“A highly secure digital enterprise instills confidence and trust in customers, which in turn drives business and hence revenues,” Aiyappan Pillai, IEEE Senior Member & Founder, Congruent Services in an exclusive interview with ITSecurityWire.
ITSW Bureau: As pandemic effects seem to be slowly receding, what steps enterprises can take to secure their IT infrastructure for the new normal?
Aiyappan Pillai: Digital transformation essentially creates a virtual platform for any business process, which automates transactions and becomes the repository of data, both confidential and non-confidential. As the attack surface has increased significantly, cybersecurity concerns have also grown. There are more points of vulnerability in the digital ecosystem and the sheer volumes pose an additional challenge.
Organizations have moved physical assets into on-premises computer storage or into a private cloud or maintain hybrid models. While internet access adds a point of vulnerability, even private networks leased from service providers are vulnerable, though to a far lesser extent.
Data breaches can be prevented by ensuring rigorous enforcement of the security policy in an organization and its partners by ensuring adequate training and awareness on data protection, implementation of appropriate security software and keeping them updated, data encryption, and backing up data regularly. Continuous risk assessment, audits, and data security testing is a parallel activity that will help organizations proactively identify and plug gaps, thus securing data.
Read More: Maintaining Customers’ Trust over IP
If a data breach occurs, mitigation actions begin with containing further breach by taking systems off-line and limiting further access, fixing the vulnerability, analyzing the damage for initiating reparative actions, reaching out to the affected parties with clear messages, contacting online sites to scrub off leaked data, initiating an audit and conducting data security tests.
ITSW Bureau: How can enterprises effectively secure their hybrid workforce from the emerging and evolving cyber-attacks?
Aiyappan Pillai: A zero-trust approach is recommended to implement cybersecurity solutions for a combination of enterprise systems and end-users while being agnostic to the actual location of stakeholders. A combination of policies, processes, and cybersecurity tools is required to operationalize this approach. Essentially, access needs to be authenticated at every stage, even if it is through a VPN. Multi-factor Authentication processes are a must. Policies must ensure that minimal access rights are provided by default unless approved otherwise.
Enterprises need to re-think the digital perimeter of their organization. In the pre-pandemic times, the majority of employees operated from fixed locations managed by the enterprise. Digital assets and access tools were largely co-terminus with the physical location of the enterprise. Hence, the focus was on securing digital assets and access within this set up with facilities for secure remote access for mobile employees.
With the ratio reversing in favor of mobile employees or those operating outside the enterprise premises, there is a need to extend security protocols to cover each employee that access tools – irrespective of their location. Enterprises are adopting public, private, and hybrid cloud services in larger numbers.
The new paradigm of work dictates robust end-point security measures for all devices and tools that are used to access the digital enterprise, irrespective of whether they are personal or enterprise-owned devices. To be effective, complementary action is required on the policy front, employee and partner training, cybersecurity technology implementation, and security enforcement. The security policy must be updated to cover a continuously changing perimeter. Furthermore, it must also include employee agreement permissions to manage/ monitor office partitions/apps on personal devices. MDM and MAM solutions are available for the same. Each organization must choose security systems that are appropriate to its business.
ITSW Bureau: What steps can CISOs take to make a strong case for cybersecurity to their counterparts that will not only help to drive the revenue but will also help the enterprises achieve their long-term goals?
Aiyappan Pillai: While the case for cybersecurity seems implicit, RoI needs to be demonstrated just as with any other office tool. The fundamental question is whether the enterprise can survive a cyber-attack that may result in loss of customer trust, service disruptions or denials, major financial setbacks, or lawsuits. It boils down to the impact on the financial stability of the enterprise and its continued viability. The risk arises from insiders as well as from outsiders.
A highly secure digital enterprise instills confidence and trust in customers, which in turn drives business and hence revenues. Quantifying the potential loss of business due to diminished customer trust, financial fraud, service breakdowns, and attendant lawsuits would help to justify the expense of implementing cybersecurity measures.
The risk of attack for a particular industry will determine the cybersecurity implementation requirements. The domain of business would dictate the level of stringency of security measures. Cybersecurity must be implemented in a calibrated way. While a basic level of security is common across industries, each domain brings with it specific requirements. Only a stable and digitally secure enterprise can aspire to continue and thrive in business in the long term.
ITSW Bureau: What does the upcoming year look like for strengthening the cybersecurity infrastructure of an enterprise?
Aiyappan Pillai: Given the spread of digitalization and dependence on the internet, cybersecurity needs prime focus in every industry. It is not just the CISO team that manages cybersecurity, but it is the responsibility of every employee and partner.
The mix of resources possessing combination skills and specialist skills would depend on the size and scale of digital operations. A key requirement is for resources that can appropriately adapt generic cybersecurity skills to a specific industry domain. The rigor and focus depend on regulations and compliances required for each industry domain. The challenge is to identify professionals that have a clear end-to-end understanding of cybersecurity threats across systems. A combination of cybersecurity and computer forensics skills is an asset. A combination of security skills in the IoT and Cloud domains is also desirable.
With our digital lives taking center stage, professionals need to have an in-depth understanding of the current and common web vulnerabilities. They also require strong analytical and diagnostic skills. Hence, the relevant cybersecurity certifications are a plus. There is a greater need for cybersecurity roles ranging from Penetration testers, IT Analysts for Application Security, Network Security, Infrastructure security, EPS, IAM, SOC to Compliance, Audits, and Risk Management. Enterprises would prefer to hire professionals who can combine many of the above-mentioned skills and abilities in their roles and apply them to solve technical issues with a holistic understanding.
Cybersecurity is a hygiene factor in the digital world. While one tends to think of technology trends, the fact remains that cybersecurity is only as good as the weakest link in the chain, which is the human actor. This actor is responsible for the right practices both as a user as well as for ensuring that systems are cyber-secure.
IEEE Senior Member and Founder, Congruent Services, Aiyappan Pillai is an Information & Communications Technologies (ICT) professional with IT and Telecom life-cycle experience in strategy, planning, execution and operations as well as a career spanning over 25 years. He has helped in executing transformation programs centered around digital enablement and ranged from Outsourcing & Offshoring programs, introduction of Service Provider & Enterprise IT Systems, Network Operation Centers and deployment of mega Telecom Networks and Services using various technologies.