Cyber security is hard, and there are multiple reasons for that. Today, the people defending an organization's infrastructure are defending against a thousand things, while attackers are getting more sophisticated with every passing day. With the recent spate of attacks and data breaches, cyber warfare is fast becoming a reality whether one likes it or not. The role of a CISO is therefore challenging. Muqbil Ahmar, Executive Editor, Grey Head Media, caught up with Sumit Dhar, India Head, Resilience and Global Resilience Partner at Barclays. Dhar has more than 17 years of experience in the cyber security industry. He has worked with EY and HP and has driven large projects. These days he focuses on providing leadership to organizations and helping them define their roadmap and vision for information security and risk management resilience.
“Cyber security is incredibly hard. This is what I like to call asymmetry. As a defender you have to defend thousands of operating systems, databases, application servers, network devices and so on. A big reason why cyber security is hard is that you are dealing with capable adversaries. It is not a small kid running a script at the other end. You are dealing with malicious cyber criminals, who have exceedingly good people on their rolls and tools that are truly capable. You need to have the right processes for access management, log management, etc. But as an attacker all you need is a single vulnerability. Cyber security is like a spectrum. People think you are either secure or not secure. But that’s not true. It is like a swimming pool. You may think that you are safe in the shallow end, but that is not necessarily so. You can even drown in the shallow end. It is your capabilities that define whether you are safe or not. That is true for cyber security as well,” says Sumit Dhar.
Challenges facing the cyber security industry
One of the challenges that cyber security professionals or chief information security officers (CISOs) continue to face is that they are saddled with restricted budgets and still do not play a significant role in the boardroom.
“The first challenge is that today cyber security, even after all that has happened like the Equifax case or the Yahoo breach or the LinkedIn breach, is still not a boardroom concern. The second challenge is in terms of people. Getting good cyber security professionals is a challenge. The other challenge is the absence of a general culture of awareness. People will double click on an attachment from an unknown source. The third challenge is resources and budgets. Cyber security is still seen as a cost. Therefore, getting the right budgets and the right people is still a challenge,” he adds.
How does one solve the problems facing cyber security professionals?
Looking at these challenges, one does get the feeling that they are making the life of a CISO difficult. Solutions to them need to be found so that the industry can get its rightful due.
“The first thing is that each senior member of the cyber security fraternity needs to sell the idea of information security to their respective boards. Unless you sell the idea, you will not be able to convince them, and you will not be able to get the right budgets or hire the right resources. They need to have the ability to influence, persuade, and convince the board that cyber security is important. Selling this idea is absolutely critical. After getting the board aligned and getting the right culture in place comes the question of technical capabilities. People may have a different opinion on this. There is no defined capability that says this is the right kind of CISO and this is not. But in my opinion, CISOs have to be technically capable. They need to know the domain inside out.”
“From there, the next thing flows automatically: ensuring a set of technical controls in an organization. If CISOs are not hands-on, or if they have not worked in the trenches, this can become exceedingly difficult. Those CISOs may operate at a slightly superficial level. They may not be able to drive the value that an organization requires. Technical controls and a CISO who is technically sound are requirements today. Having said that, industry folks will tell you that cyber security is a journey, not a destination. So it is ongoing. You have done this, then there will be three more things to do, and the journey continues. As long as you continue doing that, you continue to enhance your security posture. There is nothing like 100% security, but by doing these things you will become more secure as part of the journey,” adds Sumit Dhar.