Cybercrime is on the rise, and the cyber threat landscape is changing dramatically: every day brings fresh news of compromised systems. The global cost of cybercrime is projected to reach US$6 trillion by 2021. The past year was dominated by ransomware attacks such as WannaCry, NotPetya and BadRabbit, and experts expect things to get worse. Chief information security officers (CISOs) need to take a fresh look at cyber security; at present they are playing catch-up, and reducing risk calls for new approaches. With the General Data Protection Regulation (GDPR) coming into force, privacy concerns take center stage, and organizations that fall short on compliance may pay dearly for their lapses. Today most organizations take a defensive, reactive approach to cyber security, commonly known as incident response.
According to Meetali Sharma, Head, Risk Compliance and Information Security, SDG Software India Ltd., a CISO needs to be far more proactive about security and focus on zero-day attacks. In all this, getting the basics right is of paramount importance. “You know it, but you still need to make sure that it is done. If there are some patches that have been released by Microsoft, then you have to ensure that they are installed in the next 10 days, as you don’t know which ransomware or malware may come up. Similarly, one needs to have security controls within the organization to make it secure. Moreover, the CISO needs to be on their feet,” says Sharma.
Sharma goes on to provide a checklist which, in her view, would stand CISOs and their organizations in good stead when it comes to mitigating cyber security risks.
One of the main things every CISO needs to focus on is raising awareness among employees as well as customers. Educating employees about the risks they face is essential.
CISOs need to monitor their security posture continuously. Even when few incidents occur, monitoring must not stop.
Stick to the basics. Patch management is crucial in this regard.
Be proactive, as the threat landscape is changing rapidly. CISOs will have to anticipate threats and prepare for them, and threat intelligence is critical to this. An appropriate response depends on correlating the right data from your environment.
A great deal of work is now done remotely. People are on their mobile devices all the time and access applications through them, and many organizations have BYOD policies. Stronger policies are needed to govern this.
There has to be proper training of employees, particularly the junior ones.
There was a time when CISOs had generous budgets, but things are different now. Management will push you to buy cheaper technologies that deliver more value in order to drive costs down. One has to be careful about which tools are bought from the market and deployed: it is no longer easy to deploy a product and then remove it after a few days if it is not up to the mark. Make your choices prudently.
CISOs need to do a proper risk assessment, and assess the financial implications, before approaching their respective boards. Tell them about the financial impact if the organization doesn’t follow your suggestions. Apprise them of the risks involved. Tell them that this is the need of the organization, and the management will see the logical reasons for it. I don’t think that, with a thorough approach, organizations would refuse your proposals. My board has never said no to me.