As the cybersecurity market evolves, there will be an increased demand for experts who can combat cybersecurity risks on a strategic level. To understand why the demand for cybersecurity professionals has reached an all-time high, Nidhi Shail Kujur of Elets News Network (ENN) interacted with Ambarish Singh, Chief Information Security Officer, Godrej & Boyce.
How are the CISOs supporting businesses to deal with the constantly evolving cyber threat landscape?
It is a fact that businesses must constantly evolve and look for new opportunities to grow and expand. In doing so, technology is playing a key role in enabling and empowering businesses. With more adoption of technology, cybersecurity risks also grow. CISOs must think and work in multiple domains to ensure the business operates in a secure environment as business models change fast, and so does the threat landscape. Some of the critical areas are having strong leadership support and sponsorship for the cybersecurity initiatives, good security governance, a good understanding of the business and an appreciation of the potential cyber risks upfront. To keep pace with the fast-changing landscape, CISOs are making sure that businesses understand the cyber risks of operating businesses, the cost of mitigating controls and residual risks, if any. CISOs' topmost priority today is enhancing cyber awareness among all users, including leadership at all levels. This is helping and will continue to help CISOs in their cybersecurity journey to ensure smooth business operations.
When it comes to collective cyber defence, why is Cyber Innovation so critical in a digital-first economy?
With technology driving our lives, cybersecurity has become essential today. For business, it is the very foundation of every digital transformation journey. No matter how many security technologies we deploy, organisations are bound to face a cybersecurity incident, which could be of different natures and intensities. It is of utmost importance to have the right balance of cyber defence technologies, policies, processes, and skills to handle any security incident effectively to reduce impact. NIST has also put a lot of stress on having a balanced deployment of technologies and processes at each stage of the NIST cybersecurity framework such as Identifying, Protecting, Detecting, Responding and Recovering. Since the threat landscape is changing very fast, the attack surface is also moving along; to keep pace with security requirements, automation is the key. CISOs are working in many areas, such as SOC, where certain remediation activities are automated; Data Leakage Prevention (DLP), where RPAs are playing a good role in automating certain tasks; vulnerability management, where we have certain technology which can automatically remediate respective vulnerabilities; and many more. But a lot must be done to keep pace with the fast-moving threat landscape. Automation in security is primarily driven by fast changes in the threat landscape and skill gaps, and it is the way forward to handle new threats which are and will continue to emerge.
We have seen that security as a service is a very attractive proposition to customers. What is your take on this?
It is a good move. Every organisation may not be able to have everything they want to protect their digital assets, and hence they leverage a strong partner ecosystem. Demand for cybersecurity skills at all levels is at a record high. The demand for seasoned CISOs is on the rise and this requirement is going to grow in future. Security as a service for small to medium sized companies is helping on all fronts, starting from CISOs, development of cybersecurity strategy, roadmap, skills they need, technology selection, implementation, strong governance and continuous improvement. It is a cost-effective proposition and a good opportunity for cybersecurity professionals to fill this major gap of supply and demand of cyber skills. This provides availability of a common pool of good cybersecurity resources to many organisations to meet their cybersecurity requirements. Security as a Service (SaaS) looks very promising, as demand for this is going to grow with a lot of regulations about to come out in India, such as Privacy regulations, Digital law etc., which will mandate organisations to have reasonable cybersecurity and privacy practices, as a breach will offer a lot of penalties and reputational loss.
In the current landscape, how do you see security challenges that organisations are facing as they shift to a hybrid environment?
The adoption of new-age disruptive technologies and applications gives businesses a competitive advantage and establishes a very good reputation in the market. The cybersecurity risks associated with the digital transformation journey are also on the rise with more sophistication and complexity. The kind of digital adoption and migration we have seen in the last two years is unprecedented. This was mainly driven by the urgent need to do so to meet remote working requirements due to the pandemic, and new business models which need new-age disruptive technologies such as Cloud, Data Lake, RPA, VDI, Chatbot etc. The way of working has changed in the last two years and I think digital adoption has broken the mindset of a lot of organisations, mainly traditional ones. This adoption has brought a lot of cyber risks to the organisation for which many organisations did not prepare well. That is the reason we have seen a surge in breaches/ransomware attacks in the last two years. Many organisations are catching up to address their cyber risks and are at different stages of their cyber maturity.
What are the trends in the last six months regarding cyberattacks? How have they evolved?
Trend of Vulnerabilities getting exploited
Post-pandemic, many organisations are taking steps to address their cyber risks. However, the trend of breaches in my opinion is almost the same, whereas ransomware attacks are still on the rise and leading. Social engineering attacks (Phishing, Smishing, Vishing etc.), exploitation of vulnerabilities in an Internet-exposed application, exploitation of VPN credentials to infiltrate the network, OT breaches and IoT attacks are some of the very prominent ones. If you see recent reported popular frauds such as the Uber Breach, the CEO of Serum Institute fraud etc., it shows that social engineering attack remains one of the major attack vectors. Employees have become more prone to such attacks in the current hybrid environment as they are using their own home network setup, which is traditionally very much exploitable. Hackers are one step ahead in taking undue advantage of the current ecosystem, and one of the very recent examples is that they are exploiting users in the name of upgrading SIMs from 4G to 5G. This was launched about two weeks back in India and we are seeing many users losing their money due to recent frauds related to 5G upgradation.
According to the IBM 2022 report (all Indian businesses), data breaches have cost Indian businesses an average of Rs 17.6 crore in 2022, the highest amount ever; the report called cyberattacks the “biggest challenge” in the industry. Industrial companies, such as chemical processing, engineering and manufacturing, paid the highest for data breaches. The average cost of a breach was Rs 9,024 per record in 2022. That is an increase of about 25 per cent from 2021. Manufacturing is the second most targeted sector after BFSI.