While speaking with CISOs and security experts globally and in India, one question that came up repeatedly was, “Where should CISOs focus their time in 2021?”
Hence from CISO Platform in association with TIE and CIIE.co, we are doing a series of panel discussions with CISOs and Security Experts to learn about the key security trends.
Our first session in this series was with the experts of the BFSI sector. The panel was hosted by Sanjay Jain, CIO at CIIE and Partner at Bharat Fund. He was previously the Chief Product Officer of the Aadhaar/UID program and has been among the key people who helped develop India Stack. The panel speakers were – Babitha B, CISO, CSB Bank, Biju K, CISO, Federal Bank, Anuj Bhansali, Head Trust and Safety at Phone Pe, Balram Chaudhary, Head IT, BOB Financials, and Bikash Barai, Co-Founder at FireCompass.
The discussion focused upon finding the key reasons for breaches in 2021 to what regulation from RBI as an authority is changing the security posture of the banks. Below is the summary of the discussion for your reference.
One needs to consistently test one’s assets and enable the right security infrastructure. It’s tough because security needs to be continuous, it’s like going to the gym, one needs to work every day to stay healthy. While for the bigger attacks one can’t prevent it, the strategy here needs to be detect, respond and recover
Change In The Threat Landscape Over Last Few Years
There have been numerous breaches that the industry has seen in the last few years and this was one of the first points that Sanjay brought out to the panel. There has been a lot of change in the last year considering work went remote, people had to deal with open ports and shadow IT. Each sector had to go through its own challenges.
Anuj mentions that currently, the rules of security are merging. Earlier the CISO and the IT were separate organizations, today there are three parts, cyber risk, data risk, and product risk. End of the day there would either be a brand reputation loss or a data loss. Consumers are concerned here because they want to be confident that their money is safe. He mentioned that he sees the whole process of cybersecurity to be merging into a single risk factor and that is an individual risk or company risk.
In the last year, the industry has seen unprecedented change, there was a large-scale deployment of work from home and the perimeter of security literally vanished. Biju talks about the pre covid era where the patching tools were considered a luxury but today it is suddenly a necessity. As a CISO the focus was to provide a safe work from home environment so that confidentiality and integrity were maintained.
While the cyber-attacks are not new but the frequency of the attacks has increased with attackers using sophisticated methods. Babitha says “one reason could be the fact that the world has moved towards digitization, the other is the attackers have been using innovative ways to exploit the vulnerabilities and misconfigurations in the system. Currently, with work from home being the new normal, the organizations are losing the visibility and the controls of the assets. Most organizations have taken the necessary steps such as personal VPNs, two-factor authentications, and geo-locations. Organizations need to change their security architecture based on the business environment to cope up with the current times”.
Balram Chaudhary, Head IT, BOB Financials thinks the technology and the threat landscape are changing side by side. One needs a couple of applications to consume the multi-cloud environment. At the same time, there are some legacy applications that will continue to function. With work from home being the new norm, it becomes integral to manage the multi-cloud environment. Organizations need to create zero-trust network architectures, that will enable employees or users to work from anywhere.
Bikash Barai, Co-Founder, FireCompass throwing some light on the subject mentions that cybersecurity is a war zone and battles here are lost because of two things, one reason is small but very tough to handle and the other is big and there is nothing one can do about it. The smaller reasons are the ones that cause most breaches, like misconfigured assets, open databases, open ports, and shadow IT. We have seen at least half a million open databases. These databases can be easily configured and made available on the dark web. The second kind of attack is like zero-day attacks, for example, Solarwinds/FireEye breach, where the attackers did ample research to breach the system. And most certainly these are the kind of attacks that one can’t prevent.
However, having said that preventing smaller attacks is possible but hard. Bikash says “One needs to consistently test one’s assets and enable the right security infrastructure. It’s tough because security needs to be continuous, it’s like going to the gym, one needs to work every day to stay healthy. While for the bigger attacks one can’t prevent it, the strategy here needs to be detect, respond and recover”.
Sanjay mentions that discipline and hygiene are two main elements to combat security failures.
Currently, with work from home being the new normal, the organizations are losing the visibility and the controls of the assets. Most organizations have taken the necessary steps such as personal VPNs, two-factor authentications, and geo-locations.
RBI Guidelines For The BFSI Sector
RBI has always been the authority that has taken regulations for cybersecurity very seriously for the BFSI sector. Sanjay directed a question to understand if the regulations that are given currently are enough for the industry, or is there something more that can be done.
The speakers agreed that RBI has enables the banking institutions to harden their security posture. The first framework was introduced in 2016 when banks did not give priority to security, compared to today when most banks have taken this up as a mandate or as a need of the hour.
This makes RBI very proactive and providing a basic framework for all institutions to be compliant is a big move. Having said that the speakers also pointed out some of the cons to these regulations.
Some of the things mentioned during the discussion on this were:
- The security guidelines are mostly interpreted by CISOs with their own knowledge. This is why all banks will not do the same thing to improve their security posture. It is open to interpretations.
- The bare minimum that the regulators want the banks to do becomes the only guidelines for the banks
- The regulators need to more specific in terms of how the regulations need to be implemented for having uniformity across the industry.
- There has to be a clear guideline in terms of what if the industry actually takes a hit, what should be done.
Bikash mentions that while there are guidelines, the interpretation might differ. If a doctor prescribes a man to stay on the treadmill for 20mins every day, the man can interpret it as sitting on the treadmill. Same way if RBI makes it mandatory to do red teaming for banks, it’s not clear what’s the frequency it suggests. So regulations are good but the actual change happens when the organization wants to change and that change starts from the top or when the business thinks this is a must. Today security is a market driver, which is forcing institutions to embrace it.
He also mentions that security needs to be done from its true perspective and not from a regulation perspective. Presently you can do testing 4 times a year but that’s not going to help because the adversaries are attacking every day. So whether the regulator tells you to move to continuous testing one thing but having the sense of understanding why it’s important and doing it for yourself is another.
CISO Priorities For 2021
Sanjay directed a question across the room to our speakers to tell us about their priorities this year. And below are some of the top priorities that are listed.
- The RBI mandates and guidelines have made the top management in the banks fully aware of security risks and reputational risks. So regular testing and audits will be one of the top priorities.
- Deploying new tools and technologies in the organizations to manage detection and risks, vulnerability, cloud security posture management, email security, dark web monitoring, etc was counted as another top priority.
- Reducing shadow IT was also counted as a top focus. Along with incident response strategy, in terms of how fast one can recover if they are compromised.
- Conducting cybersecurity drills to train the employees to handle real-time scenarios.
- Take a risk-based vulnerability management approach.
- Move towards automation and continuous monitoring.
The panel signed off with a combined take on how the industry needs to collaborate to manage the risks together.
To hear the complete recording from the panel discussion. Click Below.