Anuprita Daga, CISO, Reliance Capital, in conversation with dynamicCISO, delves into what is on her priority list for the next one to two years. She also throws light on the on-ground reality of placing the security onus on business functions, and on how organizations need to ingrain the security fundamentals into their business leaders.
Shipra Malhotra: As a CISO, what are some of your biggest challenges today?
Anuprita Daga: With digital transformation, lots of new ideas are coming in, leading to changes in business models and the adoption of new-age technologies such as cloud and mobility. As a result, we are operating in a perimeter-less world today. Thus, the biggest challenge as a CISO is to ensure that security is built and ingrained into the entire digital transformation strategy.
Another challenge is around the shortage of the right skill sets. Most of the resources available in the security domain are either technical or functional. We need resources that understand both business and technology and can balance both skill sets.
The third challenge as a CISO is around working along with business – that level of relationship building, knowing the business and then defining the program along with the business.
SM: Talking of working closely with business, this is one of the key mandates for CISOs today. But how far do you see business taking on the onus for information security?
AD: Although on paper we talk about business departments as data owners, in practice we are still lagging in it. Whenever there is a data breach, are the business function heads called by the CEO, questioned and penalized as to why the data was not categorized as classified and why the policy was not being monitored? The answer is mostly no. It is the CTO/CIO/CISO who is called by the CEO, questioned and held accountable. So far, they have only been measured on the business numbers. It is time that they are measured on business as well as on any kind of security violation or breach in their business function. For example, if somebody has shared a password, then the function head should also be held accountable for it.
SM: How can organizations make their business functions more involved in the security strategy?
AD: It is very important to include business functions in the whole security arrangement and also make them accountable for it. That is the only way to get data privacy issues resolved. So, just as we have a tech person and a governance person within the security function, organizations should also get a business person to be a part of it, so that risk can be seen from the business angle as well. Also, the business leaders should be re-oriented to think about security and privacy right at the beginning, while designing the business processes. This way they will be able to ingrain security right into their business design. This will also help build a strong security foundation for the organization.
SM: What are your priorities for the next one year?
AD: One of my major focus areas is enhancing our Security Operations Centre (SOC), and we are continuously working on that. A lot of focus is also going to be around the area of data privacy, with a lot of emphasis on improving data classification and transferring ownership to the business users. User behavior analysis is going to be another focus for us, considering the proliferation of ransomware attacks and people bypassing the technology controls – whether they are going to some other sites or trying to access some data, bypassing the proxy. User behavior analysis is a part of our program to identify and address insider threats, which is a very critical area to be addressed. We are working on first carrying out analysis in our SOC to understand user behavior, following which we will define our whole program around countering insider threats.
SM: On the technology front, what role do you see AI/ML playing in enhancing enterprise security?
AD: Information security has become so dynamic, with multiple drivers, that organizations today need security analytics to be more proactive than reactive. AI/ML will be most useful in having an early response to cyberattacks in place. It is an integral part of the next-generation SOC. With cyberattacks becoming more organized and sophisticated, a lot of attacks will go undetected without the use of AI/ML. Besides that, it can really help in effective fraud detection through the use of mature algorithms.