Sunday, July 9, 2017

[Opinion] Its High Time ….



The recent spate of cyber-attacks has served as an eye opener for many organizations and individuals. Organizations which were using unpatched software had no security teams, no incident response policy and procedures etc. clearly were the ones who had to bear the maximum brunt of such attacks. There were many who did not get affected as they took the right steps at the right time and gave due importance to security and security teams in their organization.

Lots of points mentioned below have been long debated in organizations. But it’s high time that they are taken seriously and religiously implemented.


CISO/CSO should be a part of Board Meetings

In most organizations, security is still considered an IT job. The CSO reports to either the CIO or admin head or some senior business person. The organizations mostly appoint a CSO just to ensure that regulatory compliances (in some countries) are taken care of. They are really not interested in considering security a business driver. In fact, a lot of business people consider security or security teams as a hindrance to their dreamy innovations and ideas which they want to roll out (without testing) in the blink of an eye.

It’s high time that the organizations realize that CSO should have appropriate representation in the board meetings and the CSO should report to the highest authority of the organization. The CEO should have the CSO/CISO on speed dial on his phone. The recent attacks and increasing number of data breaches are a testament to the fact that security is no longer an add-on or just a regulatory compliance to be taken care of. It is, in fact, the next enabler of business.

By making the CSO a part of board meetings, the organizations can show that they really care about security. It improves customer confidence and showcases the seriousness about security. However, it is really important that CSO is given a time slot in every meeting to apprise the board of the current risks the organization faces and funding required if any. Just making the CSO a mute spectator in every meeting is simply not going to help.


Security Representative in Customer Meetings

It is often seen in most organizations that business people keep themselves at the forefront when either meeting with a prospective customer or an active customer. They are always of the opinion that security people should work in the background and should show a glimpse of their faces only if the customer insists.

It’s high time that there is appropriate security representation when meeting a prospective customer or an active customer. Customers are more focused and interested in learning as to how can you keep their information secure than understanding what technology or language ( java/python / c etc.) is being used to make the product. By making a security representation when meeting a prospective customer, you can showcase how serious you are as an organization in keeping the customer’s data safe and secure.

It’s high time that organizations realize that the most important parameter of getting new business will not just be agility or cost optimizations but SECURITY.


Security is Business Enabler

Most of the business people you meet always crib as to how security patches, updates, tools etc. have made their systems slow. Their productivity gets hampered only because DLP, proxy, HIDS, firewalls etc. run in the background and they are not able to get the full potential from their systems and staff.

They are not able to give wings to their new ideas which got in their heads while brushing their teeth in the morning as the security teams reject their proposals because of security issues.

It's high time business owners realize that security is no longer a hindrance to their operations or ideas. Security is a business enabler and all the tools deployed and patch updates are done in order to ensure that bad elements are not able to wreak havoc on your systems by demanding a ransomware or do a data breach.

If you want new business, be rest assured, that you will get it only when security is in place. If you consider otherwise, I challenge you to get a contract where you mention securing customer data as “We will think about it” in the RFP.


Ensure and Evolve Security Everyday

Many organizations are of the opinion that a Policy that they made decades ago is going to save them from a data breach. Some think that we must buy the most expensive tools and countermeasures available in the market and we’ll be the most protected organization on this earth. Most organizations also have a deeply ingrained belief as to “Who will attack me?” as my organization is not doing any confidential work.

It’s high time that organizations, as well as individuals, realize and clearly understand this fact that everyone is a target. The hacker is not going to spare you just because you keep only songs or movies in your laptop and no confidential data. The ransomware is not going to spare blocking your organization’s system because you are only manufacturing chocolates or baby powder.

Information Security is not “Fit it, Forget it” or “I did that a year ago” kind of an activity. It’s something which you will have to practice religiously every day. Why? The answer is simple. Just like you brush every day because germs come up in your mouth every day, similarly, new attacks and threats emerge every minute and you need to constantly protect your organization from such threats. That means analyzing your threat profile, risk posture, controls and countermeasures every day.

Considering and making decisions on risk assessment done a year ago is similar to crossing a bridge (with valleys on both sides) with your eyes closed; hope you get the point! You are bound to get burnt if you are not making decisions on real-time data.

In conclusion, the only point to drive across is that it’s really high time that organizations and individuals start taking security seriously. Although businesses take huge time to set up and become successful yet it only takes a data breach to make them bite the dust and perish forever.

Don’t become history, practice security…….

No comments: