Balancing security and compliance in today’s threat landscape
While the motto of data security is “monitor it all,” privacy is about “don’t monitor it all.” Compliance regulation has become the force reshaping CISOs’ priorities and pushing organizations to balance their security efforts against compliance obligations. So, the question is: are data security and privacy conflicting goals, and what is the best way to achieve both?
Seclore’s sixth annual security summit, Security Now 2022, held at Taj Santacruz, Mumbai, aimed at helping cybersecurity leaders in the country prepare for regulatory compliance and driving accelerated digitalization in a constantly evolving threat landscape.
Flagging off the summit, Dr. Gulshan Rai, former National Cybersecurity Coordinator and former Director General of CERT-In, highlighted how the adoption of emerging technologies has expanded the attack surface, enabling threat actors to mount cyberattacks on India’s critical infrastructure.
Dr. Rai reflected on our state of cyber-preparedness amidst constantly evolving threats: “Cyberattacks during the Russia-Ukraine conflict and the recent AIIMS incident have forced us to think where we are.”
Developments in AI and the emergence of the metaverse will lead to a massive increase in the amount of data generated, giving rise to new challenges that CIOs and CISOs should prepare to address. The former CERT-In chief underlined that documentation will be crucial in enabling IT leaders to tackle emerging cyber threats.
Adding to the security challenges faced by India Inc., Seclore CEO Vishal Gupta pointed out that 60 percent of Indian firms today have unfilled cybersecurity positions. The skills gap increases the risk of data breaches, which in turn prevents many organizations from maximizing the benefits of their cloud investments.
“Adding workforce is, of course, a solution to the problem, but that could take 5-10 years. A more ‘here and now’ solution is automation,” Vishal Gupta said.
Given that identity and data are the most critical factors in enterprise security today, Seclore’s CEO explained how centralized data security and a centralized identity platform could make the job easier for CISOs.
In the wake of India’s newly introduced data protection bill and CERT-In’s incident reporting directives, regulatory compliance has become a core topic in cybersecurity conversations. Isaac E. Roybal, Chief Marketing Officer at Seclore, led the discussion on the impact of regulatory compliance.
The panel, composed of cybersecurity heads from the government, BFSI, pharma, and IT sectors, discussed one of the most talked-about topics – striking a balance between security and compliance.
The emphasis, panelists opined, should be on security – compliance will fall in place if organizations are diligent in taking the right security measures. “Prioritization can be variable, but security must be consistent – it’s the basic requirement to remain in business,” said Manoj Shrivastava, CISO at Future Generali India Insurance Company.
In the following session, Syed Hasan Mahmood, a scientist at the National Informatics Centre (NIC), spoke about one of the biggest challenges in the enterprise today: cybersecurity being unable to keep up with the pace at which IT is growing. In addition, the emergence of the “borderless” enterprise, where the barrier to entry for an attacker is practically non-existent, has also contributed to the increased risk.
“In addition to perimeter and endpoint security, defense-in-depth and user participation are just as important in securing businesses,” Mahmood said.
To give a practical perspective on the present-day cybersecurity challenges, Seema Gaur, Sr. Executive Director-IT at IFFCO Tokio General Insurance, shared a true story of how fraudsters targeted customers via WhatsApp phishing campaigns by impersonating company employees.
She spoke about how business-critical data and PII belonging to policyholders are at risk of being leaked by third parties such as brokers and call centers. “Data exfiltration by departing employees is another source of cyber risk,” Seema Gaur said.
Conversations on data protection and control often lead to the question: Is there a tradeoff with compliance regulation? A panel discussion with CISOs from the pharma, BFSI, and IT/ITeS spaces highlighted how organizations can address and allay privacy concerns through segregation and data anonymization.
Panelists agreed that convincing end users of the necessity of cybersecurity measures is the first step to ensuring trust and earning a buy-in.
While technology is a key factor contributing to cyber resilience, the ability to make complex enterprise decisions fast enough to keep up with the pace at which security threats emerge is just as important.
A fireside chat with Capt. Ritesh Wahi of the Indian Navy and Sivakumar Sathyamurthy, Director-Cybersecurity Operations & Resilience at the EDGE Group, discussed how organizations can achieve strategic speed.
Delegates recounted their experience of how C-suite leaders in organizations used to look at security purely in terms of ROI, and how the rise of ransomware attacks has changed security spending as we know it. Speed is no longer defined only by “time-to-value” – it also includes “value over time,” and the latter is what drives prioritization.
Wrapping up the thoroughly engaging day-long summit, Abhishek Bansal, CISO of Max Life Insurance, in his closing keynote, spoke about how cybersecurity heads have emerged as superheroes in the current scenario.
Although data security can be complex in today’s environment, Bansal said that introducing data traceability, an access control matrix and sandboxing, together with the use of detective controls, can go a long way toward achieving an organization’s data protection objectives.