The biggest Do I encourage, first and foremost, is that CISOs need to get out of the spectrum of IT, says Samarendra Kumar, Head, Group Information Security, InterGlobe Enterprises. “Don’t think of yourself as an IT security organization and restrict yourselves to a support function. The legitimacy of security comes from its impartial, unbiased approach towards driving the entire organization,” says Kumar.
What does the new year 2016 hold for the security world?
Concentrating on building various platforms does not work today due to the flat use of processes and the flat use of platforms in IT infrastructure. We are moving towards a model wherein security investments will be made as per what is significant to the organization and how it can be protected. That will be the sole driver. We as an organization prioritize the security processes depending on the data type – secret or confidential, internal or public domain and so on.
Secondly, the model of overly restricting employees and partners around platforms will disappear. We will be moving more towards the application layer combined with end-user computing. That’s the way forward.
Where would you place jargon like APT, IDM and DLP, to name a few, in the hype cycle or reality?
I would say they are somewhere in the middle of the adoption curve. Neither are they completely useless nor are they ‘must-haves’ for an organization. You can stack up all these technologies like IPS, NGF, IDS. But at the end of the day, you have to protect some assets in your company. For example, an NGF can restrict employees from Facebook and Twitter. But you would not want to be bothered much about that aspect, as they are not posting official posts on social media.
You cannot build in the same state of security for the diamond you hold, the gold you hold and the plants in the garden. All are not equal in terms of asset value and the need for high-end security cover. The security solutions need to be prioritized as per the value of the asset to be protected. However, one can supplement and complement with adequate, restricted alert mechanisms. Again, too many alerts are as bad as no alerts. The way the story of Target is being sold is not that they did not have best-of-breed security. They could not restrict the alerts to meaningful alerts.
IGT (InterGlobe Technologies) deployed DLP across the organization last year, which was a challenging project as there were no reference points. This was one of the first full-fledged DLP projects in India’s aviation industry. The solution creates the use cases that help protect against data leakage but also does not create a problem for users and continues to give them good usage.
We built a simple tool, Ad Manager, on our DLP solution, which brought down the alerts at IGT to less than 50 alerts per day from an earlier number of 20,000. That humongous number did not make much sense. Also, we had a single policy leading to 100,000 alerts a day. However, the majority of them were false alerts.
Depending on the importance and data sensitivity of company assets, you need to prioritize, spend accordingly and build controls around them.
Are mobile devices, be it tablets, smartphones or wearables, compelling enterprises to adopt IAM or IDM?
I have realized that any identity strategy built only for employees does not work. It has to traverse the organization, including vendors, partners, customers and other external stakeholders. Converging all these identities into a single source and managing all of them is not an easy job. It is a gradual process, and that’s how an organization is able to build a strong IDM foundation.
One should not try to shoot for too much in the IDM space, but pick applications selectively around two parameters, which we have been doing for the entire group. I lead security for 7 group companies. The challenge was that putting 600 applications under IDM would not work. We selectively picked 5 applications (a total of 35) from each group company for IDM, out of 100 to 200 apps per company. The two relevant criteria for IDM are the criticality of the application from an information-sensitivity standpoint and, secondly, the sheer number of users.
If an application needs to be tied to the identity of 10 users, then it does not make sense for IDM, as simpler and faster solutions are available. But if the company has a sizeable population plus sensitive information that needs accountability, then IDM makes logical sense. That’s what mobility is all about, because if the application is secured through IDM, then any mobility strategy or mobile devices can be rolled out.
Any Dos and Don’ts for peer CISOs building a robust security posture at their organization?
The biggest Do I encourage, first and foremost, is that CISOs need to get out of the spectrum of IT. Don’t think of yourself as an IT security organization and restrict yourselves to a support function. The legitimacy of security comes from its impartial, unbiased approach towards driving the entire organization. It means looking at the true risk posture, reporting it back to the organization, and supplementing and building in security controls.
Say that you are an advisor to help protect the business. If IndiGo runs a ticketing system and I work in an advisory capacity where I advise the business and also advise the IT team on security controls, the synergistic approach will be beneficial to the company. You will have a 360-degree view of the whole thing rather than living in a cocoon, in the silo of an IT support function. You should exist as a function like all other functions, like legal and finance, as a separate entity of the organization.
Don’t try to do too much or too many things at one time. Look for what is critical for you and your company. Put up a list of your 10 most sensitive pieces of information and then put the needed security controls in place for those before spreading all over the place. If you do that, you should be in good shape.
How do you manage the overhype of technologies by different security OEMs?
By all definitions, during my interactions with OEMs, as long as you are straightforward and candid about what choices you make, I have not had challenges. When I picked the DLP of one security vendor, I made it very clear to the second-in-line vendor and explained to them the reasons why I picked the vendor, and they were fine with it.
It depends on the comprehensive comparison you do before making the final choice. OEMs will sell that theirs is the best. If you have the requisite knowledge of the subject and can communicate the same to the OEMs, then hype does not really impact you much.
A product is only a product at the end of the day. It is the capability of your IT team and the business plans that you can build on it that extract the best out of it. All the hype they do, we can counter with detailed knowledge, and they go back with a happy mind.
What fear factors will exist in 2016? Do you see a rise of insider threats?
I would go with the old convention that insider threats can cause a more fatal impact. If an organization is operating with a few information or IT people and their integrity is in question, that can create more havoc than some external threat. We see internal threats continuing big time. But supplemental to that, things like ransomware will rise. I see many companies already impacted, and we don’t see any reduction in that aspect in future.