Enterprise Security – You need to be loved to get yourself hacked.
How has information security changed for brick-and-mortar companies and the industry at large?
Information evolves from data. The three pillars of information security are Confidentiality, Integrity and Availability. With the spread of standards such as ISO 27001, HIPAA, GLBA and EUDP / the UK Data Protection Act, information is now generally being classified properly into “confidential”, “sensitive” and “public”. Because of this, people are more aware of the difference between private data and corporate data, and, based on the data classification policy and their depth of understanding, they try to protect the information accordingly. The unintended users, whom we often call hackers or attackers, or an insider instrumental to corporate espionage, are now well organized, financed, motivated and sophisticated in breaking into enterprise networks to collect corporate data. The only difference between earlier times and now is the speed at which information is shared or transmitted outside, often to targeted recipients; moreover, there is a growing “unknown-unknown” component, where the challenge of preventing it in a timely manner grows day by day. For example, with OTT services like WhatsApp, Viber, etc., the user does not know whether their data is being stored and how it is further used. Facebook and any other social media platform fall under the same category. To counter this challenge, people and enterprises are more cautious in their use of the internet, social media and especially net banking, credit cards and the sharing of personal data. Data Leakage Prevention programs, two-factor authentication, facial recognition and voice passwords are being deployed by enterprises to secure data so that it cannot be misused by hackers for ransomware or industrial espionage.
What are the key differentiators?
The onus to protect the physical security of an individual still lies with the government, but the same is not the case for the cyber security of an enterprise or individual, due to a lack of clarity in the applicable laws, geographical boundaries, etc. So when it comes to exposure of information on the Internet, enterprises have to initiate and deploy appropriate patches and harden their infrastructure and applications to avoid possible vulnerabilities. Deployment of IDS, IPS and AV is also the order of the day and a good old-school method of enhancing security. DLP, SIEM, NAC and the introduction of strong ISMS policies are the key differentiators of the current system, as against the past, in securing the IT security posture.
How has the security landscape been changing with technologies like ISMAC (Internet-of-Things, Social Media, Mobility, Analytics, Cloud)?
Wherever information is more exposed to the Internet, the threat of misuse is greater.
IoT is a combination of pre-programmed hardware such as sensors with matching web-based applications to do jobs like RFID, scanning, etc. For example, if your plant maintenance is managed through IoT and it is not secured, intruders may get hold of your entire plant maintenance schedule, details of the machines deployed, production data, etc.; this would then be a means of severe data leakage and ultimately lead to industrial espionage.
Social media is very alluring to anyone, from individuals to enterprises. One of its biggest drawbacks is that once something is published you cannot take it back, even if it is deleted, because by that time someone may already have taken a snapshot for further use. Enterprises nowadays deploy a social media policy to make employees aware of what can be shared and what cannot. Links and other URLs attached in social media are the most vulnerable point, and security is one of the biggest issues here. Any wrong post can have a severe impact on personal as well as corporate reputation. Moreover, there is still a question mark over how personal information is secured on particular platforms like Facebook, Twitter, Instagram, Vine, LinkedIn, etc. But it has obvious advantages, and people should use it judiciously.
Mobility is the combination of applications hosted on mobile devices for internal and external use. Until BYOD or BYOL is implemented, corporate information accessed from personal mobile devices or laptops remains vulnerable and prone to leakage. This is more so due to the deployment of more and more outsiders to support a corporation, where the corporate IT security policy is difficult to enforce. As regards corporate apps hosted on the Android, BB, iOS and Windows platforms, secure coding techniques, MDM and MAM are at present the only solutions to protect information from being deciphered for unintended use.
Analytics is built upon Big Data, but its effectiveness depends solely on the quality and authenticity of the data, so we should think of Smart Data rather than Big Data. Until that is ensured, any predictive analysis will go wrong. Moreover, because of the leakage of personal information and usage patterns on the internet, all this predictive analysis is done to guess customers’ future preferences. Analytics as a Service and also Hacking as a Service are growing phenomena, where predictive analysis and contextual analysis are key to detecting the pattern of attacks and killing them at inception.
Cloud is just a replacement of ownership of your IT landscape, starting from the OS, DB, apps, etc. It is more like shifting from your own house to a rented house, with a strong belief that the agreement is enforceable and that optimum security is ensured by the best practices deployed by the established vendors in the fray. It all depends on what type of cloud arrangement or platform we need to deploy, based on corporate priority, budget and whether the contract is enforceable or not. The present legal and tax implications of cloud technology are still unclear, though the OECD is trying to build something on it. The biggest challenge is the shift of mindset from the permanent establishment concept to a dynamic establishment concept in order to create a tax incidence zone.
How has the CISO’s role changed and evolved?
The role of the CISO has changed to cope with the speed at which things are happening in this space. As hackers have already started making a dent in corporate financial health and bringing down reputations, CISOs have been forced to make their way into the boardroom. Thus the CRO and the CISO are now one and the same person, who plays the role of watchdog for any IT security incident. It is established that there is no way a CISO can make it a zero-incident zone, but he can certainly optimize this to a great extent, subject to the availability of adequate support in terms of Capex and Opex budget. To a certain level this depends on the corporate perception of threats and the level of risk appetite. In reality, a talented workforce is a huge question mark, even if your enterprise is able to procure all the supporting technologies to defend against security breaches. But I strongly believe the critical success factor of any CISO depends on how much he can convince the organization to roll out this information security concept in three tiers, which I often call PPT: People, Process and Technology. All have to play their part in order to protect corporate security, where the end user’s role is the most vital and crucial.
The views expressed in this article or post are purely an individual opinion in the current context.