How do you see the debate over the Govt’s stand on reserving the right to access citizen data by following due legal procedure, against the backdrop of the WhatsApp data snooping episode? How can enterprises safeguard themselves against such attempts? Your guidelines for CISOs.
I feel that a lot of conversation around data security and privacy, especially when the government and citizen data are involved, misses the deeper nuances of the argument. The need of the hour is for all stakeholders – the government, public representatives, industry leaders, and security experts – to come together and define a comprehensive data policy. While the regulation must protect the user’s right to their private data, it should also allow government agencies a means to gain access to this data in matters of critical public importance.
Regardless of the eventual conclusion of this particular debate, one thing is quite clear: organisations must secure their enterprise networks, particularly in light of the growing BYOD adoption at the workplace. WhatsApp is present on most smartphones used for communicating, sharing, and storing sensitive business information and is also used on larger devices such as PCs and laptops through web-based clients.
This makes it essential for CISOs to ensure that their workforce is aware of the need to keep their device OS and software updated and patched to the latest versions. Periodically rolling out in-house newsletters containing the latest security threats and best practices can help here, as can conducting awareness and sensitisation workshops across all levels.
Most importantly, CISOs need more in-depth visibility into their network security and health. The increasing integration of newer devices and the seamless interconnectivity that they facilitate are giving rise to a host of security vulnerabilities and threats. Reacting to these challenges in a timely manner requires CISOs to be constantly on top of their network profile at all times. This is only possible if they have real-time network visibility at all times – necessitating the deployment of state-of-the-art cybersecurity solutions that can enable seamless vulnerability mapping.
In general, in terms of data security, what are enterprises (CISOs) doing wrong, and what remedial measures do you suggest?
Visibility remains the biggest data security challenge that CISOs face. Ensuring seamless, real-time access to relevant security insights is essential for ensuring robust security operations. This is why CISOs need to implement cutting-edge vulnerability management and application security solutions, such as ESOF (Enterprise Security in One Framework) by TAC Security.
Through this AI-based vulnerability management platform, we help in-house security teams assess, track, and manage the various vulnerabilities present in their network on a single dashboard. Since the data is collected from across the enterprise IT infrastructure, ESOF is also able to analyse the network security posture in greater depth and present actionable insights that can be seamlessly implemented with a few clicks. Such solutions can help CISOs and their security teams streamline their operations while ensuring more robust threat defence across the board.
Many companies are building their API infrastructure. How can companies protect their API platform?
There are certain easy-to-implement and well-understood practices that you can apply to secure your API endpoints. To begin with, allowing API consumers to talk over ‘http’ or other non-secure protocols is not advisable as doing so puts the end-user at a significant threat risk. Man-in-the-middle attacks or packet sniffer tools can easily compromise passwords, secret keys, and credit card information and make them available as plain text. Making ‘https’ the only option for API endpoints is, therefore, the preferable choice for CISOs – no matter how trivial the endpoint.
Other measures that can be deployed to improve the security profile of the enterprise API infrastructure include one-way password hashing and strong authentication processes. It also helps to implement input validation to verify the data supplied by a user or application and enforce IP address filtering, if applicable.
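The measures listed in the answer above (https only, one-way password hashing, strong authentication, input validation and IP address filtering) put together in a single request handler. This is an added example written for this page in Python; it is not code from the interview or from TAC Security's products. The user table, source-address allowlist, request schema and the shape of the request dictionary are all constructed for illustration, and the PBKDF2 round count is kept low so the demo runs quickly.

```python
from __future__ import annotations
import hashlib
import hmac
import ipaddress
import json
import os
import secrets

# Demo configuration: user table, allowlist and schema are constructed for
# this example and are not real values.
PBKDF2_ROUNDS = 210_000  # raise toward the current OWASP figure (600,000) in production


def hash_password(password: str, salt: bytes | None = None) -> str:
    """One-way, salted PBKDF2-HMAC-SHA256; stored form is 'alg$rounds$salt$hash'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    alg, rounds, salt_hex, hash_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    # constant-time compare: a plain == leaks how many leading bytes matched
    return hmac.compare_digest(digest.hex(), hash_hex)


USERS = {"alice": hash_password("correct horse battery staple")}
DUMMY_HASH = hash_password(secrets.token_hex(16))   # checked for unknown users
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
SCHEMA = {"amount": (int, 1, 100_000), "memo": (str, 0, 140)}  # field: (type, min, max)


def ip_allowed(client_ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:          # malformed or spoofed header value
        return False
    return any(addr in net for net in ALLOWLIST)


def validate(payload: dict) -> list[str]:
    """Allowlist validation: every field typed and bounded, nothing unexpected."""
    errors = []
    for field, (typ, lo, hi) in SCHEMA.items():
        if field not in payload:
            errors.append(f"{field}: missing")
            continue
        val = payload[field]
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(val, bool) or not isinstance(val, typ):
            errors.append(f"{field}: expected {typ.__name__}")
            continue
        size = val if typ is int else len(val)
        if not lo <= size <= hi:
            errors.append(f"{field}: out of range {lo}..{hi}")
    errors.extend(f"{f}: unexpected field" for f in payload if f not in SCHEMA)
    return errors


def handle(request: dict) -> tuple[int, dict]:
    """Minimal endpoint: request carries scheme, client_ip, user, password, body."""
    # 1. Transport: refuse plaintext outright, no matter how trivial the endpoint.
    if request.get("scheme") != "https":
        return 403, {"error": "https required"}
    # 2. Source address filter, where the client population is known.
    if not ip_allowed(request.get("client_ip", "")):
        return 403, {"error": "source address not permitted"}
    # 3. Authentication against the one-way hash. Unknown users are checked
    #    against DUMMY_HASH so response time does not reveal valid usernames.
    stored = USERS.get(request.get("user", ""))
    ok = verify_password(request.get("password", ""), stored or DUMMY_HASH)
    if stored is None or not ok:
        return 401, {"error": "invalid credentials"}
    # 4. Input validation before any business logic touches the data.
    try:
        payload = json.loads(request.get("body", ""))
    except json.JSONDecodeError:
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(payload, dict):
        return 400, {"error": "body must be a JSON object"}
    errors = validate(payload)
    if errors:
        return 400, {"error": errors}
    return 200, {"accepted": payload["amount"]}


if __name__ == "__main__":
    good = {"scheme": "https", "client_ip": "10.1.2.3", "user": "alice",
            "password": "correct horse battery staple",
            "body": '{"amount": 250, "memo": "invoice 42"}'}
    print(handle(good))                                   # (200, {'accepted': 250})
    print(handle({**good, "scheme": "http"}))             # 403: plaintext refused
    print(handle({**good, "client_ip": "198.51.100.7"}))  # 403: address not allowlisted
    print(handle({**good, "password": "wrong"}))          # 401: hash mismatch
    print(handle({**good, "body": '{"amount": -5}'}))     # 400: fails validation
```

The checks are ordered so that the cheapest rejections happen first and credentials are never examined over plaintext; in a real deployment the scheme check belongs at the TLS terminator or reverse proxy (with HSTS), and the IP allowlist only helps where the set of legitimate callers is actually known.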
In the boardroom, what kind of questions should the CISO be asked to ensure a stable enterprise security roadmap?
On average, CISOs/CIOs spend around 30% of their time reviewing and analysing the nitty-gritty of security reports collated by their teams. And yet, they struggle to find the right answer when asked about the organisation-wide cyber risk by the board. This highlights the lack of an insights-driven approach to evaluating the enterprise security risk – something which platforms such as TAC Security specialise in.
I also feel that, more than the CISO, it is the boardroom that must be asked questions pertaining to enterprise security. How much are they willing to invest in managing security operations? Are they willing to adopt a security-first approach, even if it sometimes means that the business output and revenue might take a hit in the short-term?
The answer to these questions, in today’s increasingly digitally-driven world, must be ‘yes’ for any organisation looking to sustain and grow its business in the long run. The digital momentum is unstoppable; more devices, tools, and solutions will be integrated into enterprise networks as we work towards a seamlessly connected future. At the same time, the threat landscape is becoming more sophisticated with every passing day. Conversations around critical issues such as data privacy and data security are also intensifying.
In such a scenario, senior business leaders at organisations need to understand that security has become a critical boardroom imperative and must be treated as such. Every decision must be analysed from a security perspective. More importantly, organisations must foster a security-led culture across all levels within the workplace. That, in my opinion, is the only way to ensure a stable and robust enterprise security roadmap.
India lacks the required amount and quality of talent in the space of cybersecurity. All companies are fighting for the same pie. What’s your strategy to make sure you get the best from what is available?
Skilled talent, especially in the cybersecurity space, is hard to find. The gap in the demand and supply has also led to a substantial increase in the pay scales for cybersecurity experts. This is why, at TAC Security, we prioritise hiring fresh graduates straight out of college as part of our three-pronged approach to talent management: hire, train, and retain.
Armed with the passion to continuously learn, unlearn, and relearn, these new-age professionals are eager to augment their skillsets. Over time, they gain domain expertise and become adept at addressing sophisticated cybersecurity issues, allowing them to mentor and guide the next wave of graduates. Senior cybersecurity professionals are also hired on an as-needed basis to complement the growing scale of our operations. This approach not only helps in creating a sustainable talent pipeline but also ensures that our employees are able to achieve better professional growth – all the while maintaining the revenue bottom-line and improving profitability.
That said, there is a critical need for domain players to collaborate and take proactive steps to address the skills-related challenges within the Indian cybersecurity domain. Creating a dedicated industry-wide platform for attracting and training talent will be a good step in this direction and will ease the current skills constraints that the industry faces. This, in my opinion, is the need of the hour.
What are the current industry trends in the cybersecurity ecosystem?
As the recent furore on the WhatsApp data snooping demonstrates, data security has become an important conversation in the cybersecurity domain. The need for more effective data protection and data security solutions is obvious and urgent, if recent cases of large-scale breaches across the world are anything to go by. The recent implementation of global data protection policies is indicative that the focus on data will only intensify in the future.
The growing BYOD adoption and tech integration at the workplace have also given rise to concerns around IoT security. Device OEMs and system integrators are already exploring partnerships with top cybersecurity companies to ensure more robust security at the hardware level. Service providers that offer digital services and solutions through connected devices are also looking to secure their API integrations, service delivery models, and partnerships. This makes it another lucrative area of opportunity for players in the cybersecurity domain.
How does TAC Security ensure the safety of the IT infrastructure, data and digital assets of enterprises, government organisations and departments, PSUs, etc.?
Guided by the vision of “Securing Cyberspace: Securing Future”, TAC Security offers state-of-the-art products and services to public and private organisations across the globe. The foremost is ESOF, a one-of-its-kind security intelligence dashboard that uses AI-based algorithms to track vulnerabilities and provide actionable insights and solutions in real-time. As part of our security consultancy portfolio, we offer services such as security auditing, vulnerability assessment, and network penetration testing to enterprises.
Such an end-to-end provision of cybersecurity services and products helps us in minimising the threat risk that our clients face. We want to ensure that businesses can venture forth into a digital tomorrow without having to constantly look over their shoulders about existing and emerging security challenges. To this end, we are strengthening our product portfolio and have recently launched ESOF 2.0, a new and improved version of our vulnerability management and application security platform. We are also in the process of launching more innovative products, such as threat hunting, that cater to evolving market requirements.
Who are your biggest clients and where do you see the need for Cybersecurity the most?
As a cybersecurity start-up empanelled by CERT-In, TAC Security is offering its range of state-of-the-art products and services to more than 150 domain-leading organisations. Some of our most prominent clients include Bharti Airtel, Reliance Industries, National Payments Corporation of India (NPCI), DHFL Pramerica, NSDL, and HDFC. We are also working with several government agencies – both in India and internationally – to secure their internal networks and assist in the creation of security-oriented policies.
The convergence of digital technologies and business processes means that no organisation, no industry can afford to ignore the critical business requirement that is cybersecurity. Many businesses are already taking steps to bolster their cybersecurity readiness and ensure that their operations, consumers, and data remain protected from threat actors.
However, while the need is present across all industries, we see the maximum scope of growth in sectors that are undergoing a rapid transformation on the back of digital disruption; this includes industries such as healthcare, BFSI, and education. We also foresee a huge growth opportunity for a cybersecurity player such as TAC Security in IoT security and manufacturing.