A CISO’s Guide: Best Ways to Navigate the Complex Security Landscape

Today, Chief Information Security Officers (CISOs) are expected to manage the risks that pose the biggest threat to an organization's security environment. While building a SOC (Security Operations Center) is the need of the hour, it is important for CISOs to stay focused on the big picture, and to do so they must find ways to tackle the challenges posed by a complex security landscape. It's a tall order, but with the right approach, CISOs can transform the way organizations look at security.

In an exclusive conversation with Ayush Gupta, CISO, ShareChat, we discussed the challenges a CISO faces while navigating the complex security landscape, and the strategies an organization should implement to reduce cybersecurity risk.

Q1. As cyber-attacks grow in sophistication and scale, the business impact from a security incident is increasingly wide-reaching. In today's environment, a security threat is a business threat. So, while the business moves forward in the next direction, what steps do you take to realign the security strategy to suit the next phase?

Since cyberattacks can come from anywhere, it is important for the CISO to cover all the points and develop a protection plan. CISOs must keep an eye on each aspect: people, processes, and technologies. Let me explain in a simple way. Consider a scenario where you have heavily guarded the organization from the people's aspect, like a 'social engineering attack', but then you realize that the attack has materialized due to a server misconfiguration.

So, while the business may move horizontally, CISOs must look at the security impact it would bring (horizontally and vertically), and that's why there are various angles which you have to look for and then secure. However, I believe stepping in early and proactively on any new product feature, project, or vendor is the strategic and winning key to solving such issues and keeping pace with an organization's or product's growth.

Q2. As a Head of Information Security, you play a crucial role in securing cyberspace and critical infrastructure for your company. Name three technologies that would change the security game, making it easier for a CISO to navigate the complex security landscape.

I believe that currently AI/ML is the frontrunner and has already started showing signs of potential growth if used appropriately and ethically. Predictive analysis can help mitigate attacks faster, and that's the reason all the security product companies have ramped up their efforts in this direction.

Blockchain comes next, and I see more techniques or frameworks, for example the zero-trust model, which can make managing security affairs easy.

Q3. To ensure security efforts have a positive business impact, it is important that CISOs understand each C-level leader's top business and security concerns. What is your view on this? How do you plan to take into consideration the different standpoints of the peer-level decision-makers?

That's a tricky one, and I believe it has to be done in a certain way. So, being a CISO, you need to have a strong understanding of the business or product context, as in why certain actions by someone lead to a certain impact. Once you have that understanding, it becomes easy for you to review and weigh all the security aspects of it, which basically gives you the lever to steer or influence security among C-level executives: that if it is not mitigated now, it can really hurt the organization from the compliance/regulation point of view.

However, there could be some cases where a short-term fix is needed and you think that something can be provided as a compensatory control that the organization can live with in the meantime, until they implement a foolproof solution. Now, doing that, if the organization can generate some revenue or users, that is the trade-off. CISOs should be ready to help on a case-to-case basis. This way, not only are you saving the organization from a security compromise, but you are also instilling the confidence executives have in you as a business enabler rather than a show stopper. And lastly, frequent sync-ups with the leaders on cyber risks eventually create a trust and security culture from the top down, between the leaders and the CISO.

Q4. Cybersecurity preparedness is considered an essential component of any organization's cybersecurity strategy. It can help to reduce the risk of cyberattacks by automating tasks such as vulnerability scanning, threat detection, and incident response. How do you plan to instil a sense of vigilance within the internal fabric of the company, and what technologies do you leverage to detect such incidents?

We are using various security tools and technologies to detect threats at different layers. At the API level, we have a Web Application Firewall, DDoS, and bot protection enabled; in the cloud, we have a Cloud Security Posture Management tool and Command Center protection enabled; at the code level, we have SAST, IaC scanners, and so on and so forth. Security rules are set to alert us if any of them is breached, and upon investigation and interrogation with the stakeholders, if it is found not justifiable, we promptly eliminate such violations before the situation takes any form of attack.

This way, not only does it instil vigilance, but it also keeps them apprised for the next time so as not to repeat the same mistake. Some of the other ways we are looking at ourselves from a cybersecurity preparedness perspective are running a war room (a place, either in-person or virtual, where responders and stakeholders can gather to work through a major incident) or tabletop exercises, within the organization or with the help of third parties, to assess from a ransomware or business continuity perspective.

Q5. Additional comments and conclusive guidelines from a CISO's perspective.

Move towards proactive, preventive, automated approaches to arrest security flaws/risks at the initial stage and close the incident as soon as possible. Most importantly, keep on refining your cybersecurity strategy with time.