Monday Nov 25, 2024
Thursday, 4 March 2021 02:34
Keynote Speaker Dileepa Lathsara
Panelist Madu Ratnayake
Panelist D. Soosaipillai
Moderator Manil Jayasinghe
The Sri Lanka Institute of Directors (SLID), together with EY, organised a webinar moderated by EY Partner Manil Jayasinghe on ‘Security of Information Assets: What the Board Needs to Know’. The session was held recently to update board members’ knowledge and understanding of the increasing cyber security risks and threats to an organisation’s information assets brought about by the rapid wave of digitalisation and the resulting changes in the way organisations work in response to the ongoing pandemic.
The webinar also discussed strategies and best practices for mitigating these risks and securing information assets while ensuring business continuity, loss minimisation and quick, safe recovery in the event of a breach. The keynote address was delivered by TechCert CEO Dileepa Lathsara, and the panel comprised eminent tech and business leaders Virtusa Executive Vice President, CIO/GM Madu Ratnayake and INED of listed companies D. Soosaipillai.
“It is important to define what information assets are so that security can be provided to those assets. Contrary to the misconception that information assets are only the application systems or the systems that staff work on and the data that resides on those systems, information assets include supporting infrastructure such as switches, patch panels, routers, servers and all other equipment, and application systems including confidential corporate information in those systems. It is also important to identify where corporate information is stored and who has access to it,” said Lathsara. “Boards should get involved in handling cyber security risk by firstly setting a security tone for the organisation so that everyone takes security seriously, and also by ensuring that the required resources are made available. Boards can focus on the actual requirements of information security by adopting and adhering to security frameworks, standards, acts and directives such as NIST, the ISO 27000 series and PCI-DSS, rather than having the IT security team re-invent the wheel,” he added.
He further stated that cyber security should be incorporated into the digital transformation chain and should not be a mere afterthought plugged in at the end. Cyber accountability is also important: it is the organisation’s ability to demonstrate good cyber hygiene so that, in the event of an attack, it can trace the incident back to a unique event, person or group responsible, with admissible evidence, which also aids quick rectification and recovery.
He also emphasised the importance of making informed and optimal investments in cyber security mitigation. These are preferably evaluated using Annualised Loss Expectancy (ALE) rather than ROI, since security is about loss prevention and not about earnings. ALE is calculated as the cost of a security incident multiplied by the chance that the incident will occur in a year.
Ratnayake said that it is essential and fundamental to have the right people in the security team, led by a CISO (Chief Information Security Officer), and that cyber security is a journey and not a destination, as security is constantly evolving. Boards should comprise members who have expertise in security, given that most companies are going digital and the risk is becoming crucial.
Panelist D. Soosaipillai said that the first thing is to find a security standard to be adopted in the organisation, without which there will be limitless spending on security without knowing what the benefits are. The organisation should have a security vertical, such as a CISO or an IT Security function, which is where the Board will look to establish ownership of IT security. He also suggested that the Board commissions regular, if not half-yearly, Vulnerability Assessment and Penetration Testing (VAPT) of the organisation’s systems and security matrix by external third parties.
In conclusion, moderator Manil Jayasinghe observed that the area of cyber security is akin to a minefield, and that risk levels have increased dramatically because organisations have had to open their systems to enable working from home in response to the current pandemic. He also said that education and keeping up to date with what is out there help a lot in identifying and mitigating risks and in determining the procedures that need to be put in place to secure information assets. He concluded the webinar by highlighting that cyber security requires constant real-time monitoring, especially where organisations have adopted the work-from-home concept, which puts a completely new dynamic on successfully securing information assets.