by Yogesh Gupta

Decrypting Security Conundrum in 2016

Feature
Jan 28, 2016
Advanced Persistent Threats | Analytics | Application Security

Are Indian enterprises geared up to weather the ‘advanced attacks’ storm in 2016 to stay ‘safe and secure’?  

Some of the biggest breaches in 2015 included the VTech Learning Lodge hack, major health insurers (Anthem and Premera), Ashley Madison, the Office of Personnel Management, the IRS, and the Experian breach affecting T-Mobile, and the long list continues.

The global security market is growing at 9 to 10% CAGR, while the Indian market registered a 20% CAGR in the last two years, says Sivarama Krishnan, Partner & Leader Cyber Security, PwC India. “But from a risk perspective the increased number of threats is a huge worry for most CIOs. Perpetrators become more active and the numbers grow for economic reasons or in the form of state actors,” he says.

How will 2016 define the future of security? Customer expectations and concerns about security and privacy will do more to drive further investment and change than regulation, says Heidi Shey, Senior Analyst serving Security & Risk Professionals, Forrester.

How companies handle and protect sensitive data will be an important component of their brand and overall reputation. Data protection is now a corporate social responsibility, she adds.

In a Forrester report ‘Predictions 2016: Cybersecurity Swings to Prevention’, S&R pros (security and risk professionals) are predicted to increase spending on prevention by 5-10%. This is more of a signal that firms will return to a focus on the basics for cybersecurity, and consider prevention as important as detection and response, she adds.

“We prioritize the security processes depending on the data type – secret or confidential, internal or public domain and so on. Secondly, the model of overly restricting employees and partners around platforms will disappear,” says Samarendra Kumar, Head- Group Information Security, InterGlobe Enterprises (IGT). We are moving more towards the application layer combined with end user computing, he says.

Security works in line with the business, says Sujoy Brahmachari, Sr. General Manager – Information Systems & CISO, Hero MotoCorp, as the company runs business-driven IT and not IT-driven business. He reasons, “Decide what your organization needs in terms of business applications to build the security posture. You cannot merely decide to deploy a particular brand of firewall or IPS.”

PwC’s The Global State of Information Security (GSISS) 2016 survey, in association with CIO magazine, clearly shows an increase in insider threats in India. The ratio is 1.5 to 1, meaning 1.5 insider threats for every one external threat. “Insider threat is not restricted to only company employees but extends to supply chain, service providers, contractors, customers and their partners of the ecosystem. Hence there will be more investments on technologies like DLP or GRC based solution for ERP etcetera,” says Krishnan.

“At Concentrix, Privacy, Security and Continuity is of paramount importance considering the interconnected and data-driven world. IT security has become a crucial function for modern information systems,” says Rishi Rajpal, Director – IT Governance (Privacy, Security, Compliance and Continuity), Concentrix Corporation.

Traditionally, IT security was based on strong perimeter defenses like firewalls, IPS, content filtering etc., resulting in a hard fringe and a soft core. In a distributed, cloud, mobile and always-connected world, this paradigm has completely changed, leading to the opening up of the perimeter while still protecting the most valuable asset, ‘Data’, he says.

Over ‘the’ hype

There are new threats emerging, and there are new-age security solutions in the market, the likes of APT protection, NGFW, SIEM and DLP, to counter these breaches. Are some of them on the hype cycle for 2016? APTs are a real threat globally, says Heidi.

Next-gen firewalls are one technology of many that security professionals have to choose from, regardless of region; ultimately we have to remember that it’s not just about accumulating the latest and greatest tools and technologies, it’s about your higher-level security strategy and acquiring the appropriate tools to execute on that strategy. It’s how you use the tools, says Heidi.

Sujoy at Hero MotoCorp recalls, “When we started building our own IP like designing motorbikes etcetera a few years ago, there was an immediate need for a DLP solution. A CISO needs to have deep knowledge and the pros/cons of each solution.”

APT protection, DLP and next-gen firewalls will be considered hyped by organizations that are not keeping pace with the changing threat landscape and that work in isolation as an ‘IT Security’ department without alignment to the business, says Rajpal at Concentrix. “We have to be careful with network security, especially when customer data and regulatory compliance are at risk,” says Rajpal.

DLP is an important tool for security and privacy, agrees Shey at Forrester, adding that DLP is increasingly a feature embedded within other security tools. She cautions, however, “It is not, however, a silver bullet. To be effective, firms have to consider processes for DLP maturity and success.”

Kumar, leading security for seven group companies, faced the challenge of enrolling over 600 applications in IDM. Five applications from each company (35 in total) were selectively picked. “One should not try to shoot too much in IDM. The relevant criteria applied were criticality of the application and the mass number of users. If the application is secured through IDM then any mobility strategy or mobile devices can be rolled out,” says Kumar.

Dos & Don’ts

One big area CISOs need to worry about in future is envisioning a clear product roadmap, as per Krishnan at PwC. “Many security OEMs unfortunately are in flux, as many of the companies’ product road maps change frequently with M&As, exiting business lines etcetera. Any investment in security on a long-term basis has to be attached to the product strategy by end user organizations,” he says.

Heidi at Forrester suggests, “If you have not already, evaluate your security maturity and develop a roadmap for steps to take to reach the next level of maturity. Consider the types of security metrics that you are collecting and reporting to the business, and how these metrics connect to higher level business goals and initiatives.”

Siva points out, “Unlike an ERP with standalone functionality, security is completely driven by the company’s business requirements. For example, DLP throwing thousands of alerts might lead end users to say that the product is not good. The IT team needs to work on the security product, as humongous alignment is required between the product and the business needs.”

As attackers become increasingly sophisticated in engineering cyber-attacks, CISOs face a daunting year ahead, feels Rajpal at Concentrix. “As custodians of sensitive customer information and business value delivery, the CISOs should have a very good understanding of the latest technologies and the changing threat landscape, but also be able to communicate well within the business in their language and the associated risks,” he adds.

“I encourage CISOs to get out of the spectrum of IT. The legitimacy of security comes from its impartial, unbiased approach towards driving the entire organization. CISOs need to have a 360 degree view of the whole company rather than living in a cocoon in a silo of an IT support function,” says Kumar at IGT.

Shey at Forrester says, “Assess your firm’s security and privacy culture, and attitudes around sensitive data handling and use; identify how you can improve and foster a culture that respects data security and privacy.” 

Rajpal at Concentrix says CISOs should continue to educate and spread the ‘security is non-negotiable’ message, which is not difficult in today’s scenario considering the media attention on data breaches.

While compliance is necessary and important, do not base your security strategy solely on meeting compliance requirements, advises Shey at Forrester. You’ll miss out on protecting sensitive data that doesn’t fall under compliance, and risk reinforcing the notion that security is a cost center rather than a business enabler, she says.

In line with mobile, cloud, IoT, social and analytics, which bring new challenges and opportunities especially in the areas of IAM and regulatory requirements, Concentrix has invested in strategic tools in IAM and Security Information and Event Management (SIEM), says Rajpal. Privileged Identity Management helps with the monitoring and protection of privileged accounts and is one of the most important aspects of IAM, and of cyber security today, he says.

Heidi at Forrester believes that there are many approaches that organizations can take for mobile and cloud security. “At the root of it, focus and bring the controls back to the data (take a data-centric approach to security). Gain visibility, and control the access and the use. The data is what ultimately matters here,” she adds.

However, for the next couple of years, we do not see the instances of breaches reducing in countries like India, says Krishnan.

“CISOs in the past sold security with a negative connotation, as ‘if you don’t do this, this will happen’. It is now sold to the board as ‘the value of this information is x and hence I need the money to protect it’,” says Sivarama at PwC India.

Yogesh Gupta is executive editor at IDG Media. You can reach him at yogesh_gupta@idgindia.com or follow him at @yogsyogi1