Businesses now increasingly recognize cyber security as one of the top risks for their organizations. In such a situation, the role of a chief information security officer (CISO) assumes center stage as they are faced with an ever-growing threat landscape. There has been a spate of cyber-attacks and frauds across industries. Cyber security needs to be prioritized along with the business. There are a lot of new challenges faced by CISOs, predicated by phenomena such as hyper-convergence. Muqbil Ahmar (MA), Executive Editor, Grey Head Media, speaks with Subhajit Deb, Chief Information Security Officer (CISO), Dr. Reddy’s Laboratory, about the challenges that face the industry today.
Q. What is the biggest challenge facing CISOs today?
A distributed environment is the biggest challenge facing CISOs today. Now, we are operating in a highly diversified and hyper-converged IT landscape. You have systems hosted in your own data centers and you also have systems branching off. You have platforms which are either made by a third party or made in house. There are systems which run your data but are hosted at some other place. You have systems on the cloud. You have technology partners, you have integration with different vendors. So, your systems are accessed not only by you but also by your vendors and your partners. Plus, you have systems developed at your site with external data. You see there are different layers and that is the challenge. Had everything been in your direct control, you could have monitored and managed it. If everything is being managed by a vendor or a third-party service provider, you can build the right agreement with all the right kind of clauses, independently on your own. But when you have a multi-diversified and multi-variegated technology, it is very difficult to control. The job of a CISO becomes very difficult.
Q. Hyper-convergence is a reality today. This is where most businesses are headed. What is the solution to such a situation?
What is to be done is to create a centralized platform for governance. So, no matter who is using it or where it is, for anything to do with technology (including integration or vendor onboarding), if security is consulted right at the design phase and not as an afterthought, then the job becomes that much easier. That is exactly what we are trying to do at our organization, so for everything even remotely connected, we get the architecture reviewed so that the risks can be dealt with right then and there. And when you build a product, you do a cursory review and it can go into production. The flip side is that when you don’t consider security proactively, it can become a nightmare for any CISO.
Q. How important is maintaining basics for cyber security in a hyper-converged environment?
I have been fortunate to have been tutored by the best of the cyber security professionals. One key lesson that I practice every day and implement in every organization that I work with is to keep things simple and always try and do the basics well before doing the advanced. It is very easy, if you have deep pockets and an abundant budget, to spend millions of dollars on a shiny firewall or an integrated platform. You name it and you get it due to the kind of budget that you have.
All of these would not work if there is a dedicated, focused, and organized attack on your organization unless you do your basics right.
Q. What do you exactly mean by the basics? Please take our readers through the various steps that you imply.
When I talk about the basics, it would mean maintaining the fundamentals of information security in your software or hardware in time; re-commissioning your old hardware; ensuring all your PCs are accounted for; ensuring anti-virus definitions are pushed out on a regular basis and somebody is mapping those compliances; ensuring security patches which are critical and high for you are pushed into the systems no matter what; ensuring USB and website exceptions are controlled and not given at random. If we are able to do all of that tightly, and make it a habit and a regime, trust me, you would not need to invest millions of dollars in new solutions, because at the end of the day all of that is an external peripheral layer. One chink in the armor, and if your basics are not right, you will still get compromised.
Q. What new developments do you foresee in the space of cyber security in the future?
I see massive development in the next few years. Every organization, whether new or legacy, has undertaken the journey towards digital transformation. The senior leadership at the board too has noticed that digital is the way to go, and not because there is hype and somebody has to catch a train. But they also see that there is a lot of value attached to it. I see the proliferation of new niche technologies like robotic process automation (RPA), machine learning and artificial intelligence. These terms will certainly become cliché at some point in time.