CISO’s role has become more of a Chief Cyber Risk Manager
Earlier, the role of a CISO was more focused on technology risks and the CISO was more identified as a technologist, but with digital and payment ecosystem coming up, demanding regulatory expectations around cybersecurity and growing awareness about data protection among customers, a CISO’s role has become more of a CCRM's (Chief Cyber Risk Manager), says Sameer Ratolikar, Executive VP & CISO, HDFC Bank
As enterprise environments get more and more digitised, how is it changing the security dynamics ? Can you share what were the dynamics before and how is the scenario now ?
Based on few research papers, world’s 90 percent data is is generated in the last 24/ 30 months. There is clearly a information explosion and revolution in SMACP ( Social, mobility, analytics ,cloud, payment ) domains by emerging fintech companies. This has resulted in the change /shift in security landscape -be it security trends or security threats . Some of the positive security trends are following
- Cyber security in banks has become a business item and is a part of the board agenda now.
- with GDPR applicability and obligation, there is a clear focus on “customer data protection”
- Cyber resiliency has gained a lot of focus because people have realised that apart from protection against cyber attacks , detection and response are equally crucial for effective threat management
- Machine Learning and AI has gained lot of momentum as the focus has moved to “reducing the dwell time”
- New areas like automation in the incident response , threat hunting, aggregation of threat intelligence in a platform are becoming essential strategic tools
As we are witnessing the evolution in the security trends, threat landscape has equally become innovated , complex, sophisticated and advanced. DDOS attacks and malware especially have become aggressive attack vectors. Recent cyber incidents clearly endorses this fact . All these trends and threat landscape have given lot of visibility to CISO’s role and the function has become extremely important.
As a result, what is required now and are the enterprises upto the mark ?
My view is enterprises should develop the cyber security framework revolving around 4 pillars viz:- Protect, Detect,Respond and Recovery . Each pillar further would have a list of controls. This framework would breakdown the siloed controls and give good visibility over the cyber kill chain. This has to be backed by adequate organisation structure and a strong governance, measurement around it. I have seen banking industry especially doing well here and the focus is clearly on cyber security risks like credit risk, market risk etc.
Often, it is said, enterprises are failing to follow the standard security hygiene like people awareness, strong passwords, regular patch management, etc. Would you like to add more to the list as a consequence of rapid digitisation ?
I would not like to generalise the gaps. But, these processes are extremely crucial to manage the cyber threats effectively. If we recollect the WannaCry and Not-Petya incidents -they were mostly successful in the organisations where patch management either wasnt designed or executed properly. In addition to these processes, Inventory of authorised software and hardware, privilege id monitoring, vulnerability management, password management is also crucial.
Is budgets an issue ?
Budget is an issue when the case is not presented in a simple language but contains technical jargons. The IS budgets should be proposed in a business language to the board / senior management. If the discussion is about the business risk terms, like vulnerability in the business applications, impact of the breach (Dollar value), sophistication of the attackers i am sure budget will never be an issue. The budget could also be an issue when there is no clear prioritization in the risk management and everything becomes perception driven.
Are people still the weakest link ?
Yes. Very true. These days, hackers are targeting employees by sending a spear phishing mail, making them click on malicious attachment and planting a malware on their machines. Once the malware is planted it carries out a lateral movement and captures the credentials / carry out privilege escalation. Recent incidents clearly substantiate this. In today’s situation, when identity has become a perimeter and we are living in a hyper connected world, social media and other channels can create a data leakage issue if employees ignorantly upload any classified documents pertaining to their organisation. So, employee awareness on the compliance to the security policies, usage of technologies is crucial to ensure holistic and effective cyber security programme.
How Emerging technologies can be leveraged in security, esp. AI ?
To my mind, AI has a huge potential to detect advanced cyber attacks. With computing resources becoming easily available and cheaper, AI algorithms have found good and meaningful use cases. Today, people use SIEM to identify and block the attacks. But, with rising complexity in the form of unknown attacks, behavior anomalies there is a vast scope for AI. Few examples of this are: Sudden upload happening from user’s machine to internet, CnC heartbeat detection, process anomalies, RDP login anomalies etc .
How serious is the board of companies in terms of security ?
In regulatory companies like banks, telcos, insurance and stock exchanges there is a growing focus on cyber security because of the impact of breach. These organisations have created or are in the process of creating a sound organisation structure, investing on the security solutions, skills development and awareness. There is also a good governance framework through which the board monitors the progress on cyber security initiatives.
How will the role of the CISO change in the next 5 years ?
In my view, the role of CISO is changing now . Earlier it was more focussed on technology risk and the person was more a technologist but with digital and payment ecosystem coming up, demanding regulatory expectations around cybersecurity, growing awareness about data protection among customers, CISO role has become more of a CCRM (Chief Cyber Risk Manager), where information and cyber security merges with business continuity (cyber resiliency) and data privacy. As cyber security risk has become a business risk, CISO is part of the senior management meetings and important digital business decisions.
If you have an interesting article / experience / case study to share, please get in touch with us at [email protected]