Demonstrating Security ROI: It's Still a Challenge
Management Buy-in Is Still a Big Issue, Says BSE CISO Pandey
While the West has moved on from the flogged-to-death theme of management buy-in and security ROI, Indian organizations still struggle to get security investment approved to buy tools and recruit personnel, although this is slowly changing.
"Many of these tools are very expensive by Indian standards and getting buy-in to invest in them from executive management that is devoid of security awareness is painful for many Indian organizations," says Shivkumar Pandey, CISO at Bombay Stock Exchange. "Risk-driven security is thus taking center-stage."
A technology boom of sorts is underway in India, he says, and the cyber risks are increasing exponentially. There is a strong need for collaboration and awareness of cybersecurity issues, he believes. The earlier situation where organizations could just depend on technology solutions and expect a reasonable degree of security is past. There is a need to stop taking just a tool-based approach and focus equally on people, process and technology, he says.
Pandey was a participant in a panel discussion on advanced persistent threats at the ISMG Data Breach & Fraud Prevention Summit Asia in Mumbai. The discussion titled "The APT Kill Chain - Its Defensive Opposite and Establishing Trust" took a real-world look at what aspects of APT are new and what can be done to contextualize an organization's response in the present landscape.
In this interview, Pandey shares some thoughts on the APT challenge and the takeaways he expects from ISMG's Data Breach and Fraud Prevention Summit.
Pandey has more than 16 years of information technology and cybersecurity experience across industries, including BFSI, ITES and telecommunications. He specializes in information security management and has an in-depth understanding of the core banking and payment systems used by banks in India. He is proficient in project management, including project scoping, estimation, planning, solution architecting and finalization of technical specifications. Prior to joining BSE as CISO, Pandey was associated with NPCI, Reliance JIO, SUD Life, Future Generali India, Kotak Mahindra, TATA AIG and Reliance Infocomm.
Following are edited excerpts from the interview:
Varun Haran: You are a speaker at ISMG's Data Breach & Fraud Prevention Summit in Mumbai. You are part of the panel discussion on the APT challenge. What is the biggest challenge you see for Indian practitioners from APT? What are your thoughts on the subject?
Shivkumar Pandey: Though we are talking about APT, the real challenge is the zero-day attack that the APTs today are built around. There are many vendors in the market today that are providing APT defense technology, which is reactive in nature. Reactive is signature-based, which is fine when you are dealing with known threats. But in the case of new or zero-day malware, vendors claim that behavior- and pattern-based blocking is used and is effective. But does this really work?
In my previous stint as CISO of the National Payments Corporation of India, we ran simulations for APT defense where, while the reactive, signature-based elements worked fine, the zero-day defense was often a failure, as it is very subjective in nature. Given the trend we are seeing, APT attacks are on the increase, and defense strategies to protect from APT are a must, at least to block the known vulnerabilities, even if it is a day before.
But APT defense technologies should only be considered if your organization already has a basic to moderate level of security. It's simply not worth it otherwise. Also, you cannot depend only on the tools. A hybrid model is needed, because the risk comes from both internal and external vectors. You need to focus on all three aspects: people, process and technology.
Haran: In the BFSI sector, what are some of the challenges being faced by the security practitioners?
Pandey: The biggest challenge Indian security practitioners are facing across sectors, in my opinion, remains management buy-in. The management's approach to security can sometimes be from an ROI perspective. The level of maturity is low, and it's looked upon by the management as a good-to-have. For many Indian organizations today, many of the tools prove to be just too expensive.
One proven way to get management buy-in is to put risk in the language the management understands. They can either accept and sign off on the risk, or they can face the consequences from an attack. This means taking ownership and making the management aware of the consequences of not investing in security. This usually makes the business sit up and take notice.
Need for Collaboration
Haran: What are your expectations from industry platforms like the upcoming Data Breach Summit? What is the InfoSec community's most pressing need?
Pandey: There is a big need for the community to collaborate. Most of the industry verticals today are so organized, and yet there is not much collaboration in this domain. In spite of largely remaining anonymous, the threat actors seem to be able to collaborate better than the good guys, and this needs to be addressed.
Cybersecurity risk has increased immensely. India's dot-com boom is just happening, so to speak, and the mass-market e-commerce movement has opened up a lot of vulnerabilities which will prove problematic going forward. There needs to be a forum where people can share their different challenges and determine some common solutions for emerging problems, and I think this forum, among others, will play an important role in doing this.