“A CISO must be a strategic thinker, a decision-maker, and an influencer”

Khushru M. Mistry

Cybercriminals have targeted employees working remotely. The use of personal devices for work, together with cloud-based email, remote desktop programmes, online video/audio conferencing and other technology adopted to support remote work, has raised organisations’ exposure to security breaches. Nidhi Shail Kujur of Elets News Network (ENN) interacted with Khushru M. Mistry, Chief Information Officer & Senior Vice President, Information Technology, Eureka Forbes Limited, to understand how the hybrid work culture has paved the way for an increase in cybercrime.

How has hybrid work culture paved the way for an increase in cybercrimes?

The risk is real and businesses are more vulnerable since malicious actors have exponentially increased their activity, causing a multi per cent increase in cybercrimes over the same period last year.

The dichotomy of employees splitting their time between secured office network locations vis-à-vis offsite locations introduces lax security practices and exposes the organisations to malware and significantly increases the risk of cybercrime.

Cybercriminals have been capitalising on employees working remotely. Cloud-based email, remote desktop applications, online video/audio conferencing and technologies designed to assist with remote work have increased the organisation’s risk of a security breach, as have employees using personal devices for work and downloading software (to do their jobs) not approved by IT.

How does Zero Trust help secure the data infrastructure of organisations?

Zero Trust is a strategic approach that secures an organisation by eliminating implicit trust and continuously validating every stage of digital interaction. The principles of “Deny-All, Allow-by-exception” have been accelerated by vetting at every stage of access.

Zero Trust ensures the continual validation and monitoring of end users, their devices, their implicit rights and their attributes. It enforces policies based on the “risk-weightage” of the user and the devices, complementing the other compliance requirements before permitting or rejecting the transaction.

One-time validation is just not sufficient since the threat landscape changes based on user attributes.

All access requests are continuously vetted before allowing access to enterprise or cloud assets. This is done based on real-time visibility of users, application identity and user attributes.
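The deny-by-default, continuously re-evaluated decision described in this answer, as an added illustration that is not code from the interviewee, Eureka Forbes or any product. The policy table, risk thresholds, device-posture fields and the sample user and device are all constructed assumptions; the point it shows is that the same credentials that pass at login are refused later in the session once device posture and network change, which a one-time validation at login would miss.

```python
"""Deny-by-default access decisions, re-evaluated on every use of a session.

Added example. Policy rules, risk weights, thresholds and sample data are
assumptions constructed for illustration, not a real deployment's values.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Device:
    managed: bool          # enrolled with IT (MDM) or a personal device
    edr_healthy: bool      # endpoint agent running and reporting
    patch_age_days: int    # days since the last OS patch was applied


@dataclass
class User:
    name: str
    groups: set[str]
    risk_score: int        # 0 (clean) .. 100, e.g. from identity-provider signals


@dataclass
class Request:
    user: User
    device: Device
    resource: str
    action: str
    network: str           # "office", "home" or "unknown"


# Allow-by-exception: a (resource, action) pair absent from this table is denied.
POLICY = {
    ("crm-db", "read"):  {"groups": {"sales", "it"}, "max_risk": 40, "require_managed": True},
    ("crm-db", "write"): {"groups": {"it"},          "max_risk": 20, "require_managed": True},
    ("wiki",   "read"):  {"groups": {"staff"},       "max_risk": 70, "require_managed": False},
}
MAX_PATCH_AGE_DAYS = 30


def device_risk(dev: Device) -> int:
    """Fold device posture into a risk weight that is added to the user's score."""
    weight = 0
    if not dev.edr_healthy:
        weight += 30
    if dev.patch_age_days > MAX_PATCH_AGE_DAYS:
        weight += 20
    if not dev.managed:
        weight += 25
    return weight


def network_risk(network: str) -> int:
    """Unknown networks carry the highest weight; the office carries none."""
    return {"office": 0, "home": 10}.get(network, 25)


def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request against the policy. Returns (allowed, reason); default is deny."""
    rule = POLICY.get((req.resource, req.action))
    if rule is None:
        return False, "no rule: deny by default"
    if not (req.user.groups & rule["groups"]):
        return False, "user not in an allowed group"
    if rule["require_managed"] and not req.device.managed:
        return False, "managed device required"
    total = req.user.risk_score + device_risk(req.device) + network_risk(req.network)
    if total > rule["max_risk"]:
        return False, f"risk {total} exceeds {rule['max_risk']}"
    return True, f"allowed at risk {total}"


class Session:
    """Re-runs the policy every time the session is used, not once at login."""

    def __init__(self, req: Request):
        self.req = req
        self.decisions: list[tuple[bool, str]] = []

    def access(self) -> bool:
        ok, why = decide(self.req)
        self.decisions.append((ok, why))
        return ok


def demo() -> tuple[bool, bool, list[tuple[bool, str]]]:
    """Same user, same credentials: allowed first, denied after posture degrades."""
    alice = User("alice", {"sales", "staff"}, risk_score=10)
    laptop = Device(managed=True, edr_healthy=True, patch_age_days=5)
    req = Request(alice, laptop, "crm-db", "read", network="office")
    session = Session(req)
    first = session.access()          # risk 10 <= 40: allowed
    # Later in the same session: the EDR agent stops reporting and the user
    # moves to an unknown network. Nothing about the credentials changed.
    laptop.edr_healthy = False
    req.network = "unknown"
    second = session.access()         # risk 10 + 30 + 25 = 65 > 40: denied
    return first, second, session.decisions


if __name__ == "__main__":
    print(demo())
```

The risk weights are deliberately simple; in a real deployment they come from the identity provider, the EDR platform and the device-management system, and the threshold per resource is set by its data classification.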

What does the board expect from CISOs? What’s your bucket list for modern CISOs to evade hackers and damage to reputation?

The board expects the CISO to report on the organisation’s ability to identify its critical assets, the cyber defence plan in place to protect those assets, to what degree the organisation is executing against that plan to manage risks/vulnerabilities, and the robustness of the cybersecurity crisis management plan.

My bucket list:
1. EDR/XDR-based endpoint security incorporation into every device used by our staff.
2. Zero-Trust Architecture enablement.
3. Cybersecurity training across the organisation – a yearly mandatory exercise with stringent testing.
4. Cyber wargame exercises and simulations with the participation of board and C-suite executives.
5. Simulation exercise of the cybersecurity crisis management plan – a yearly exercise with C-Suite.
6. Results of other initiatives to reduce risk and upgrade the company’s security posture.
7. Security integration with application development.
8. Patch management – dates, plans, frequencies.
9. The number of incidents and vulnerabilities.
10. The number of non-remediated risks and why they have not been remediated.

How, according to you, are Machine learning and automation impacting security strategies?

Cybersecurity has undergone massive shifts in technology and its operations with cyber data science driving the change. Extracting insights from cybersecurity data and building a corresponding data-driven model is the key to making a security system automated and intelligent. To understand and analyse the actual phenomena with data, various scientific methods, machine learning techniques, processes, and systems are used. Data is gathered from relevant cybersecurity sources, and the analytics complement the data-driven patterns for providing more effective security solutions. Cybersecurity data science allows for making the computing process more actionable and intelligent as compared to traditional ones in the domain of cybersecurity. Furthermore, a machine learning-based multi-layered framework enhances cybersecurity modelling, driving intelligent decision-making for protecting the systems from cyber-attacks.

Security automation evolved since it was practically impossible for security analysts to comb through, analyse and act on every alert. The overwhelming number of threats demanded an automated incident response to more rapidly identify and respond to a cyberattack or security breach. Security automation offered a systematic, machine-based approach that has further evolved into security automation and orchestration (enabling connectivity between security tools and workflows).

These strategies have given rise to SOAR systems (security orchestration, automation and response) that automate both responses and corrections.
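The triage-and-respond loop that the two answers above describe, as an added example that is not code from the interviewee or any SOAR product. The alert stream, the asset inventory, the scoring rule and the tool "connectors" are all constructed assumptions; the connectors only record what a real EDR, ticketing or paging integration would be asked to do. What it shows beyond the prose is the shape of a playbook: suppress duplicates so analysts see each case once, enrich each alert with asset context, and let severity combined with asset criticality pick the response rather than severity alone.

```python
"""Minimal SOAR-style playbook: deduplicate, enrich, decide, act.

Added example. Alerts, inventory, scoring thresholds and action names are
constructed assumptions, not a vendor's schema.
"""

# Constructed alert stream, in the dict form a SIEM or EDR export might take.
ALERTS = [
    {"id": "a1", "host": "fin-db-01", "rule": "credential_dumping", "severity": "high"},
    {"id": "a2", "host": "fin-db-01", "rule": "credential_dumping", "severity": "high"},  # repeat
    {"id": "a3", "host": "kiosk-07", "rule": "credential_dumping", "severity": "high"},
    {"id": "a4", "host": "hr-laptop-12", "rule": "suspicious_powershell", "severity": "medium"},
    {"id": "a5", "host": "hr-laptop-12", "rule": "new_scheduled_task", "severity": "low"},
]

# Constructed asset inventory standing in for a CMDB lookup. kiosk-07 is absent
# on purpose: an unknown asset is a finding in itself and must not be ignored.
ASSETS = {
    "fin-db-01": {"criticality": "crown_jewel", "owner": "finance"},
    "hr-laptop-12": {"criticality": "standard", "owner": "hr"},
}

SEVERITY = {"low": 1, "medium": 2, "high": 3}
CRITICALITY = {"crown_jewel": 3, "standard": 1}
UNKNOWN_ASSET_WEIGHT = 2      # treat unknown assets as medium criticality

CONTAIN_THRESHOLD = 6         # score at or above this: isolate, page, P1 ticket
TICKET_THRESHOLD = 2          # score at or above this: P3 ticket for the queue


class Connectors:
    """Stand-ins for EDR, ticketing and paging integrations; they only record calls."""

    def __init__(self):
        self.calls = []

    def isolate_host(self, host):
        self.calls.append(("isolate_host", host))

    def open_ticket(self, host, rule, priority):
        self.calls.append(("open_ticket", host, rule, priority))

    def page_oncall(self, message):
        self.calls.append(("page_oncall", message))


def enrich(alert):
    """Attach asset context and compute score = severity x criticality."""
    asset = ASSETS.get(alert["host"], {"criticality": "unknown", "owner": None})
    enriched = dict(alert, **asset)
    weight = CRITICALITY.get(asset["criticality"], UNKNOWN_ASSET_WEIGHT)
    enriched["score"] = SEVERITY[alert["severity"]] * weight
    return enriched


def run_playbook(alerts, conn):
    """Process alerts in order; return a map of alert id -> outcome."""
    seen = set()
    outcomes = {}
    for raw in alerts:
        key = (raw["host"], raw["rule"])
        if key in seen:                      # same host, same rule: one case, not two
            outcomes[raw["id"]] = "suppressed_duplicate"
            continue
        seen.add(key)
        alert = enrich(raw)
        if alert["score"] >= CONTAIN_THRESHOLD:
            conn.isolate_host(alert["host"])
            conn.page_oncall(f"{alert['rule']} on {alert['host']} ({alert['criticality']})")
            conn.open_ticket(alert["host"], alert["rule"], "P1")
            outcomes[alert["id"]] = "contained_and_paged"
        elif alert["score"] >= TICKET_THRESHOLD:
            conn.open_ticket(alert["host"], alert["rule"], "P3")
            outcomes[alert["id"]] = "ticketed"
        else:
            outcomes[alert["id"]] = "logged_only"
    return outcomes


if __name__ == "__main__":
    connectors = Connectors()
    print(run_playbook(ALERTS, connectors))
    for call in connectors.calls:
        print(call)
```

Automatic host isolation is the step most organisations gate behind a human approval for business-critical systems; the threshold constants are where that policy choice lives, and the connector log is what an analyst reviews afterwards.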

What according to you is the future of the CISO role?

The role of the CISO has evolved from “Basement to the Boardroom” as indicated by IDC – absolute fact.

Cybersecurity challenges have forced the expansion of the role of CISOs beyond their traditional responsibilities. A CISO must be a strategic thinker, a decision-maker, and an influencer. It is no longer acceptable for a CISO to rely only on their technical knowledge to respond to cyberattacks of the magnitude we see today, nor is cybersecurity the concern of only the information technology teams anymore.

A CISO is now more involved in the overall cyber risk management of the organisation, risk mitigation and decision-making process. The CISO is closely aligned with C-level executives and the board of directors to keep them informed about cybersecurity risks and initiatives to mitigate the threat. The board of directors has become increasingly cyber-aware and expects the CISO to present the organisation’s cybersecurity posture to them more frequently than ever.

The future CISO will need not only the technical skills but will be expected to have a strategic vision and a more holistic view of the cybersecurity practices of the digital transformation underway within an organisation. They must be cognizant of regulatory changes (e.g. GDPR) and their impact on the cyber practices being followed and the changes required.

One of the main roles of a CISO will be the establishment of a security framework, involving the identification of the right security hardware and software, explaining its requirement to the board and other C-level executives and implementing it. In addition, with different government and state regulations, it will be the responsibility of the CISO to ensure that all compliance requirements are met.