/dqc/media/agency_attachments/3bO5lX4bneNNijz3HbB7.jpg)
Follow Us/dqc/media/post_banners/wp-content/uploads/2022/01/Deepa-Zoho.jpg)
Deepa Kuppuswamy has over 20 years of experience in the software industry and currently spearheads the security team at Zoho Corporation. Her team designs and manages technical security and privacy measures within the organisation. Here Deepa Kuppuswamy talks about various dimensions of security.
What are the challenges of 2022 and what are the new opportunities with security professionals while meeting these challenges?
Deepa Kuppuswamy - 2021 was the year businesses continued to adapt to new working patterns, invested heavily in cloud-based digital transformation strategies and battled the increasing cyber threats (that were fuelled by the ever-expanding attack surface). In 2022, organisations need to plan their long-term security strategy to support the new 'work-from-anywhere' environment. This will be the year of focusing on cyber resiliency, restructuring the security program to adapt to the evolving business needs and identifying opportunities for improvement. Ultimately, the aim should be to balance the need for security, visibility, and control, along with providing a positive end-user experience.
Privacy by design and data protection will remain key focal points. Rapid digitisation has led to an increased regulatory attention from a data and privacy perspective. Global enterprises need to comply with various privacy regulations like GDPR, CCPA, Brazil's LGPD, South Africa's POPIA and upcoming privacy bills like PDP in India. The importance of DevSecOps - the practice of embedding security and privacy controls in the development pipeline, will also increase across security programs.
On the security operations front, the sheer volume of attempted attacks is increasing to such a point that it is impossible for human analysts to examine them all to identify real and serious threats. So, there should be focus on process automation to free up some of the security team’s time to concentrate on higher level analysis. Security professionals should look at AI/ML based technologies to play an essential role in powering this automation. AI/ML and humans bring different types of intelligence to the table - ML is very good in solving repetitive processes at scale, they don't get burned down like humans do while on the other hand, SOC analysts have to analyse thousands of events. Humans bring a different trend to the table; they are imaginative, understand the contextual awareness and good in judgement. So we need to link both to work together to achieve speed and accuracy.
With the hybrid work becoming popular, what are the new concerns regarding security specifically for the hybrid work system?
Deepa Kuppuswamy - Even as employees return to the office, we expect a future where many organizations will move to a hybrid work model. This hybrid world will be largely perimeter-less. For instance, an employee may log in from multiple locations during a given week, while working other days from inside the office. And in a home environment, work and personal tasks are co-mingled in one machine; corporate devices are used for personal projects, and work is done over home internet service providers. This might lead to cases like unapproved software installations, installations of vulnerable browser extensions, and browsing malicious sites in corporate devices. Moreover, employees may miss to consider company security policies and might have inadvertently disabled security controls, exposing their device to vulnerabilities and threats. A company’s entire network is at the risk of compromise if such a device connects to the corporate network.
Traditional tools like VPN are not designed to support remote access of this scale and do not offer flexible options for adaptive access control. They also introduce friction to the user experience. When employees can work both from home and the office, they expect a seamless transition and experience.
Zero trust architecture is well-suited for a hybrid work environment as it delivers solid security controls and a seamless experience for employees, through multi-factor authentication, and continuous authentication of the users and devices on a network, regardless of where they are located. Adopting a Zero Trust strategy is no longer an option, it’s a business imperative to remain secure in a hybrid future.
How can the MSMEs avail of security solutions with their limited resources?
Deepa Kuppuswamy - In today’s digitised world, cyber-security is a necessity for all large, medium and small enterprises. The MSMEs often lack the necessary resources and security policies to defend against cyber attacks, thus making them easy targets for hackers. We have also seen cyber criminals using MSMEs as the weakest link to exploit their connections to target enterprises in the supply chain.
The initial step for MSMEs is to look at covering the basics -
-
Asset management - You can't protect what you don't know, so it's critical to maintain a self-updating list of deployed assets in your organisation's network.
-
Strengthen remote access management
-
Deploy endpoint security
-
Adopt multi-factor authentication
-
Raise employee awareness within the organisation
When evaluating security solutions, MSMEs should look for enterprise grade effectiveness, and also additional factors like easy adoption, accuracy and lesser false positives, automated response provisions, limited administration, and intuitive features which are also simple to manage. This becomes absolutely critical as most MSMEs battle with lack of time and skilled workforce. MSMEs can also look at outsourcing their security needs to a specialized MSSP (managed security service provider) to rapidly supplement the organization’s capabilities in terms of cybersecurity.
Where does India stand vis a vis other countries in terms of providing security solutions?
Deepa Kuppuswamy - The Indian cybersecurity industry has witnessed significant growth in the past couple of years. According to a recent report published by Data Security Council of India, the cybersecurity services industry has grown from USD ~4.3 bn in 2019 to USD ~8.5 bn in 2021. The cybersecurity start-up and product industry also exhibited robust growth, attaining an revenue of USD 1.37 bn in 2021. The domestic market is also witnessing growth in demand due to widespread digitisation and there has been an increase in cybersecurity spending. Amidst this demand, Indian services companies are leveraging their global expertise and experience in offering end-to-end platform-based managed security services.
However, there is significant room for growth and improvement. We still need to invest in deep cybersecurity R&D and focus heavily on building niche product-based solutions. Unified endpoint security, SASE and Zero trust solutions, Cloud security, etc., are areas that have immense market potential and the industry needs to build the technical know-how locally.
The availability of skilled cybersecurity talent is another challenge the industry faces. Cybersecurity is an area that requires a multi-disciplinary approach to solving problems—security engineers, threat analysts, incident responders, digital forensic experts, ethical hackers, and risk and compliance analysts are some of the various specialised roles in a modern cyber security team. Upskilling the existing talent in these disciplines and training freshers in cybersecurity domain is essential to boost the ecosystem.