CISOs Fight New Threats with ResilienceAdvanced Threats Grow; Security Leaders Explore Options
Advanced persistent threats, distributed denial of service attacks and the rising demands of the Internet of Things - these are among the cybersecurity challenges facing India's security leaders in 2015.
See Also: Data Protection: Common Mistakes
And how do they intend to fight back? With new tools, services and an emerging focus on resilience. This is the message from security executives responding to the findings of a new report on emerging cyber-threats.
Security vendor Fortinet is out with its new Security Survey Census 2014, and among the findings: The top concern for Indian security practitioners is fear of increasing cybersecurity threats.
The study, conducted by the independent market research company Lightspeed GMI, polled 1,610 IT decision makers in Australia, China, India, Japan and South Korea. And the findings reveal the need for CISOs to protect businesses from the unpredictable and increasingly problematic challenges of cyber-attack, data theft and other IT security concerns.
In response to the report, ISMG sought comment from several Indian security leaders, who offered their take on how organizations must address the new wave of cyber-threats.
Sunil Varkey, CISO at Wipro Technologies, agrees that enterprises need to attain a new level of cyber-resilience, but he argues that any such initiative will involve a significant change management process.
"Change management issue with regard to deploying stringent security measures would require support from the top management," Varkey says.
The Indian Security ChallengeThe report indicates that organizations already are challenged to develop new services, drive improved efficiencies and exploit the value of their data assets, and security concerns only add to the burden.
"With IT security on the boardroom agenda, this and other challenges are clearly adding to the problems faced by senior IT professionals and questioning the ability of some organizations to exploit innovation while remaining secure," says Rajesh Maurya, country manager, India & SAARC at Fortinet
Maurya says security practitioners must act now to address the impact of the growing threat environment and increased scrutiny on IT security, re-evaluating their goals to ensure they strike the right balance and achieve resilience in the face of cyber threats.
Achieving the Right Balance
From tightening compliance pressures to emerging technologies and the evolving threat landscape, the Indian security leader faces myriad pressures. And security has never been a bigger topic in the boardroom. Krishnan N, CIO & head of security at Muthoot Fincorp, a Rs 10,000 crore financial services company based in Thiruvananthapuram, believes that the new waves of external attacks and internal data thefts impact business in a big way.
"I think organizations have to deal with internal threats and find ways to identify the gaps in the system to tackle unknown malware attacks," Krishnan says.
In response to these pressures, the Fortinet study says, organizations are investigating emerging technologies such as big data analytics, and biometrics,. They also are exploring new consumption models for IT security services which could respond to the current and future demands.
The single most important initiative that enterprises need to take to confront rising threat volume/complexity, as indicated by 40 per cent of the respondents, is to develop new and more stringent security policies.
Maurya sees security practitioners doing away with conventional perimeter-level security tools and planning to enhance security investments to deploy next generation firewalls. "I see CISOs opting for high-speed firewalling solutions, high-end application level security tools for data privacy and big data security needs," Maurya says.
Advises Krishnan, "Take security as a priority over innovation, given the vulnerabilities and sophisticated attacks, and build cyber-resilience." He referred to PEW Research that indicates a major catastrophe in 2015 affecting Indian enterprises in the form of the biggest-ever cyber-attack, which is clearly a cause for concern.
Outsourcing IT Security
Many Indian security practitioners believe that outsourcing some or all IT security functions will help create a tougher stance against growing cyber threats. According to the report, a majority of security heads from India find government enterprises and institutional agencies are adopting this trend in response to APTs and DDoS attacks, which stretch security resources.
According to Fortinet, some security operations such as firewall, email, AV/antispam, IPS are being outsourced. Additionally, activities associated with intermediate web application firewall, authentication, and wireless security and advanced ATA sandboxing, DDoS mitigation solutions are being outsourced to managed service providers.
However, security leaders are also laying down strict service level agreements with service providers with regard to detailing security measurement techniques and pre-empting threats and mitigation plans on a real-time basis.
V. Senthil Kumar, Head of IT and Security at the Chennai-based BPO and IT company Shriram Value Services, outlines the need for the CISO and outsourced partner to be equally responsible in strategizing mitigating techniques.
"The in-house administrator should be responsible for monitoring the infrastructure and applications, while the outsourced partner will control the environment through regular audits," he says.
In line with the trend, Muthoot Fincorp has outsourced its entire network management to Sify Technologies to ensure secured connectivity across its 4,000 branches.
In Support of Resilience
Security takes priority over innovation: 53 percent of security practitioners say they have paused or abandoned at least one new application, service or other business initiative because of concerns that IT security could not manage the risk.
The types of services, applications and initiatives involved in these instances include internal mobile apps, external mobile apps and introduction of new corporate devices/BYOD.
Most respondents and security leaders agree that IT security should be flexible, intelligent and resilient enough to always say 'yes' to innovation, rather than 'no.'
"Such resilience only comes through commitment to a cohesive lifecycle approach that confronts all the many facets of today's cyber threats," says Fortinet's Maurya.