Regulation, Reputation & Revenue are important drivers for effective cyber security: Dr Yask Sharma, CISO, Indian Oil Corporation Limited
In an exclusive interview with Express Computer, Dr Yask Sharma, CISO, Indian Oil Corporation Limited (IOCL) shares his thoughts on the future of cyber security in the light of the pandemic and how it can be managed effectively
As the popular saying goes, “you can’t manage what you can’t measure”. How do you measure security and how important it is to know your adversaries?
This question has been very widely discussed in countless technology forums. So in my opinion, knowing the adversaries is important. Not just us, but if you look at the current landscape amongst the security professionals around the world, they are probably going through the same situation; they may know a bit about the adversaries and also are aware of the fact that a lot of money is being pumped into this.
I believe that security or defense is a function of skill, time and money. And if one attains the abundance of all these three factors that would ideally be a safe environment for any organisation to thrive in. Unfortunately, the attackers and the defenders usually lack in one of these factors, time being one the factors that a defender may lack.
Therefore knowing that these attackers are well equipped and have a lot of time in their hands, we must be well prepared in advance and with the appropriate knowledge.
Also, if you look at big organisations which deal in critical sectors, the security professionals there are always at war and risk.
And, talking about the measure of security, I do not think there is a need to measure security. But if you talk about the fact that since how long have you not been penetrated or breached, that could be different. I think more than being worried about the measures of security, we should rather devote our time in the preparedness, anticipation and having prompt solutions to the risks. I strongly believe that the security aspect is a continuous game and if one wishes to be completely safe then there is no rest.
Cloud has seen rapid uptake in the times of the pandemic. What are the benefits of cloud native solutions?
According to me, the cloud has been in existence for a while now and I don’t think that there is any room of doubt when it comes to the benefits offered by the cloud. And yes, in the last two years the usage of cloud has massively increased and many companies have chosen to move from on premise to cloud networks.
One of the most crucial benefits that the cloud offers is the flexibility of expansion. But I still don’t say that all organisations should move to the cloud as somewhere I still believe in the old thought process of having a part of the critical infrastructure has to be on-premise, due to the fact that the security is in front of me gives me more confidence and trust in the process.
One very important factor for security professionals is to adhere to the compliance part, which can also be termed as regulation. There are multiple drivers for security. Regulation, Reputation and Revenue are said to be the three R’s which are pertinent for effective security. I think regulation plays a very important role, especially for the organisations which are larger and have a lot of data.
Another important factor that the cloud offers is enhanced security, but I still think that it also comes with some costs and risks attached. As, if I am looking to secure a very critical application, then I would have to clearly define my requirements and then take the solution from the cloud. So before choosing a cloud or on-premise network, it is far more important to know what kind of security you are looking for.
- Cyber security has witnessed a change during the pandemic. What do you see as the future of cyber security?
I do hope it remains promising as my career is dependent on it. Now to answer your question, with or without the pandemic, cyber security has been in this moving goal post environment; the goal keeps changing and the skills need to be changed every now and then.
The solutions that we have in the cyber security domain are reactive in nature. If you notice the solutions that are being offered in the market to cyber security professionals to work with are those that are catering to the problems that are already surfaced, implying that we are always reactive in nature and one step behind the attacker.
So I feel that we need to invest more time and money in predictive analysis or trying to predict the potential risks and be ready to tackle it efficiently when the problem arises.