The list of challenges that keep risk managers on their toes continues to grow with each passing day. Among many others, information and business risks are perhaps two of the greatest risks facing businesses and risk professionals in today’s volatile and unpredictable socio-economic landscape. The linkages between political, economic, social and cyber risks have become obvious. CISOs have to be more cautious than ever to comprehend the evolving risk landscape, and have to shun the conventional approach in order to protect their businesses from fatalities and losses.
As we move into the future, the sophistication of risks will pose an even greater challenge, and failure to tackle them well will lead to irreversible damage across various departments. The stakes are very high. Most security threats and risks that we witness today are unprecedented and unconventional. They influence the overall security and risk posture of an organisation very profoundly. There is a compelling need to prepare by improving resilience in order to safeguard businesses. The global cost of cybercrime has also breached many thresholds. According to credible reports, last year as much as US$600 billion — about 0.8 percent of global GDP — was lost to cybercrime. If we scrutinise the numbers for a moment, that figure has more than doubled in the last four years.
That makes cybersecurity a highly dynamic and critical domain which needs to evolve with today’s changing threat landscape. Both the number and the variety of cyberattacks, which are also growing exponentially, will keep risk professionals worried and occupied. Moreover, in the past few years the industry has witnessed a tremendous infusion of new technologies in the name of agility, speed, a direct-to-customer approach and the digital transformation of businesses. That is one of the reasons why the traditional perimeter, which had a defined boundary and was safeguarded well with appropriate technology tools, has almost vanished.
Bharat Panchal, Senior Vice President, Head – Risk Management, National Payments Corporation of India (NPCI), talks about the challenges facing CISOs and the latest trends in cyber security in the book titled “Accelerating Enterprise Innovations”. The following is an excerpt from the same book, in which he comments on a few radical changes he has witnessed:
Boards Understand Criticality of Cybersecurity: There has been a strategic shift in terms of thinking about and implementing cybersecurity. With the globally alarming data breaches in recent times and their impact – reputational and financial – the corporate leadership is compelled to give cybersecurity its due importance in the boardroom. They are more aligned now and have accepted that cybersecurity is one of the biggest business priorities, not to be taken lightly. Once the board-level committees assign this kind of priority to cybersecurity, other things start falling into place, such as preparedness, budget and skilled manpower. The industry has begun witnessing this radical shift recently, and this will only gain momentum as the risk surface gets wider and more attacks surface.
Amalgamation of People, Process and Technologies: Due to the dynamic nature of cybersecurity and the need for creating greater resilience, we have started witnessing an amalgamation of, and better coordination between, people, process and technologies, which earlier worked in silos. In earlier times, there was either no adequate budget for cybersecurity and risk mitigation, or it was just a tiny percentage of the overall IT budget. Security was an afterthought and worked in a reactive mode. However, things are changing now. Most progressive organisations take a business-driven security approach now. This has helped change security from being reactive to proactive. More preventive controls are now in place to detect threats and respond to them either before the breach or in less time after the breach. That is how concepts like the Red Team, Orange Team and Continuous Monitoring Team have emerged in the past couple of years.
Growing Awareness: Though not seen as a significant priority, building organisation-wide awareness of cybersecurity and data privacy has started getting attention. With GDPR in place and many local data privacy/protection measures coming into effect, there is heightened attention paid towards creating awareness that is driven very systematically, especially in organisations which are heavily regulated. While technologies do a lot of preventive work, cybersecurity is still primarily about people and their basic hygiene. If people share usernames and passwords, or organisations don’t apply the patches and updates issued by software companies and application vendors, no technology can rescue them. It also depends on how we educate our customers and partners, which today form part of an extended enterprise. Though very little has been accomplished in this direction, I foresee it becoming big in future.
This shift, described in the above three points, indicates a change in our approach. We are moving from mere threat prevention to threat detection and proactive response. This may require a commensurate change in technology deployment too. Without the technology deployment, it will not take off. It requires investment in futuristic, highly automated security operations centres (SOCs), as the risk and security teams are swamped with millions of security alerts every day. Even Gartner says that by 2022, half of the current SOCs will transform into modern SOCs with integrated incident response, threat intelligence and threat-hunting capabilities. That’s very critical to keep the bad actors at bay and prevent colossal damage. It may be too early for many organisations, but data security and governance frameworks also need to kick in at this stage.
Excerpted from the book titled “Accelerating Enterprise Innovations”