Chief Information Security Officers (CISOs) always have had a tough job in any organization. They have to develop the strategy and defend the enterprise against an ever evolving threat landscape as well as a variety of other things. As a defender, a CISO has to defend plethora of operating systems, data bases, application, servers, network devices and so on. Moreover, attackers are getting increasingly sophisticated. This is not all, with the advent of new technology and platforms such as the Internet of Things (IoT) and Cloud environments, security risks are increasing mani-fold and becoming more complex and therefore harder to defend. Information security, which was more from a perspective of network security earlier, has now matured to application security and crisscrossed the OSI layer. In this fast changing environment, what strategy should a CISO adopt to keep his job running efficiently?
According to Vijay Radharishnan, CISO, Mahindra Financial Services, security practices need to be more focused towards the customers and organizations must follow ethical mechanisms in order to keep the various security risks at bay. He thinks the basic architecture of the IT infrastructure has to be robust in order to thwart attacks and hacks.
“As far as the IT infra architecture is concerned, you have vulnerabilities as far as the memory page architecture is concerned. If somebody goes and hits that, anybody can fish out that data just by visiting the memory page without anyone hacking the storage or network,” reminds the CISO.
Particularly, with the focus shifting towards data security in a big way these days, data has to be secured as an entity. It inevitably becomes vulnerable if it resides on a flawed component. In fact, hackers have been able to exploit vulnerability in the compute component. He says that the fundamental architecture for any device is now flawed, whether it is cloud, on-prem, or application.
“These days the entire architecture is under question and is flawed due to issues like meltdown and spectra in the compute architecture. As far as the cloud architecture is concerned, the memory page is crucial. You are sharing the same compute memory pages with several other people. There is no Chinese wall between shared services. Once you come to the compute, any entity which is using that cloud model will be using the same compute,” adds Radhakrishnan. The CISO further adds that unless the underlying architecture is robust, no one can claim to securitize the data.
However, even after doing all this, there is a basic question: Can a CISO ensure a foolproof system? Vijay Radharishnan, CISO, Mahindra Financial Services, says that this is an impossible task as the technology is evolving fast. Therefore, the CISOs need to have the right processes for access management, log management, among other things. They need to always have a strategy ‘before’, ‘during’, and ‘after’ an incident. These basic steps should keep them in good stead.