
Strategies for Cybersecurity Risk Management - Leaders Speak

Strategies for Cybersecurity Risk Management - Leaders speak on cybersecurity risk management in enterprises, large and small

DQC Bureau

The COVID-19 pandemic and recession have further raised the bar for cybersecurity risk management and compliance teams by creating more responsibility while diminishing resources. It is critical to consider cybersecurity in terms of humans, devices and processes together; we can no longer separate them and treat each aspect on its own. The best way to think about this is to abstract away infrastructure and systems and elevate cybersecurity to focus on the data and on the users who work on that data. Security risk management is an ongoing process of identifying, analysing, evaluating and addressing your organisation’s threats. We have spoken to various leaders in the security segment to understand their point of view on cybersecurity risk management.


The Evolving Landscape of Cybersecurity Risk Management

Cybersecurity risk management isn’t simply the job of the IT security team; everyone in the organisation has a role to play. Employees and business-unit leaders, often working in silos, view risk management only through the lens of their own business function. Regrettably, they lack the holistic perspective necessary to address risk in a comprehensive and consistent manner.

Placing users and data at the centre of the strategy allows organisations to apply controls, supervision, protections and, importantly, responses in a more holistic manner, tied together with the concept of Zero Trust. Cybersecurity risk management strategy used to focus on securing the systems and networks within our control. With the rise of the cloud, remote working and rapid application development, we no longer control many of the systems, networks and even the devices that an organisation deploys.


In the present era there is no traditional network edge: networks can be local, in the cloud, or a hybrid combination, with resources anywhere and users or devices accessing those resources from anywhere.

“Zero Trust architecture requires organisations to continuously monitor and validate whether a user and their device have the right privileges and attributes. It also requires enforcement of policy that incorporates the risk of the user and device, along with compliance or other requirements to consider prior to permitting the transaction. One-time validation simply won’t suffice, because threats and user attributes are all subject to change.”

--Radhakrishnan Pillai, CIO, SRL Laboratories
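The quote above describes a policy decision that is re-evaluated for every transaction against the current user risk, device compliance and authentication freshness, rather than once at login. The following is an added illustration, not code from the article or from SRL Laboratories; the data model, the thresholds (a risk limit of 50 for high-sensitivity resources and 80 otherwise, a 60-minute MFA freshness window) and the idea that a risk engine supplies the user's score are all assumptions made for the example. The constructed timeline in `session_timeline` shows the same session being allowed at login and then denied twice later, once because the user's risk rose and once because the device drifted out of compliance, which is exactly the case a one-time check at login would miss.

```python
from dataclasses import dataclass, replace


@dataclass
class User:
    name: str
    roles: frozenset
    risk_score: int          # 0..100; assumed to be fed by a risk engine (constructed here)
    mfa_age_minutes: int     # minutes since the last successful MFA prompt


@dataclass
class Device:
    device_id: str
    managed: bool            # enrolled in device management
    os_patched: bool         # current on OS patches
    disk_encrypted: bool


@dataclass
class Transaction:
    resource: str
    required_role: str
    sensitivity: str         # "low" or "high"


def device_compliant(device: Device) -> bool:
    """Minimal compliance rule: managed, patched and encrypted (assumed policy)."""
    return device.managed and device.os_patched and device.disk_encrypted


def evaluate(user: User, device: Device, txn: Transaction, max_mfa_age: int = 60) -> tuple:
    """Policy decision point: called per transaction and never cached, so that a
    change in user risk or device state after login changes the answer."""
    reasons = []
    if txn.required_role not in user.roles:
        reasons.append("missing role %s" % txn.required_role)
    if not device_compliant(device):
        reasons.append("device %s non-compliant" % device.device_id)
    # Sensitive resources tolerate less user risk and require fresh MFA (assumed thresholds).
    risk_limit = 50 if txn.sensitivity == "high" else 80
    if user.risk_score >= risk_limit:
        reasons.append("user risk %d >= %d" % (user.risk_score, risk_limit))
    if txn.sensitivity == "high" and user.mfa_age_minutes > max_mfa_age:
        reasons.append("mfa older than %d minutes" % max_mfa_age)
    return ("allow" if not reasons else "deny", reasons)


def session_timeline() -> list:
    """Constructed timeline: one session, the same request, evaluated at three points in time."""
    user = User("alice", frozenset({"lab-results-reader"}), risk_score=10, mfa_age_minutes=1)
    device = Device("laptop-01", managed=True, os_patched=True, disk_encrypted=True)
    txn = Transaction("/reports/patient", "lab-results-reader", "high")
    decisions = []
    # t0: login has just completed and every attribute is green.
    decisions.append(("t0-login", evaluate(user, device, txn)[0]))
    # t1: thirty minutes later the risk engine has raised the score (e.g. an anomaly signal).
    user_t1 = replace(user, risk_score=65, mfa_age_minutes=30)
    decisions.append(("t1-risk-raised", evaluate(user_t1, device, txn)[0]))
    # t2: risk cleared after step-up MFA, but the device has fallen behind on patches.
    user_t2 = replace(user, risk_score=15, mfa_age_minutes=2)
    device_t2 = replace(device, os_patched=False)
    decisions.append(("t2-device-drift", evaluate(user_t2, device_t2, txn)[0]))
    return decisions


if __name__ == "__main__":
    for label, decision in session_timeline():
        print(label, decision)
```

The point of the structure is that `evaluate` takes the current state of user and device as inputs on every call; a real deployment would source those from an identity provider and a device-management agent rather than from the constructed values used here, and the denial reasons are what you would log for the monitoring side of the quote.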

“Most organisations would benefit from a zero-trust approach. It will take time, effort and money, but considering the risk associated with compromised security frameworks, it will undoubtedly be worthwhile. Implementing a zero-trust network can be a massive affair. Instead of looking at the pinnacle we need to reach and staying back, I will advise every CIO/CISO to focus on little, consistent efforts toward reaching "ZTN" one day.”

--Sugeesh Subrahmanian, Associate Director, Speridian Technologies


“Managing risk across the enterprise is harder than ever today. Modern security landscapes change frequently; the explosion of third-party vendors, evolving technologies and a continually expanding minefield of regulations challenge organisations.”

--Amit Shah, Owner, TAS Technologies

“The industry is growing, moving forward with more and more investment in technology. Earlier, chief information security officers had a tough time convincing the management to allocate a separate budget for data protection. However, the issue is not the same anymore. Business owners started understanding the need for security as they started understanding the correlation between security and revenue loss.”

--Ramesh C R, CEO, Safezone Secure Solutions

“E-Business in India is less to do with electronics & more to do with emotions. Enable a zero trust approach to modern secured living. The art of simplifying the risks involves using devices, network, data, applications and all user entities. Zero trust is not a form but a formless principle and practice.”

--Dr Suresh A Shan, a CIO in the Auto Finance Sector


This means we have to rethink our approach: if we place the users and the data at the centre of the strategy, we can abstract away some complexity and have security that follows the user and the data wherever they exist.

Sugeesh Subrahmanian, Associate Director, Speridian Technologies, says, “Although the term 'zero trust' may appear to be negative, in today's world, trusting any element of an IT landscape is not the right approach. A large cyber-attack can ruin a company's revenue and reputation; given the data protection regulations that are being introduced around the world, it can result in legal action from the state, possibly from numerous jurisdictions. As a result, cyber-attacks are no longer only about losing crucial data or experiencing protracted disruptions; they have taken on a new dimension in terms of impact, and every company should be thinking about how to improve its security on a regular basis. Internal threats are clearly the root cause of the majority of cyber-attacks in today's world. Internal threats can be targeted or intentional, or they can be due to negligence or a lack of awareness, but businesses cannot afford to take any of these chances.”

Amit Shah, of Mumbai-based TAS Technologies, calls for a new approach. According to him, in the modern landscape of security risk management, one uncomfortable truth is clear: managing cyber risk across the enterprise is harder than ever. Keeping architectures and systems secure and compliant can seem overwhelming even for today’s most skilled teams.


“With this backdrop, it has become critically important for organisations to employ a risk management process. Identify and assess to create your risk determination, then choose a mitigation strategy and continually monitor the internal controls to align with risk. Keep in mind that re-assessment, new testing and ongoing mitigation should always play a prominent role in any risk management initiative,” he adds.

Below are some key cybersecurity risk management action components all organisations must keep in mind:

  • Development of robust policies and tools to assess vendor risk
  • Identification of emergent risks, such as new regulations with business impact
  • Identification of internal weaknesses such as lack of two-factor authentication
  • Mitigation of IT risks, possibly through training programs or new policies and internal controls
  • Testing of the overall security posture
  • Documentation of vendor risk management and security for regulatory examinations or to appease prospective customers

However, with the help of analytics, collaboration/communication/issue management tools, and third-party risk management frameworks, smart and successful organisations will continue to hold their own in the battle to manage IT risk and maintain security across the enterprise.

Moving forward

The industry is growing, moving forward with more and more investment in technology. Earlier, chief information security officers had a tough time convincing the management to allocate a separate budget for data protection. However, the issue is not the same anymore. Business owners started understanding the need for cyber security as they started understanding the correlation between security and revenue loss.


According to Ramesh C R, CEO, Safezone Secure Solutions, “The myth that security is meant only for large organisations has gone. Today even a small restaurant chain taking up orders to honour tablet phones has great potential for security threats similar to those in large organisations. Thus, I feel that security, or zero trust for that matter, is not an individual responsibility. It has to be part and parcel of any organisation.”

“In my opinion, serving clients across various sectors, I feel we are in a phase of customisation. Every single sector discusses different security threats. So the Indian channel community should be smart enough to provide tailored solutions for every single account,” he concluded.

--By Swaminathan B
