Our lives will always include some level of risk. Unless, of course, we never again engage in any activity. We all take risks as we traverse the vast expanse of the internet. A certain amount of risk must be embraced to take advantage of the opportunities the internet presents. And what better way to be ready than to explore the dangers, difficulties, and trends shaping the cybersecurity sector?
Sachin Kawalkar, Chief Information Security Officer – Global Head of Information Security and Quality, Neeyamo, who recently won the CISO of the year 2022 award at the third edition of CIO Conclave & Awards 2022, answers some real-world questions on the information security landscape, risk assessment, data security, and more.
How would you assess the current Information Security landscape globally?
Companies hurtle towards an ever-digitalized future with online transactions and Personally Identifiable Information (PII) traveling across the internet. Technologies are evolving, cyber threats are increasing, and regulatory compliance is mandatory. These complexities also morph into various areas with new risks and challenges. The question before businesses is: What is an effective way to navigate this mesh to create a safe and secure environment for their clients?
Over the last few years, every organization has had to transform at an accelerated speed, such as migrating to the cloud and introducing and deploying new tools and technologies. However, many organizations did not involve cybersecurity compliance during the decision-making process.
As a result, these organizations must address the risks and potential vulnerabilities introduced during their transformation efforts, while also ensuring security and privacy, regulatory compliance, and cybersecurity resilience for this fast-moving environment.
What key information security concerns should remote organizations keep in mind?
With COVID, many new risks arise, especially with the rise in remote working. A physical connection, i.e., an office network, is always better than remote working regarding security. Data privacy is another primary concern while working remotely if the desired controls are not in place.
Data privacy concerns in the age of remote work are inevitable. What steps can be taken to protect data organizationally and by an individual?
Privacy programs and associated controls must be implemented considering remote work risk. Organizations should develop a remote worker security policy to refresh and inform employees of what’s expected of them when working remotely. Regular awareness among employees will help control the breach of information.
Should every organization have a certified Quality Management System (QMS)/ Information Security Management System (ISMS)? Your thoughts.
Yes, it’s very much required to baseline the environment. The most important asset of an organization is information. To ensure the confidentiality, integrity, and availability of valuable and crucial information and operational processes in an organization, the implementation of an ISMS is necessary. With rapid changes and the advancement of information technology, cyberattacks have emerged as a significant risk to businesses. To make sure we are always compliant with contractual requirements, regulations, and laws, Quality and Information Security are an integral part of the business.
What is the importance of having a business continuity and disaster recovery plan?
If a BCMS – Business Continuity Management System – is implemented, organizations are more likely to adapt and solve critical challenges due to prior planning, risk assessment solutions, and well-established alternatives. It helps organizations mitigate damages and disruptions and helps continue business operations with adaptability and efficient solutions during business disruptions or disasters. The pandemic is the perfect example of BCMS testing, and those organizations with well-established controls will sail through the situation. Moreover, it’s a contractual commitment and an ability to demonstrate availability capabilities.
When it comes to risk assessment methodologies – should it be a one-size-fits-all approach or tailor-made for each organization?
Risk assessment can be tailored by different sectors and individual organizations to best suit their risks, situations, and needs. Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – however, the framework to achieve positive outcomes will vary. There are various types of risk assessments (qualitative, quantitative). While all risk assessments pursue similar goals and objectives, the ways in which they pursue those goals can look very different. The structure and framework of your risk assessment process can be tailored to the unique environment and situations that make up your company’s risk or threat landscape.
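The answer above contrasts qualitative and quantitative risk assessment and stresses that risk tolerance is organization-specific. The following is an added illustration, not code from the interview or from Neeyamo: a small risk register that scores the same constructed sample risks both ways (a likelihood × impact matrix and annualized loss expectancy, ALE = SLE × ARO) and then applies a per-organization tolerance profile to decide which risks need treatment. The risk entries, rating bands and tolerance thresholds are all constructed example values.

```python
"""Qualitative vs. quantitative risk scoring with a tailored tolerance profile.

Added example; the risks, bands and thresholds below are constructed samples.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: int  # qualitative scale: 1 (rare) .. 5 (almost certain)
    impact: int      # qualitative scale: 1 (negligible) .. 5 (severe)
    sle: float       # single loss expectancy, currency units (quantitative)
    aro: float       # annualized rate of occurrence (quantitative)


def qualitative_score(risk: Risk) -> int:
    """Classic likelihood x impact matrix score, range 1..25."""
    return risk.likelihood * risk.impact


def qualitative_rating(score: int, bands) -> str:
    """Map a matrix score onto labels using ascending (upper_bound, label) bands."""
    for upper, label in bands:
        if score <= upper:
            return label
    return bands[-1][1]


def annualized_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO: expected loss per year from this risk."""
    return risk.sle * risk.aro


def assess(risks, profile):
    """Score every risk both ways and flag those exceeding the profile's tolerance.

    profile = {"bands": [...], "ale_tolerance": float}; each organization
    supplies its own bands and tolerance rather than a one-size-fits-all table.
    """
    results = {}
    for r in risks:
        rating = qualitative_rating(qualitative_score(r), profile["bands"])
        ale = annualized_loss_expectancy(r)
        results[r.name] = {
            "qualitative": rating,
            "ale": ale,
            # treat if either view says the risk is unacceptable
            "treat": rating in ("high", "critical") or ale > profile["ale_tolerance"],
        }
    return results


# Constructed sample register (values are illustrative, not real figures).
SAMPLE_RISKS = [
    Risk("Phishing credential theft", likelihood=4, impact=3, sle=20000.0, aro=2.0),
    Risk("Lost laptop with unencrypted PII", likelihood=2, impact=5, sle=150000.0, aro=0.2),
    Risk("Office network outage", likelihood=3, impact=2, sle=5000.0, aro=1.0),
]

# Two constructed tolerance profiles: the same register, different appetites.
CONSERVATIVE_PROFILE = {
    "bands": [(4, "low"), (9, "medium"), (14, "high"), (25, "critical")],
    "ale_tolerance": 10000.0,
}
TOLERANT_PROFILE = {
    "bands": [(6, "low"), (12, "medium"), (19, "high"), (25, "critical")],
    "ale_tolerance": 50000.0,
}


def risks_to_treat(risks, profile):
    """Names of risks that the given profile says must be treated, highest ALE first."""
    scored = assess(risks, profile)
    return sorted(
        (name for name, v in scored.items() if v["treat"]),
        key=lambda n: scored[n]["ale"],
        reverse=True,
    )


if __name__ == "__main__":
    for label, profile in (("conservative", CONSERVATIVE_PROFILE), ("tolerant", TOLERANT_PROFILE)):
        print(label, "->", risks_to_treat(SAMPLE_RISKS, profile))
```

Running it shows the point of the answer in numbers: the conservative profile flags phishing and the lost-laptop risk for treatment, while the tolerant profile accepts all three, even though the underlying likelihood, impact and loss figures are identical.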
Information security isn’t just on the company. How important is it for individuals to be aware of their role and how vulnerable they might be to cyber threats?
Information security is not just IT but also each individual, who becomes an attack vector in many forms. If they are not aware of the ISMS, they may be careless, they may be uninformed, or their actions might be malicious. Regular training is important to educate employees to become more aware of the impact of their actions, e.g., phishing or cyberthreats. Information security isn’t just a technology problem; a host of personnel and procedural factors can create and amplify a firm’s vulnerability.
Are there any specific cyber threats that are on the rise?
Yes, cyber threats and risks are increasing and are a significant concern for many organizations unless they have implemented an excellent cybersecurity framework and compliant controls. Continued education and awareness for employees on cybersecurity are essential.
What are the key technologies that are being employed to combat the rising cyber threats?
At Neeyamo, we have zero tolerance for non-compliance and poor security hygiene across domains. We keep exploring and plugging in new tools and technologies and automation to reduce manual errors, review security architectures regularly, and block unauthorized software and rogue applications. Cybersecurity frameworks and Security Operations Centers provide a platform that can do everything required, such as protecting customers, threat and anomaly detection, and identifying the proverbial needle in the haystack.
What does the future hold for the Information security landscape?
Companies need to secure their networks, data, devices, and identities by adopting and adhering to global standards and zero-trust frameworks, which will help companies secure internal information systems and data in the cloud. Regularly review technology controls and measure compliance at a defined frequency, and provide training and employee awareness on information security, data privacy, and cybersecurity.