Until a few years ago, “cybersecurity” was a word limited only to the IT teams of your organization. But the high-profile data breaches and hacking attempts in recent years have made this “offbeat” word one of the most searched ones across various search engines. Cybersecurity is no longer just a computer-related issue, but a real-life threat too. We have seen this from the very recent cyberattack on Florida’s water supply unit, which was aimed at poisoning nearly 15,000 people in the state.
To discuss the gravity of the issue at hand, we got onboard Pawan Chawla, CISO of Future Generali India Life Insurance Company Limited. Chawla has an overall experience of over 18 years in companies of diverse sizes and sectors including Banking, Financial Services and Insurance (BFSI), FMCG, Business Process Outsourcing, E-Commerce, and Business & Technology Consulting. His core technical expertise lies in the understanding of network, web, thick client, and mobile application vulnerabilities and the ability to perform static and dynamic security assessments. Additionally, he has sound knowledge of CVSS and Bash shell scripting to complement his understanding of regulatory and statutory compliance requirements such as ISO 27001:2013, NIST SP 800-53, PCI DSS v3.2, COBIT, HIPAA, SOX, IRDA’s Cyber Security Framework, and the GDPR Framework.
This exclusive interview was conducted by CISO MAG’s Technical Writer, Mihir Bagwe.
Edited excerpts follow:
You have been in the field of cybersecurity for over a decade now. Leaping into this field has many origins. What’s your story? How did you land where you are today?
I started working with computers in the mid-1990s. Back then as a student, I had access to x486 machines of many kinds, various types of PCs, and other devices. Also, in the late 1990s, InfoSec was a subset of IT. Post-identification, what used to be called a bug is now called a vulnerability. There was limited/no exploitation. In the early 2000s, I saw InfoSec evolving as a professional field in itself. In those days, there weren’t enough information security certifications, except a few in the network domain like CCNA, CCNP, and MCSE.
I have always emphasized hands-on experience over certification. I always told myself, “Be an expert ‘from’ and ‘away from’ the keyboard.” And that is how I began my journey. It was my quest that led me into this field.
To be in cybersecurity, an individual should have only one overwhelming passion, that is, ‘the passion to play with new technologies’.
The state of cybersecurity in the strange times that we are living in today is far different from what it was a few years ago. What’s your view on the role of cybersecurity today for SMBs alike?
Cybersecurity has evolved vastly over the past 20 years, and one of the biggest changes is its ubiquity. In earlier times, we only had to worry about a computer being infected with a virus, whereas now we live in a more connected world. Our homes, workplaces, and public spaces, and smart devices such as speakers, watches, and smartphones, are all digitally connected.
I remember the days when the discussion on cybersecurity was surrounded by the fact that we need to add more hurdles and additional layers of complexity into the technology.
It was argued that cybercriminals will have a harder time breaking into systems that were complex and had numerous barriers at the entry points.
However, things have changed drastically over the years. There’s a growing understanding of the relevance of behavioral science techniques, and a realization of how machine learning and data analytics can support cyber awareness, behavior, and culture programs. Cybersecurity is now being led this way.
Digitization was always on the cards for future growth. But many believe the digital flux that came in the year gone by was not accounted for. Do you think this has thrown an open challenge for cybersecurity teams? If yes, then what kind of challenges are they facing?
We have experienced that the COVID-19 pandemic has accelerated technological adoption. Yet, it has exposed cyber vulnerabilities, the unpreparedness of businesses, and correspondingly, exacerbated the tech inequalities within and between societies.
Looking at the year ahead, it is critical to continue elevating cybersecurity as a business issue and develop more partnerships between business leaders and regulators. Just like any other strategic challenge, cybersecurity cannot be addressed in silos.
Here is a list of three cybersecurity challenges that should be considered and tackled in 2021:
Digital Adoption – Digitalization increasingly impacts all aspects of our lives and industries. After seeing rapid adoption of machine learning (ML) and artificial intelligence (AI) tools, as well as an increasing dependency on software, hardware, and cloud infrastructure, this is one vertical that every business needs to take care of.
Dependency on Third Parties – We operate in an ecosystem that is likely more extensive and less certain than many may recognize. Organizations must consider the breadth of their exposure to third parties and must take steps to assess the real extent of their entire attack surface and resilience to threats. A cross-collaborative process involving teams across different business units is required to make sure there is an acceptable level of visibility and understanding of digital assets.
Lack of Cybersecurity Expertise – Cyberattacks like ransomware are growing fast, and the COVID-19 pandemic has further aggravated this threat. Preventative measures for ransomware or any other cyberattack should include preparations assuming that you are going to be hit eventually. Back up IT resources and data, and put in place measures to ensure continuity of operations. It is important to conduct regular drills and train the IT teams in realistic cyber response plans.
Speaking about cybersecurity teams, is the cybersecurity talent shortage a reality or myth?
The cybersecurity industry is facing a talent shortage, so yes, it is very real.
Companies are failing to find the right resources with the right talent and skillset.
The problem is that most candidates applying for cybersecurity positions do not have prior experience or an understanding of cybersecurity. Candidates think it is a buzzword that they should add to their profile, hence they hit and try to get through to a position in the organization.
A key contributor to such a shortage is the fact that candidates are underqualified. Even if qualified candidates exist, companies are struggling to find them and wasting resources clearing out applicants that cannot fulfill the duties of the role. Luckily, if you find a good trainable resource, it takes time for inexperienced workers to become truly “qualified” by gaining on-the-job experience in modern IT processes.
AI and ML technologies are considered “million-dollar” babies and being projected as the future of cybersecurity. But are they capable of filling the void of talent shortage? Or are they just means to enhance security measures?
The internet has become a part of our lives, growing every second with us each day. A new change takes place every day, making the current system obsolete. Adjusting to this change is not always easy. The risks associated with the internet are many and affect the security of individuals to a great extent. With the introduction of Artificial Intelligence and Machine Learning, processes are being automated. These technologies will make things convenient for internet users but at the same time also help hackers who use AI to organize multiple and synchronized cyberattacks.
AI and ML are data-driven approaches to making decisions with no explicit programming involved. They can help cybersecurity experts in analyzing high volumes of data sources and streamlining them in many ways.
Following are the advantages of AI and ML:
Building correlation of events – Since cyberattacks are nothing more than various events, correlation of events becomes information for identification, execution, and protection. AI and ML help in correlating various data sets by organizing them in a specific pattern, scanning for various possible threats, making a predictive analysis, and forecasting the next attack, with which we can take proactive steps to protect against the same.
Data cleaning – Using data cleansing techniques, continuous auditing of data protection techniques can be done to safeguard the users and other relevant parties, checking if the restrictions placed are working effectively.
Threat actors’ detection – With the help of AI and ML, various malware and infections can be easily detected by setting up a security platform that has a built-in mechanism for scanning huge amounts of data and data networks and recognizing any possible threats.
Back in the day, communicating the importance of cybersecurity to the C-Suite was a task. But cybersecurity is no longer a corner piece in the newspaper, it has moved to center stage and there is a growing awareness of the monster beneath. So, has this changed the mindset of the C-Suite? And have they finally begun prioritizing it?
Cyberattacks on businesses are never going to end. As long as technology continues to advance, the sophistication of cyberattacks will increase. While such attacks are becoming sharper and more malicious, there are still a significant number of businesses falling victim to the same old tricks.
It is important to understand cybersecurity is not a CIO, CISO, or IT department risk. Breaches, leaked documents, and cybersecurity attacks impact the entire organization and can cause irreversible damage to its reputation and competitive edge. Thus, thwarting a cyberattack or breach is a responsibility that must be shared amongst all employees, and not just C-suite and board members led by the CISO.
The C-suite and senior leadership are now actively involved in defining an organization’s risk strategy and risk tolerance levels.
This helps in developing a comprehensive and robust cybersecurity risk plan for the organization. The C-Suite along with the CISO ensures that they know how their divisions affect the company’s overall cyber risk. Also, regular discussion with the company’s board of directors regarding these risk decisions now ensures visibility to all company decision-makers.
The C-Suite and senior leaders are now actively constructing policies rolled out from the top down to ensure everyone is empowered to perform the tasks related to their role in reducing cybersecurity risk. A top-down policy defines roles and hence limits the power struggles that can hurt IT security.
Apart from the fact that it helps maintain customers’ trust, why do you think businesses need to prioritize cybersecurity in today’s times?
We all agree cybersecurity is the need of the hour today. Cybersecurity needs to match the business needs by adopting the changing needs of stakeholders along with the right mandate to introduce new products or services. Similarly, businesses need to understand and involve the security team right at the beginning, not at the end. Businesses need to reinvent themselves to ensure smooth and continuous delivery.
Cybersecurity is a continuous, proactive activity, not a task or a single point in a process. It is a holistic strategy including people, processes, and technologies that integrates security at every level, instead of downstream, which is often too late.
With the acceleration in technology development, it is important to adopt strategies that meet the increased throughput with the flexibility that will empower developers to focus on product delivery without compromising on organizational risks.
Just as it is important to promote security organization-wide, businesses need to understand the full impact of an agile approach. Business functions shall integrate themselves as vital partners with diverse teams and support them in multiple ways.
To ensure security, investment must be made in strategic automation across the software delivery life cycle (SDLC) to ensure the longevity of the security program in the organization.
You are now leading security operations for one of the top insurance companies in India. Can you give us an overview of what a cyber-risk policy or cyber-insurance covers? What is the primary reason to buy a cyber-risk policy?
A data breach not only damages computer systems in an organization, but it also damages the reputation of the organization.
As technology has become increasingly integrated into individuals’ lives, the risks of getting sensitive and personal data compromised, including Aadhaar numbers, bank, and credit card information, will continue to be on the rise.
The term ‘Cyber Insurance Policy’ is used to define a range of covers in very much the same way the word cyber is used to define a broad range of information security-related tools, processes, and services.
My advice for your readers would be to cover the following points while opting for a Cyber Insurance Policy:
Data breach/privacy crisis management cover – This includes the expenses related to the management of an incident, the forensic investigation, the remediation, customer notification, call management, legal costs, court attendance, and regulatory fines.
Multimedia/Media liability cover – It should cover third-party damages that include specific defacement of website and intellectual property rights infringement.
Extortion liability cover – This includes losses due to an extortion threat and professional fees related to dealing with the extortion.
Network security liability – Should include third-party damages as a result of denial of access costs related to data on third-party suppliers and costs related to the theft of data on third-party systems.
Lastly, what piece of advice would you give to the modern-day CISO or a person who aspires to be one in the coming years?
Two pieces of advice:
Always remember a security leader is a seeder of building security culture in an organization. It is important to build a robust security culture that requires constant nurturing and development. As a CISO, it is your responsibility to nourish the same in the organization.
A strong security culture not only interacts with the day-to-day procedures of the organization but also defines how security influences things that an organization provides to others. A sustainable security culture is persistent, not a once-a-year event, but embedded in everything we do.
A CISO needs to speak the language that the CIO, the CEO, and the Board speak or understand.
Following are the practices that I follow:
Avoid technical terminology – The C-suite does not want to know how things work; they want to be assured the system will always be up and running.
Present facts and numbers – Explain the problem through numbers and facts. Be a solution enabler, not a problem creator.
Business first – When preparing slides, talking with security employees, and analyzing field reports, always correlate that information with the core business of the company.
Talk business – When with management, I always refer to how actions will affect the company’s service. Explaining the impact in case of certain disapprovals is the most important part of the job.
Don’t scare – Data is important to share, but share it in a way that allows management to make informed decisions, such as where it is best to place their security investment to mitigate their greatest risk.
Get to the point – Get to the point right from the start. The management wants to know upfront why you’re there in the first place.
About the Interviewer
Mihir Bagwe is a Tech Writer and part of the editorial team at CISO MAG. He writes news features and technical blogs, and conducts interviews on the latest cybersecurity tech and trends.