“A CISO doesn’t need to be a technology expert but should be aware of all the latest technologies”

Subhash Singh Punjabi

An important function for a CISO in an organisation is to provide strategic guidance on the cybersecurity program. Along with providing leadership, a CISO is responsible for ensuring that organisations adhere to cybersecurity standards, policies, regulations, and legislation. To know more about the evolving role of CISOs in relation to business results, Nidhi Shail Kujur of Elets News Network (ENN) interacted with Subhash Singh Punjabi, CISO & Head Enterprise Architecture, Deepak Fertilisers and Petrochemicals Corp, Ltd.

How do you anticipate the CISO function evolving in relation to business results?

A CISO is now more involved in the overall cyber risk management of the company, mitigation of risks and the decision-making process. The CISO is now closely aligned with C-level executives and the board of directors to keep them informed about cybersecurity risks and initiatives to mitigate the threat. The Board of Directors has become increasingly cyber aware and expects the CISO to present the organisation’s cybersecurity posture to them more frequently than ever.

Today, having only technical skills is not enough for a CISO. They are expected to have a strategic vision and a broader perspective of what’s happening in the cybersecurity space. A CISO doesn’t need to be a technology expert but should be aware of all the latest technologies and security areas that can impact the overall business.

One of the main roles of a CISO is establishing a security framework. This also involves identifying the right security hardware and software, explaining its requirement to the board and other C-level executives, and implementing it.

The new normal of work from remote locations has profoundly impacted the role of a CISO. Since there has been this paradigm shift in the operations model, IT security has been one of the major concerns for the organisation. CISOs now must x`step up to ensure their organisations can smoothly transition while embracing digital transformation.

CISOs have a key role to play in any organisation. Once considered a technical role, CISOs today are influencing the other C-suite leaders in the organisation, thus forging key leaders for the future of cybersecurity.

Considering the trends from 2022, how do you envision the industry’s cyber security initiatives changing in 2023?

Hackers can expose your personal information or even shut down your entire business operations for any number of hours or days. The growing sophistication of these attacks has led various organisations to clamp down on cyber criminals—the back-and-forth affair defining the cybersecurity trends we’re experiencing today.

Security deficiencies are costing for-profit and non-profit organisations billions of dollars in losses. Plus, with companies shifting to remote work since the pandemic began, they have become more vulnerable to attacks from hackers.

As per the Global study most common cyber-attacks experience by companies are as follows:

  • Phishing attacks are now highly localised, Geo-targeted and more personalised. About 37 per cent of data breaches involve phishing activities.
  • Considering the above trend, phishing attack awareness with simulation in organisations is to be done at least twice a year.
  • User behaviour analytics is also a very good tool which needs to be deployed and exercised in all organisations.
  • In cybersecurity, the role of machine learning (ML) is growing and has now become more proactive. With ML, cybersecurity becomes simpler, more effective, and, at the same time, less expensive. From a rich dataset, ML develops patterns and manipulates them with algorithms. This way, it can anticipate and respond to active attacks in real time.
  • This technology heavily relies on rich and sophisticated data to produce effective algorithms. The data must come from everywhere and represent as many potential scenarios as possible. Implementing ML, thus, allows cybersecurity systems to analyse threat patterns and learn cybercriminals’ behaviours. These help to prevent similar attacks in the future and reduce the amount of time needed for cybersecurity experts to perform routine tasks.
  • ML makes cybersecurity much simpler and more efficient.
  • IT-OT security will be on top priority in 2023 and beyond as many organisations have started their Digital Transformation – Smart Factory initiatives.

What do you perceive regarding data protection legislation?

The Data Protection Act gives individuals the right of access to information about themselves, which is held by an organisation, and sets out how personal information should be collected, stored, and processed. It must be considered when information is published as it limits what personal information may be made publicly available and the information which can be released under FOIA. Data protection legislation only applies to living individuals.

  • The Data Protection Act 1998 includes the following requirements:
  • You must make sure that all your employees are aware of their responsibilities under the Data Protection Act (DPA) 1998.
  • You might have to register with the Data Protection registrar.
  • You must ensure that you monitor your use of data so that it complies with the DPA.
  • Particularly, you must ensure that personal data has appropriate access controls to ensure that no individuals’ rights are infringed. If you are going to monitor communications, you must perform this activity in an informed, responsible, and nonintrusive manner.
  • You must also make sure that data is destroyed in a timely manner.

What advice do you have for reducing the industry’s skills shortage for security professionals?
According to the ‘(ISC)2 Cybersecurity Workforce Study, 2019’ report, the number of security-related employees needs to grow by 145% to meet the current demand for talent.

Also Read | “The demand for seasons CISOs is on the rise and this requirement is going to grow in future”

The study, which included nearly 3,300 participants from across the globe, concluded an additional 4 million employees must join the current 2.8 million security pros to fill the void. Actually, the shortage of cybersecurity pros is getting bigger day by day.

To reduce the skills shortage for security professionals’ organisations should have clear security career paths. Programs such as apprenticeships and internships are essential to develop and build security professionals’ skills. Many students don’t learn about cybersecurity careers until they are in college. By this point, many already have their sights set on their chosen majors. Cybersecurity education and training should start as far back as middle school or even elementary school.

But career path planning shouldn’t end there. Cybersecurity is an ever-evolving space, so ever- evolving education is required. To be a desirable employer, organisations should help workers progress their careers by contributing to the cost of achieving security certifications, providing opportunities for employees to stay up to date on security matters and laying out a clear career path toward enterprise security roles.

Your growth plans for 2022 and beyond?

As of now, I have three points agenda for 2022 and beyond.

I should Act as an influencer and educator

In recent times, the explosion of applications and transition to hybrid work models has provided organisations with endless opportunities to transform, impacting everything, from the emergence of new business models to enhanced customer experience. Simultaneously, it has thrown light on the criticality of modern cybersecurity technologies and elevated CISOs role within an organisation because as we digitise, the threat landscape continues to evolve. Today, organisations face multiple challenges while operating in this environment, including complexity in connecting users to applications and data across various cloud platforms. Zero-trust framework, cloud-based security technology, and intelligent security automation have become vital tools in the CISO’s arsenal. For CISOs to continue to navigate the threat landscape, they must consistently reinvent and implement more sophisticated defence strategies in 2022 and beyond to mirror the increasing sophistication of the methods used by hackers. This means, CISOs will have to be both influencers and educators, as they are now on the leading edge of the strategic decisions being made in organisations.

I should build a security-first approach across the organisation

The role of the CISO is changing as cybersecurity moves up the corporate agenda and cybersecurity becomes the digital equivalent of business risk. In 2022 and beyond, the role will focus on security transformation as the lead for digital transformation across a business. It will identify and address the security risk associated with a shift in digital approaches and adoption. It will also be responsible for ensuring a security-first approach is adopted across the business, and that employees are educated and prepared to play their part in protecting the organisation from identity vulnerabilities or credentials theft. The CISO will be responsible for looking to the future to identify how the business maintains a robust cybersecurity posture by scaling its cybersecurity solutions as the threat landscape evolves and adversaries further develop their tools, techniques, and procedures (TTP). Finally, it will promote the power of crowd within the organisation to ensure the business has access to the best autonomous solutions being augmented by global threat intelligence and human threat hunting to stave off even the most sophisticated of attacks.”

I should encourage a culture of cyber awareness and hygiene

Attackers are leveraging trusted credentials to move throughout the network unabated and can accomplish much of their nefarious activity without raising a single alarm. For organisations to adopt an effective and robust cybersecurity strategy, CISOs should reassess the security requirements in a world where employees are remote, data and applications are accessed through a variety of company providers and personal devices and applications are residing in a combination of private and public clouds. Lastly, CISOs must invest in nurturing the next generation of cybersecurity leaders, to enable businesses to be agile and not compromise on security. As we look to the year ahead, security leaders must adopt a Zero-Trust intrinsic model and prepare to fend against the exacerbating risk of attacks. CISOs of the future can effectively implement a holistic cybersecurity strategy and encourage a culture of cyber awareness and hygiene for a resilient organisational structure.