Tell us in brief about your career as a CISO/Security professional. How have you seen your role evolving with time and pressure?
Well, I started my career in 1995 as a system administrator and over the years advanced into customer support and into networking before moving into the information security domain. At some point in my career, I have worked as part of a vendor team, as part of a business organization and also with a regulator, and that gives me a good understanding of the challenges from all sides of the table.
Over a period, I have seen myself in roles related to operational security, security management as well as cybersecurity regulations. In my experience, the role of information security has evolved over time from being a support function to being a business enabler, which in a way brings a huge sense of responsibility and commitment to the role.
As a CISO, what kind of gap do you see in the enterprise security space today?
From a technology perspective, we have long passed the time when passwords and packet firewalls were considered good enough security!
However, at the same time the threat landscape has changed completely, and companies have been found to be lagging vis-à-vis the capabilities of the threat actors. This has necessitated a change in the cyber defense strategy adopted by enterprises. Organizations are now moving from a Prevention and Protection strategy to a Detect, Respond and Recover strategy.
Easier said than done: the new strategy requires new capabilities and skills to be developed within an enterprise. This includes skills such as log monitoring and analysis, incident handling, digital forensics, resilience, etc.
What would be your expectation from a security solutions/services provider?
Well, some of the things that I expect from a security solutions/service provider are:
- Strong and long-term commitment and security focus on the product / service delivered.
- Focus on research and development, building innovative solutions.
- SLA-driven service.
- Transparency in terms of providing supply-chain assurance for the product and ethical breach/vulnerability disclosure and closure.
- Local or locally based solutions/service providers. There is a lot of focus these days on cloud-based services, and data sovereignty is a thorny issue, so service providers that handle data locally could be preferred over others.
When it comes to security, we would all agree that there is no such thing as 100% secure. But, as a CISO, how do you gear up to best protect your organization from outsider as well as insider threats?
I believe the trick, or rather the essence, is maintaining a fair balance. There is no silver bullet solution; CISOs have the delicate job of managing security across the organization. To begin with, the most important thing is to create the right governance and management framework. The CISO should be able to translate security into business lingo and establish communication vertically (CXO) and horizontally across the organization. Creating awareness and sensitivity about InfoSec amongst the management as well as the users is the key.
Currently there is a strong focus locally, regionally and globally on regulations. The CISO needs to ensure that the organization is in compliance with applicable regulations (local, regional and global). This may entail working with the legal department.
Building a strong team with defined roles and responsibilities is another factor. I personally put a strong focus on people and processes. Technology is the easiest thing to do. Having said that, the technology chosen should be balanced and aligned to your security strategy. The technology should incorporate controls that help the organization prevent, protect, detect, respond and recover from potential attacks.
Digital forensics (DF), as a concept and in demand, has been evolving quite rapidly over the last few years. How effective a tool can this be to nab cyber intruders?
DF is part of the "Detect and Respond" strategy. I believe that should an organization decide to go after the intruders or pursue a legal case (this may be mandatory for certain critical sector organizations by law), then DF skills and capabilities come in handy and become essential. Further, these skills can allow an organization to do a deep analysis of the threat actor and identify their Tactics, Techniques and Procedures (TTPs), which may help in mitigating future attacks from the same threat actor.
Currently, the skills and expertise are very niche and are usually sourced through a vendor; only the larger organizations try to build these capabilities in-house.
Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of the organization where the author works.