Data classification and then securing the data with necessary controls will be the focus area for CISOs in the coming year, says Rishi Rajpal, director-Global Security, Concentrix. He expects more governments to implement stringent laws on the lines of GDPR for data privacy. With more than 20 years of experience in the cybersecurity industry, he specializes in risk management, security tools and technologies, compliance, and privacy.
In an exclusive interview with CSOOnline, Rajpal talks about the focus for Concentrix as well as the security industry as a whole.
What does the current year hold for IT security for Concentrix? Which are the security technologies that Concentrix plans to invest in 2018 and beyond?
While we have moved into 2018, we will continue to execute foundational security processes like patch management, vulnerability scanning, OS hardening, and review of logs in an effective way. We will also continue to mature our advanced security tools like SIEM, DLP, CASB, PIM etc. Proactive monitoring and maturing our SOC operations using external intelligence and fine tuning will be one of our focus areas.
You have time and again said that while focusing too much on emerging technologies and the latest security tools, you tend to forget the basics in the process. Can you elaborate on what are the basics that each company should follow to be secure?
Companies often spend too much time, money, and effort in new and emerging technologies without having foundational controls like patch management, OS hardening, vulnerability scanning, and network security in place. New technologies are made on the lines of proactive alerting, automated ways of finding gaps in the environment. I am personally not against any of these technologies; but they will add more value with strong foundational controls in place, and take maturity to another level.
The basic and fundamental premise for security should be to apply controls proportionately to asset criticality.
What are the biggest challenges for a CISO in the fast-changing tech world and how do you manage to overcome them?
Of late, there have been massive changes in technology and in its adoption. The rate at which data is increasing, its prevalence and availability have spread and increased multiple fold. This provides the scope for multiple data leakages, and securing sensitive data becomes a challenge for any CISO. The main task therefore is to identify what and where the data is being stored, and how securely it is being processed. Data classification and adopting necessary controls based on this classification then becomes important so that effort and money can be spent in an effective way.
Also, security awareness within the internal team and among employees must be driven effectively to prevent any unintentional data leakage. With advancement in technologies and in new tools, retaining talent within the organization is becoming critical. Organizations should identify talented junior staff and look at expanding their careers by providing adequate training and support to develop their skills. By doing this, organizations can ensure the availability of good talent regularly and use them effectively.
What big security trends do you foresee in 2018?
In 2017, cybersecurity breaches hit organizations worldwide and affected numerous endpoints in the IoT chain. Apart from the Equifax breach and Yahoo's account hack, ransomware like WannaCry, NotPetya, and Bad Rabbit posed huge challenges for organizations.
In 2018, ransomware attacks will continue to increase and evolve. Hence, we can expect more instances of spear phishing and whaling wherein top executives of organizations and high-net-worth individuals will be targeted. Also, with greater prevalence of bots/automation, as well as increase in cloud, mobility, and IoT implementation, the threat vectors will increase further. It is therefore critical to develop an effective strategy to curtail the threats. There have been many new regulations on security and data privacy like GDPR coming into force. We can expect more governments to implement stringent laws to govern and secure personal information and sensitive personal information. I definitely foresee an increase in industry-specific regulations from law makers in the future.
With increased awareness for the need for cybersecurity, organizations have started increasing their budget toward cybersecurity. But is it actually put to use?
While big organizations have started purchasing tools to address cybersecurity risks, the middle-level and smaller organizations are yet to decide and take effective steps in this area. Also, wherever security tools have been implemented, organizations are dealing with false positives and false negatives. Security professionals should ensure the actual alerts don’t get lost in the thousands of false positives. The need is to strike a balance between the false positives and false negatives. Also, while organizations are purchasing tools, not many are spending time and effort in KRIs and KPIs to define and monitor the performance and effective usage of these tools.
What is the barrier that IT decision makers face in planning long-term cybersecurity strategies?
Technology is evolving at a faster pace, and its implementation is even faster. But one of the main barriers in its implementation is the lack of awareness. Cybersecurity discussions must be at all levels since people themselves can be an attack vector. Investment in the right tools depending on the risk profile of the organization is a must. In fact, identifying the right tool itself is very critical. There should be more frequent collaboration between organizations and law makers in this regard. Similarly, there should be more openness within the organization to facilitate information sharing and to develop long-term strategies.
There have been various recent attacks that have made the outlook toward cybersecurity quite evolved. Do you see a change in the way it is being treated by the enterprise heads?
The cybersecurity landscape and threat vectors are changing at a breakneck speed due to fast-changing technology and its fast adoption. Organizations should develop newer, more evolved incident response teams to foresee and face such attacks in advance. In the future, I think more organizations will move from a reactive approach to a more proactive approach toward threat handling. Increasing volume of automated attacks will also require more organizations to move toward automated response to attacks and near-real-time threat detection and response.
Companies like Bajaj have started a cybersecurity insurance and the topic of special insurance has been around for a while. Your take on the problems faced for this and the need for it?
Globally, many large companies have started taking cyber insurance coverage. In India, however, the penetration is very low. Changes in regulatory compliance, the security threat landscape, and the frequency and nature of cyber-attacks are leading more companies to go for cyber insurance. But the cyber insurance industry is also evolving and is yet to mature because insurers themselves have low awareness of cybersecurity terminology. The methodology for computing risk assessment needs to become more evolved. Also, the costs, cyber insurance coverage, and the premiums are based on the industry the organization belongs to, the type of services provided, data risks and exposures, security posture, policies, and annual gross revenue, all of which need to be further standardized.