The BPO industry is one of the fastest-growing segments of the ITES industry and has grown in both volume and size over the last two decades. Like any other industry, the BPO industry is vulnerable to cyber-attacks, as criminals adopt sophisticated practices to target and siphon off millions from government, business and consumers. The challenges are far greater in terms of handling huge volumes of data and implementing privacy laws, particularly in a BPO. The Chief Information Security Officer (CISO) has the power to drive cybersecurity strategies that protect consumer data and ensure compliance at all levels.
DynamicCISO spoke to Satya Machiraju, CISO, Qualfon Technologies, Bangalore, where he vividly explains his views on the various cybersecurity postures and practices adopted in a BPO set-up.
He elaborates on how a CISO works with business, IT and other teams to ensure that the right controls are built by planning ahead, procuring new solutions and implementing new processes to secure the environment in the right manner. The security posture adopted is mostly determined by the kind of data the customer or client wants to safeguard. This includes the controls that will be kept in place for different kinds of data, e.g. regulatory data or HIPAA data. Implementing the necessary controls should meet requirements from a compliance perspective, from the business's contractual-obligation perspective, and from the perspective of the company's cybersecurity posture.
As a CISO, how challenging is it to ensure data privacy?
Data privacy is very critical to any business operation, from both the company's and the clients' perspective. This is done by ensuring that the right controls and role-based access are put in place, limiting access to private data. We also increase monitoring of any system that processes or stores sensitive data by implementing multi-factor authentication and log monitoring for the same.
The security gap assessment is a key component, as is bringing the business to understand what data needs to be secured, so as to understand the additional costs associated, along with the regulatory requirements to protect that data. We also make sure that no data is stored or accessed beyond what is required, as it could bring additional costs to protect such data in our systems.
What steps are you taking as a CISO towards GDPR compliance in your organization?
If you view the process from a security standpoint there are various phases to it, and before a client or the company gets impacted by a certain regulation, we as a team have to spearhead the entire practice by ensuring the right assessment of the needs of the new regulation and privacy laws in relation to client or business needs.
We continuously work to improve incident response, threat detection and the overall cybersecurity posture. This includes the notification process, where end users or end customers have to be notified if there is a hack. We have worked on high-level pointers, including any new regulation or legal requirements that came into practice. Currently we are expecting to comply more with GDPR, PCI, HIPAA data and other privacy laws where we can move ahead.
What are your takeaways as a CISO on cloud security, and what steps have you taken to ensure the security of sensitive data in the cloud?
Moving to the cloud is a business call, and a CISO needs to ensure that the business gets protected whichever solution they adopt and adapt. It is important to identify the right cloud provider who also meets our internal business and internal security requirements.
By adopting the right cloud solution we can host any of our core applications, either ours or our customers' or clients', and ensure that due diligence is carried out to identify the right environment to protect our data. By wisely choosing our cloud provider, building the right controls and adopting the right processes, we can see the kind of data residing in the cloud and whether anybody is trying to exfiltrate that data from the cloud. Wherever possible, access to the private/public cloud should be routed through the company network, giving greater visibility without compromising on the security aspect.
What security measures have you adopted to secure data that is in migration from one cloud environment to another?
From a security perspective, the right encryption has to be done while the data is in transition from one cloud environment to another. Assuming the data is critical, the keys are kept separate and proper controls are placed. We also make sure no trace of data is left behind for someone else to take over; wiping out all data is important. This is accompanied by a certificate of either destruction or deletion from the cloud providers to ensure no data remains with them, even five to six years after being moved out. Otherwise we can be in the limelight for all the wrong reasons even after ensuring that we did everything right in ensuring data security. Alternatively, implement multi-factor authentication for accessing the cloud environment and improve the monitoring in the environment.
What steps have you taken as a CISO to strengthen your defence against insider threats like past employees, hackers, agents or third parties?
We have adopted the NIST Cybersecurity Framework, identified our crown jewels and prioritized what matters most from a business perspective to secure the most critical databases. Implementing the controls from a risk point of view enables us to block threats at the right time and ensure the data is protected. Monitoring and securing business functions and other infrastructure are equally important, specifically the crown jewels where our intellectual property, customer data or any other important information could be residing, by enforcing two-factor authentication and heightening monitoring. We also implement controls to prevent employees who handle sensitive data from exfiltrating data, by limiting access to paper, USBs, mobile phones or any other recordable devices and adopting stringent policies.
How important are skilling and security-related training in your organization from a cybersecurity perspective in the present scenario?
We take great pride in our internal elements, and we realized that awareness training or information-related training is not only important from our compliance perspective but also to strengthen our weakest link, which is people, at any point of time. Unless we address our weakest link, whatever we build, either from a technology point of view or a cybersecurity point of view, will be immaterial.
We have introduced a robust learning management system in which we cover various micro-modules at all levels, targeting specific areas in imparting knowledge and training. For example, we have agents who support the healthcare industry, and their training module includes imparting knowledge regarding healthcare regulation practices from a security perspective and the right controls they need to adopt, including responsibility towards protection of data. We have a process to rate the size of programs based on a predefined security method and reward the program head, as it keeps them motivated, forming a culture of cyber hygiene in the organization.
Could you elaborate on how the usage of AI and ML has benefitted the mitigation of cyber threats in your organization?
Introducing a component of AI and ML, especially in our environment, has resulted in faster detection of threats or anomalies which for a human eye would normally be a time-consuming matter. This includes weeding out clutter and focusing on what is more relevant.
Identifying anomalies well ahead and weeding them out before they entangle and manifest into a breach, from a cybersecurity standpoint, was one of the benefits we have received. The second is enabling our baselining, making our ML more interactive, and reducing the requirement for human resources to monitor events only to the extent that matters most.
As a CISO, how do you see the new-age evolving threats hitting the BPO industry?
Present-day BPO threats are unique, originating from the data provided by the client and brought into our systems or environments. Another area of concern is sponsored hacktivism, as present-day BPOs have access to a lot more information, creating a likelihood of major security breaches. Clients adopting newer technology to capture more data through CRMs are being accompanied by newer and evolving threats.
CISOs need to see that cybersecurity is business-centric in terms of finance and management. Cybersecurity is seen as a business enabler aligned to the business in the present day, says Machiraju.