
Interview

Digital Security – a fine balance between Risk & Trust

Rajpreet Kaur, principal analyst at Gartner, unravels several subjective issues relating to security, awareness, risk and trust:

Manoj Agrawal: What kinds of questions are frequently posed to you by CISOs?
Rajpreet Kaur: All businesses are doing digital, and that is the reality. All questions and concerns by security and risk management leaders are around digital. So, any decision which they are taking, they have to think of it from a scalability point of view. They want to know what kind of tools, technologies, processes and staffing requirements they should have for the next 1-2 years. They also ask: ‘How should I design my leadership vision for security and risk management for my digital enterprise for the next 1-2 years?’ That is the foremost question.

Apart from risk heads and security heads, do you also talk to business heads and CEOs? Are the questions they ask similar or different?
Security always used to be an initiative for CISOs. And now what we have seen is that gradually the ownership has moved to CIOs in many enterprises. In traditional organizations, such as manufacturing organizations, I have been in meetings which the board has attended, and they have taken a keen interest to understand the business risks from a security standpoint related to their business drives. The first question they have is: ‘How can we be 100% foolproof?’ It is understandable that as business leaders they want to make sure that they are safe and there is no loss. They also have questions related to their own business risk. For example, if I am talking to a bank, they want to know what risks banks are facing globally. They want to know more about the vertical-specific risk information.

Is that meaningful? Are risks industry specific?
Definitely. According to reports, manufacturing faces the biggest risk of spear phishing attacks. The criminals target the email addresses of CEOs and boards of directors, because they think they will have some machine prototypes which can be stolen. So for each target vertical, there is a different approach, based on the type of data they are holding. For banking, it is more of personal information. For retail, it is credit card data. The biggest risk for manufacturing is that the hacker gets into the production system and stops production, which could lead to huge losses. For banks, they have to make sure that their transaction servers are always up so that the real-time transactions are never impacted. So, the risks and the required initiatives are different for each vertical. The threat landscape is also changing. More and more hackers are focusing on power grids, which was never the case before. Cars are being hacked because manufacturers are bringing in so much intelligence and they are exposing all this to the internet because there is a push to innovate and grow. We have to think of ways around controlling it without being a preventer.

Nowadays, security is a topic of discussion even at parties. When you are in such informal gatherings, are the conversations around security different from business meetings?
Traditionally, security has been a very sensitive issue in India and hence clients take some time to open up about it. But they are quite open in talking to an analyst. In informal gatherings, the discussions are more pointed. For example, someone would say: “You know what happened yesterday…we found that our system got infected despite us having all the security set-up. Can you please suggest what to do?” They are clear about the issues they are facing. They are open in highlighting breaches.

Apart from customers, what about aunts and neighbors and such people? Do they also talk to you about these kinds of things?
For a few of them…I am an IT specialist and they want me to fix their laptops. Many ask about a new mobile wallet and whether they should use it, and how secure it is. Housewives and parents are talking about such things. This shows how security has gone into each aspect of life.

Traditionally, there have been some differences between business and IT about strategies. Do you see similar differences between business and security?
A majority of them don’t. As a best practice to establish a strong leadership and effective vision for security risk management, one needs to establish governance. This is lacking in a majority of the enterprises. Who should be the owner of digital security? It is those who are the owners of information, i.e., the business heads. This however is not the case in the majority. What happens when the CISO is the owner of security is that he will block everything, because his role is to secure all information. So, when business takes ownership of digital security, it will decide what is acceptable risk for the business and what is not, and what is better for the business. Once they decide that risk, then a CISO can decide what kinds of controls are required and how effective those controls are.

One of the things about technology security is that it deals with a lot of tangibles. Whereas trust, which is required to run a business, is very intangible. It is difficult to measure. You don’t even know what it is made up of. Now, CISOs are expected to deliver trust. How do you see CISOs moving up from security to trust?
We always highlight that digital security is a fine balance between risk and trust. Initially, what kind of decisions were made by security leaders? Should I allow this to him? The answer was yes or no, i.e., binary decisions. Now what has come up with trust is that we recommend organizations create a digital ecosystem based on a variable trust model, based on reputation and context. For example, to allow a person to access a particular thing, first we have to know the current state of the person: what is his behaviour, what is the time, from where is he accessing, what is his reputation, what is his identity? Then we can have trust-based access and also determine what kind of access should be allowed.
For example, we use mobile wallets such as Paytm or PhonePe. This is a very good example of a variable trust-based session. When we download the app, we can make some basic transactions until the KYC is in place, with which we are adding identity and reputation. But till then, the business is ready to take some level of risk and allow some basic transactions. After KYC, some advanced features are allowed. This is a good example of a variable trust-based account model.
Then there is user and entity behaviour analytics, to understand the behaviour of a person. For example, if someone had an argument with a boss, what is he going to go back and do on his system? If it’s unusual behaviour, such as trying to steal some data or send some information, this is something to look at. So, behaviour is a very important aspect to establish trust and then make variable trust-based decisions. And this can be done by using technologies and having the right processes in place. Many organizations have HR inspecting the logs to understand human behaviour.
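The variable trust model described in this answer, worked through as an added example (not code from the interview, Gartner, or any wallet provider): a toy policy engine scores a session from identity, reputation, context and behaviour signals and maps the score to an access tier, so a pre-KYC session gets only basic payments while a verified, well-behaved one gets full features and an anomalous one is blocked. The signal names, weights and tier limits are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """Signals the interview lists for a trust decision (constructed fields)."""
    kyc_verified: bool        # identity established (KYC complete)
    device_reputation: float  # 0.0 flagged/unknown .. 1.0 known good (hypothetical feed)
    known_location: bool      # access from a location seen before for this user
    usual_hours: bool         # time of access within the user's usual window
    behaviour_anomaly: float  # 0.0 normal .. 1.0 highly unusual (UEBA-style score)


# (minimum score, tier name, max transaction amount, allowed operations); constructed values
TIERS = [
    (0.80, "full",    100_000, {"pay", "transfer", "add_card", "change_limits"}),
    (0.50, "basic",    10_000, {"pay", "transfer"}),
    (0.20, "limited",   1_000, {"pay"}),
    (0.00, "blocked",       0, set()),
]


def trust_score(s: Session) -> float:
    """Combine signals into a 0..1 score. Weights are illustrative, not calibrated."""
    score = 0.40 if s.kyc_verified else 0.0          # identity
    score += 0.20 * s.device_reputation              # reputation
    score += 0.15 if s.known_location else 0.0       # context: location
    score += 0.10 if s.usual_hours else 0.0          # context: time
    score += 0.15 * (1.0 - s.behaviour_anomaly)      # behaviour
    # Strongly anomalous behaviour caps the score below every usable tier,
    # so a verified identity alone cannot carry the session.
    if s.behaviour_anomaly >= 0.8:
        score = min(score, 0.19)
    return round(score, 2)


def decide(s: Session, operation: str, amount: int) -> tuple[str, bool]:
    """Return (tier, allowed) for a requested operation and amount."""
    score = trust_score(s)
    for minimum, name, limit, ops in TIERS:
        if score >= minimum:
            return name, operation in ops and amount <= limit
    return "blocked", False


if __name__ == "__main__":
    fresh = Session(False, 0.5, False, True, 0.0)   # app just installed, no KYC
    print(decide(fresh, "pay", 500), decide(fresh, "transfer", 500))
```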



Copyright © Glocal Infomart Pvt Ltd. All rights reserved. Usage of content from website is subject to Terms and Conditions.