Making cyber security a boardroom agenda

Wednesday, 6 August 2014 00:01

CEOs across diverse sectors yesterday received top briefings from key IT professionals on ways and means of securing their business by making cyber security a boardroom agenda. Bringing top IT experts onto one platform, the Cyber Security Summit 2014, held under the theme ‘Join the Battle for Cyber Security’, featured five experts in that sphere to address the fully packed CEOs’ briefing over breakfast at the Cinnamon Lakeside Colombo. The event was co-organised by the Daily FT and CICRA Consultancies Ltd., and was held ahead of the full-day Cyber Security Summit, which was inaugurated by Economic Development Minister Basil Rajapaksa with Secretary to the President Lalith Weeratunga as the Guest of Honour.

In addition to a live hacking demonstration by Akati Consulting Malaysia CEO and Head of Consultants and Master Trainer Krishna Rajagopal and an address from Kaspersky Lab co-founder and InfoWatch Group of Companies CEO Natalya Kaspersky via Skype, the event facilitated a panel discussion to explore the growing issue of cyber-attacks. Moderated by Daily FT Editor Nisthar Cassim, the panel featured InfoWatch International Sales Director Vadim Kuznetsov, Microsoft Regional Director, Asia Intellectual Property Asia Pacific and Japan Keshav S. Dhakad, EC-Council USA President and Co-Founder Jay Bavisi, Cisco Systems Technical Leader Srikanta Prasad and Head of Consultants and Master Trainer and Akati Consulting Malaysia CEO Krishna Rajagopal. Following are excerpts of the panel discussion:

Q: Why do you think cyber security should be a board room issue?

Bavisi: I think it is obvious that cyber security is a board room issue. We have seen that as the world progresses towards technology and the way enterprises are raising technology, it is no longer a requirement but it is an enabler for profitability. If you don’t harness the power of technology then you are going to reduce the ability of an organisation to make money. In many cases if you don’t harness technology you might see the demise of an organisation. The organisation needs to look at multiple things such as comparative advantages, multiple usages, and ensure there is customer loyalty. However, the bottom line is that with technology come risks, and one of the most eminent risks that is coming up now is the risk of cyber security. There needs to be a top-down approach where efforts should be led by the board and executed by the CEOs. If they are not interested then it would eventually lead to the demise of the organisation. Then we have an issue with sustainability.

Dhakad: When it comes to the topic of cyber security being a boardroom discussion, I think one of the fundamental things that we forget about technology is that it is not just a tool for you to run your business and it is not something that you run at the back end. In fact technology is something that allows businesses to grow, keep systems transparent and develop relationships with their vendors and have that comparative advantage in the market space. Today cyber security is so critical that if CEOs and the management are not looking at the type of IT system that they have in their company, they are in a vulnerable situation. Sometimes we forget that without IT, no system can function. IT is not a tool that will allow you to just send an email or store some data; we are talking about intellectual property and confidential data which is critical. If not handled well, CEOs might have to let go of their jobs because they are not giving enough emphasis to IT and are performing poorly in IT management. The CEOs don’t have time to go into the nitty-gritty of IT, insecure supply chains, unwanted software environments and unclean IT. Sometimes the lack of review audits and security assessment enables vulnerabilities to sneak in from all directions.

It is surprising how one doesn’t realise that when devices are connected to the internet it is not a safe environment. If perceived to be untrustworthy we all will be surprised at how dangerous and risky the world is today. That is why IT security has to be taken at the board level in terms of the right investment and transparency, and accountability to shareholders and employees. You need to check the credentials of the vendors on the services they provide. This is something that cannot be delegated to the CIOs alone. The CIOs also have to step up and be at the board level to discuss how they are managing IT and the risks they are facing. To hide any incident that has happened is the most disrespectful thing a CIO can do. Lastly, when talking about an insecure supply chain, we must realise that one of the weakest links to cyber security breaches is using unprotected IT systems. Our experiences in fighting cybercrimes have shown us that even if you install antivirus products in an unclean environment, the solutions won’t work. This is not just about storing data and sending information and creating documents. This is about financial help, business success and the trust you enable for your customers, partners, vendors and shareholders. I would say that IT management is a top priority, because the biggest threat you could face is not the competitors but IT disruption.

Prasad: I would like to add my personal experience here. In India we had an unfortunate incident late last year where a system of an organisation was hacked and user information was stolen. This resulted in the CEO and CIO losing their jobs, along with banks suing that organisation for the lack of security measures in place. I was head of compliance at that time and there were regular meetings conducted to educate on the importance of compliance. This organisation chose to live with those threats instead of treating them. The focus was on retail and IT was not given priority. So noncompliance has to be treated very seriously because it will have repercussions up to the top. Technology for technology’s sake will not work, but at the top level when running a business the concern is about sustainability and market share. So how do you leverage information technology to become more profitable? You need to be conscious of the fact that technology brings a lot of risks, so you need to strike the right balance. There is no walking away from security threats. If you have something valuable people will come and take it. It is not about ‘if,’ it is about ‘when’.

Kuznetsov: The points raised on the importance of cyber security are on the one hand the influence of the current market and on the other hand compliance. Security of an organisation is influenced by cyber security and business processes. All in all this comes to the question about the importance of Chief Information Security Officers in an organisation. After databases were digitalised, everyone talks about who was responsible for information security, so the importance of security today is about enlightening the role of a CIO as a person who can really affect and optimise the business processes in an organisation.

Q: Most companies usually have a separate person handling security; it is not usually the CIO. Who should the person handling security report to? This is a fundamental thing lacking in organisations.

Prasad: IT reflects the seriousness and commitment an organisation has towards security. A trend I have noticed is that security is now being led as a different function and the head of that function is reporting to the board directly. So it is like having more controls. The CIO has his own charter to ensure that the IT systems are up and running, whereas the Chief of Security is the one who challenges the system and ensures it is secure. I have seen large organisations in India and across the globe moving these functions and making them report directly to the board and CEO.

Dhakad: We have seen CIOs reporting to CFOs. It is a very strange combination because the IT department is seen as a cost centre instead of a productivity division, so a CFO would only consider how much money his department will have to deploy and invest. IT and finance need to have more access to management since this is not just about the cost.

Rajagopal: One similarity I have seen is that the problem lies in language. You have the board whose focus is profitability and market share, so they would see all kinds of ways to use IT to empower them. For example, they would think of implementing the ‘bring your own device’ concept and the idea would be taken down to the IT team and later get shot down (because they can’t ensure the security of all the devices). You have one group whose focus is on market share and profitability and another group that looks at vulnerabilities. It has to blend.

Q: How do you get the whole senior management engaged in the security of the company?

Bavisi: If you look at the way the modern world has transformed you will see a separation of powers. There is a judiciary, an executive, and a legislator. The legislator, which is the board, are the ones who decide on the future of the company and the path it takes. Then come the executives, the CEO, CIO, and CFO. A lot of times the company will make the chief security officer report to the CFO, and sometimes they report to the CIO, sometimes they report to a chief risk officer, which makes the most sense. With the progress of technology and the rate at which the world is growing, you have to allow the security team in and make them part of the decision. So the board will decide on the milestones needed to be achieved, and the executives will need to ensure that they meet the requirement. Across all three circles there will be an overlap and that is why you will see a CEO or CIO sitting on the board.

Q: An increasing number of Sri Lankan companies are considering going cloud and especially using third-party services. So would you comment on the impact of cloud computing on cyber security?

Rajagopal: I think it can be adopted in a secure manner, but there are a few things that you need to ensure. You need to ensure that the cloud computing provider is transparent and a proper security assessment is done.

Dhakad: There is a lot of anxiety and curiosity in cloud computing and people wonder if it is safe. I think it starts with the cloud provider and with the type of trust and transparency they provide. There are many cloud providers you can find for a range of prices and it is about having trust in them. I want to reflect on the four principles Microsoft cloud is focused upon. To make sure that the customers and their data are heavily protected we look into cyber security, data privacy, compliance, and then transparency. These four principles allow us to enable our customers to keep their data completely secure. On the basis of these principles we consider that the data of the customers are multiple times better protected in our cloud-based data centres. If you are not using cloud, the on-premise ecosystem takes the entire burden. And when you move to cloud, the maintenance cost falls drastically. We enable trust by way of enabling customers to have complete control and visibility of their data. You need to make sure that you conduct due diligence when you choose a provider.

Kuznetsov: Cloud, mobility and bring your own device concepts are ones which prove that CIOs have to work directly with the board. When the security officer is reporting to the finance officer, he is almost trying to sell the product to him directly. Cloud security and computing is exactly where a CIO is fully competent and this is a concept where he can prove that it is safe for the company to get into. Cloud can be a secure environment and there are tools available for that purpose.

Q: The board depends on the compliance reports put forward by the departmental heads through the CEO. How will they rely on these and be satisfied that they have complied with the same?

Rajagopal: There are many compliance systems for IT and they conform to a number of standards. Just as with traditional accounting functions, the same concept for IT security is also there so that it looks at security and piracy, beyond compliance.

Dhakad: This again reflects on the insecure supply chain and unclean IT environment. There is an ISO standard called Software Asset Management that came up in 2006. Because of the complexity of software and applications it was becoming difficult for organisations to manage those assets. First of all, software was never treated like an asset, which is where piracy comes in. This standard basically is a best practice that allows an organisation to track the procurement of the software, its maintenance and usage. It helps in optimising the usage and checking the risk management. This gives a clear report on the usage and allows the companies to make a clear decision on trust.

Bavisi: Just because you have compliance doesn’t mean you are secure. Compliance is not the destination. The destination is cyber security but many organisations fail to understand this. It is the responsibility of the CEO to ensure that it is not just about the profitability but about security as well.

Q: In banks and financial institutions where there are customer-induced transactions and customers give away the passwords by phishing, what can be done about that? We are continuously engaged in customer education but still there is an issue; there is a huge reputation risk that bank systems are bad. How can this be tackled?

Rajagopal: Nowadays banks have got banners that say not to trust phishing and it has become a side advertisement. Users do not see it. So you need to see how you can create awareness within their process of logging in that really gives them no way to get out of it. Most of the time banks get in trouble because of the customers and the customers blame the banks for not having warned them. You have to think out of the box and find ways so that in no way can they say they didn’t know about it. The other important thing to do is to reduce complexity for the end user.

Bavisi: You cannot achieve security and speed and profitability and ease of use. These are all oxymorons that fight against each other. This is a massive problem and you have raised the right notes, which is education and awareness. An out-of-the-box approach is to have a short online banking training program that will teach the customer to protect their money, and at the end of it there will be questions for them to answer to make sure they are certified to use online banking systems. You can’t have people who are a risk to society running complex banking systems. It is a controversial subject since it involves regulation and money. The option will be for the bank to place options for the customer that if he cannot pass the online test he will have to sign a document where for any risk he will be held responsible.

Pix by Daminda Harsha Perera

Natalya Kaspersky calls for greater solutions to internal IT threats

By Shabiya Ali Ahlam

A top IT expert yesterday called for greater solutions in the area of internal threats, since it is an area that has received less emphasis despite IT and systems protection having grown immensely in recent years. Addressing the Cyber Security Summit 2014 CEOs breakfast meeting via Skype, Kaspersky Lab Co-founder and InfoWatch Group of Companies Group CEO Natalya Kaspersky said: “In recent years we have seen a rise in internal threats. While external threats also exist, systems are increasingly becoming vulnerable to internal threats since not many solutions are available for them.” Pointing out that IT security problems are getting more and more important year after year, she stressed the need to understand how enterprises and individuals will protect themselves from different threats. “It is important to find solutions for growing threats against complexities. While for external threats there are solutions such as firewalls and antivirus, there is a lot to be done to protect systems from vulnerabilities exposed through employees,” she added at the meeting that focused on making cyber security a boardroom agenda.