Wish you all a very happy 2021, and may the year be filled with success, good health and happiness for you and all your loved ones. With the year 2020 and the pandemic overwhelming us, we must be conscious of the increase in cyber security threats that are looming in front of us. Here are a few thoughts and considerations for the unenviable role of the CISO, for a great start to 2021!
Make the management part of your problem
Senior management do not know the technicalities of how a breach occurs, nor should they need to know. However, they should be clearly aware of the risks involved. Ensure that senior management and the board are completely up to date on all risks. Increase the frequency of your meetings and provide a crisp update of the open risks and how you are working to mitigate them, with a clearly established timeline and dependencies. Costs and budget over-runs should be highlighted ahead of time. Bring in business-friendly and business-relevant cyber security metrics and report them periodically. This way, management is more forthcoming in providing the necessary authority and in helping to prioritize your initiatives.
Get the appropriate budget
Budget definition and allocation as a percentage of IT spend, a percentage of the cost of a breach, a percentage of business growth YOY – various models exist. While each has its benefits and pitfalls, the budget should be commensurate with your risk appetite. Continuing from the point above, having management ‘onboard’ with cyber security initiatives will go a long way in ensuring that an appropriate budget is allocated. Let us understand one thing clearly: the world expects ‘more’ with ‘less’.
Clearly identify your security partners
Cyber security is one of the top fields where the gap between the skills available and the market’s needs is widening. With a CAGR of 17% in cyber security (products and services), this area can quickly become the CISO’s nightmare. Relying on experts to do the job is also essential, and this can be solved by engaging the right eco-system partners. Security technologies, security governance and security operations are niche areas, and picking the right partner will ensure that they stay with you, provide the much-needed assurance and help address your problem by bringing in the right skills. Remember, it is not required to boil the ocean.
Evolve Your Security to Protect Your Remote Infrastructure
Secure your remote workforce by proactively protecting against zero-day malware and phishing, and consider both human and technological factors to avoid falling victim to phishing attacks. In response to the coronavirus pandemic, Gartner analysts observed a more than 400% increase in client inquiries related to remote access technologies for the months of March, April and May 2020, compared to the previous three months. Furthermore, a recent Gartner survey reveals that 41% of employees are likely to work remotely after the coronavirus pandemic.
Continuous monitoring for all critical assets
90% of breaches in cloud-based infrastructure were due to configuration-related issues. Periodic assessment (like once a year or once a quarter) may not be sufficient in today’s scenario. The new buzzword is continuous monitoring. Continuous monitoring of critical assets aids rapid detection of compliance issues and security risks within the IT infrastructure that could lead to compliance violations. It helps you understand changes to the infrastructure in real time, and, combined with a good threat intelligence feed, effective continuous monitoring makes it possible to address zero-day attacks with much more robustness.
Suresh Iyer: Co-Founder and CEO
Suresh has 28 years of experience in Information Technology, IT Security, Risk Management and Privacy areas. He has served in CXO positions in many global organisations like Ocwen, Altisource, Aditya Birla Minacs, eFunds and Bank of America. He is very passionate about Technology and Risk Management and has provided leadership in areas such as Technology Risk, Operational Risk, Information Security, Information Technology, Data Centre Technologies. He is an eminent speaker and panellist in many industry and security forums.