Information Security: At the onset, set the philosophy and strategy right, says N. Raman, Group GM – CISO, ONGC
The industry will always be replete with vendors and partners offering solutions, products and solution suites, but what is more important is the articulation and exposition of a security strategy and philosophy that the company should adopt to secure its information and physical infrastructure.
Enterprises should set the security philosophy right instead of focusing on security solutions, products, software, etc. The technicality of security should not be primary. On many occasions, information security is treated as an afterthought, whereas it should be seen as a business and board function, not a technical function.
Security is a board function now
Information security and cyber security should be integrated. “It should be embedded right from conceptualising to the disposal stage; e.g., zero trust is currently a widely discussed topic,” says N. Raman, Group GM – CISO, ONGC.
Typically, the operations department, for example, implements a solution to reduce cost or improve efficiency, and only then is it brought to the IS department, as an afterthought, for the sake of compliance. This is not the right approach. “There is a mad rush for acquiring solutions to immediate challenges and then gaps remain, when compared to regulatory requirements, which is a big challenge,” says Raman.
The corporate ecosystem is waking up to the realisation that the CISO role is a board function and relatively more important than other corporate functions.
Balancing growing digitisation and security requirements
ONGC comes under the Critical Information Infrastructure (CII) category. “Recently, requirements have come in to integrate the operations technology (OT) with the internet. This is a major challenge as it amounts to security repercussions,” says Raman.
There is a demand from the government for growth in digitisation to ramp up business productivity, coupled with an onslaught of security regulations of an unprecedented nature. It is imperative to balance both, which is also a major challenge for government organisations. The benefits of cloud computing are driving government adoption of cloud in one of the many options in which cloud is offered; however, it has its own share of security challenges too. The current staff is also ill-equipped to handle the changing technology landscape.
IS initiatives at ONGC
The oil major is setting up an information security operations centre (ISOC), which will be operationalised soon. Moreover, threat gathering is being done with the help of the government and IS vendors. “In case of breach incidents reported in the media, the remedial measures should not be taken on the basis of paper cuttings. One has to see the full picture and have a look at the hashes, IPs and domains, etc. Additionally, we are also getting feeds from National Critical Information Infrastructure Protection Centre (NCIIPC), CERT-In and MHA. Security feeds play a major role and provide insights about the global cyber threat scenario,” says Raman. The processes are being put in place in this direction.
ONGC is also in the process of laying out an initial set of baseline guidelines from the regulatory bodies for securing the OT systems. Initiatives on the people part of the people, process, technology triad are being taken. Endpoint security is of paramount importance, and thus VAPT tests will soon be exercised. A process of simulating phishing emails is already established, and the plan is to continue with the programme.
The regulatory regime issues lengthy guidelines and regulations, which apply equally to OT systems, so the company is mulling simplifying some specific guidelines on OT. Even globally, regulators have not arrived at a clear and conclusive regulatory approach.
On the adoption of cloud computing, Raman says it is more suited to customer-focused industries, where demand elasticity is higher than in the oil industry. “It’s also important that the skills of the employees are upgraded to match up to manage the cloud system and we are in the process of getting skill certifications. Even the world over, our kind of organisations haven’t gone for cloud adoption because of lack of demand elasticity,” concludes Raman.
N. Raman, Group GM – CISO, ONGC, was expressing his views during a vRoundtable organised by Express Computer in partnership with Forcepoint.