Feature

CISOs must invest in an effective GRC tool over anything else: Shubhagata Kumar

Shubhagata Kumar, Additional Director General and CISO, CBIC, talks about what constitutes a robust security framework.

Preparing a future-ready cybersecurity protocol calls for a robust cybersecurity framework. In the event of a cyber-attack, the one thing that can help a business get back on track is a proper incident response strategy.

Bringing this to the spotlight at IDG Security Day & CSO100 Awards was Shubhagata Kumar, Additional Director General and CISO, Directorate of Systems at the Central Board of Indirect Taxes and Customs (CBIC), Govt. of India.

She started as an officer of the Indian Revenue Service; at the Central Board of Indirect Taxes and Customs (CBIC), she went on to implement the first data warehouse in the central government. At the Directorate of Systems, Kumar was responsible for implementing an ISO 27001-compliant security policy. Drawing on her experience in rolling out the policy, she says that she found the organization in violation of its own stated policy.

“At the CBIC, we decided that unless we adopt a framework, it would be extremely difficult as we have three lines of business,” said Kumar.

Watch Shubhagata Kumar address India's top-notch security heads at the IDG Security Day & CSO100 Awards. Prefer to read the edited excerpts? Read on.


A framework’s fundamental function – ensuring IT meets its objectives
Kumar believes that as organizations adopt concepts like DevOps, security ought to be built into every delivery project. Additionally, security frameworks need to be tailored to the business model and to what needs to be protected. Kumar swears by the National Institute of Standards and Technology (NIST) framework, because the depth of resources NIST makes available is not matched by other standards such as ISO 27001.

The primary factor in designing a security protocol is identifying the right assets and managing them. The point is to ensure that no unmanaged asset turns into a potential vulnerability. “The biggest problem in protection against threats is to get organizations to accept residual risk. The concept of residual risk is not easy to explain to the board,” stated Kumar.

“At some point, the risk of an incident occurring equals the cost of mitigation. This is the happy point at which we can stop protecting. To achieve this, we need to have robust systems in place to detect an anomaly. This is the most critical factor in any steady state organization,” opined Kumar.
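The "happy point" Kumar describes can be shown with a small risk-register calculation. The script below is an added example and is not code from CBIC or from the talk: it computes an annual loss expectancy from a constructed single-loss figure and occurrence rate, applies candidate controls only while the loss they remove exceeds their cost, and reports what remains as residual risk. The control names, costs and figures are all constructed assumptions.

```python
# Added example: where does mitigation spend stop paying for itself?
# All figures and control names below are constructed for illustration.

from dataclasses import dataclass


@dataclass
class Control:
    name: str
    annual_cost: float      # what running the control costs per year
    risk_reduction: float   # expected annual loss the control removes


def annual_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """ALE = SLE x ARO: expected yearly loss from one threat scenario."""
    return single_loss * annual_rate


def choose_controls(ale: float, candidates: list[Control]) -> tuple[list[str], float]:
    """Apply controls in order of risk removed per unit cost, but only while
    the loss a control removes is still larger than what it costs. The loss
    left over once no control clears that bar is the residual risk the
    board is asked to accept."""
    residual = ale
    chosen: list[str] = []

    def value_per_cost(c: Control) -> float:
        # a free control is always worth taking first
        return c.risk_reduction / c.annual_cost if c.annual_cost > 0 else float("inf")

    for control in sorted(candidates, key=value_per_cost, reverse=True):
        # a control cannot remove more risk than is actually left
        effective = min(control.risk_reduction, residual)
        if effective > control.annual_cost:
            chosen.append(control.name)
            residual -= effective
    return chosen, residual


# Constructed scenario: one breach costs 2,000,000 and is expected once in
# ten years, giving an ALE of 200,000.
SINGLE_LOSS = 2_000_000.0
ANNUAL_RATE = 0.1

# Constructed candidate controls (names and figures are assumptions).
CANDIDATES = [
    Control("mfa", annual_cost=20_000, risk_reduction=120_000),
    Control("backups", annual_cost=30_000, risk_reduction=50_000),
    Control("dlp", annual_cost=60_000, risk_reduction=40_000),
]


def assess() -> dict:
    """Run the constructed scenario end to end and return the decision."""
    ale = annual_loss_expectancy(SINGLE_LOSS, ANNUAL_RATE)
    chosen, residual = choose_controls(ale, CANDIDATES)
    return {"ale": ale, "controls": chosen, "residual_risk": residual}


if __name__ == "__main__":
    result = assess()
    print(f"ALE: {result['ale']:,.0f}")
    print(f"Controls worth funding: {result['controls']}")
    print(f"Residual risk to accept: {result['residual_risk']:,.0f}")
```

In the constructed scenario the MFA and backup controls each remove more expected loss than they cost, while the DLP control would cost 60,000 to remove the remaining 30,000 of risk, so it is left unfunded and 30,000 becomes the residual risk to put in front of the board. Changing the occurrence rate moves the point at which spending stops, which is the conversation Kumar says is hard to have.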

She emphasized that it’s not about the technology, but about the people and processes. In drawing up a cybersecurity framework, the most critical aspects revolve around identification, protection, detection, response, and recovery. She believes that, where possible, the best strategy is to run systems from multiple places. “This is the only way to ensure that we can test our ability to respond and recover,” she said.

To combat insider threats, Kumar said that a privileged identity management solution, encryption of critical data, and a real-time database monitoring solution are crucial to protecting data. Kumar pointed out that a service level agreement that spells out the proper policy for patch management and bug scrubbing is of prime importance and cannot be ignored.

She wrapped up by highlighting the importance of Governance, Risk and Compliance (GRC), and why CISOs ought to put their money on an effective GRC tool. CBIC implemented an IT GRC solution, and Kumar shared that it turned out to be the most effective tool; in fact, CISOs should pick GRC over any other tool, she said. The GRC tool also integrated very well with all the processes – for instance, incident management and change management.