock if the problem is understood in its entirety and a close-to-foolproof solution plan is proposed.
Security: Not a function, but everybody's job
Security should be inculcated in every practice and function of the IT department. For example, developers should understand the importance of secure coding. This helps in managing security right at the root, i.e. at the coding level. Understanding the different ways in which code can be compromised and then looping that knowledge back into security is a best practice. Network admins can explore secure network architectures. Every function in IT should think from a security angle about whatever it buys, does and implements. As far as budding security professionals are concerned, developing deep technical domain expertise is a must.
Going forward, threat hunting and threat modelling professionals will be in demand. While many professionals are getting into security testing, there is not much talent available from a security architecture, threat modelling and cloud security angle. These areas require a deep intellect.
CISO reporting structures
The CISO function is becoming equivalent to other CXO roles, so much so that in some organisations the CISO reports directly to the board and not to the CEO. This development follows the recent spate of ransomware attacks and the threats that linger as cybercrime has become more organised. In the BFSI industry, however, CISOs are supposed to report to the respective CXOs as set out in the RBI guidelines: either the Executive Director or the Chief Risk Officer. Board members are extremely concerned about cyber security and ask many direct questions. They ask the right questions and ask for relevant advice. This is becoming an industry-wide phenomenon. Board members are also pointing in the right directions on managing the security posture. India is much better placed in this respect than many other countries.
Potential of AI in solving security issues
AI and ML have huge scope in solving information security challenges, and there are vendors who are already claiming ML capabilities in their solutions. Even hackers are trying to use AI to stage attacks, so defenders will have to catch up. AI has tremendous potential, but capturing the data from the various nodes is critical: data can either be captured and processed at one central point or at the various nodes themselves. Endpoint behaviour analysis tools exist, and we use some of them. There are also deep tools with advanced analytics capabilities that can process data centrally. AI will have an edge over other tools in separating false positives from genuinely suspicious traffic.