The last couple of years drove organizations worldwide to undertake digital transformation quickly. A 2021 benchmark survey found that even in the high-risk COVID era, 65% of global tech companies manage risks reactively.
That increases their risk exposure and leaves them vulnerable to costly data breaches at scale. This change has underscored both the value of data and the need for data privacy.
GRC governance means making sure that day-to-day organizational activities and critical capabilities are aligned with the overall business goals of the organization.
While data has long been the currency of our digital, interconnected world, businesses face mounting pressure to protect this asset. In times of an upsurge in digital transformation (DT), organizations must be equipped with advanced techniques and solutions to maximize data protection and be cyber resilient.
Dinesh Kumar Shrimali, Global Head of Governance, Risk and Compliance at UPL, in this interaction with dynamicCISO.com shares his views on the importance of data privacy, the use of data classification tools, why a layered approach to security is essential and the best practices that enterprises can adopt towards a Zero Trust framework.
According to him, good cybersecurity relies on education and awareness; regular training of staff is key and should include temporary and contract staff. Excerpts:
DynamicCISO: A solid data privacy policy helps a company avoid investigations by government regulators and possible lawsuits relating to data security. What kind of data privacy and compliance policies are needed in the current times?
Dinesh Shrimali (DS): The importance of data privacy has increased as the amount of personal data created and stored continues to grow at unprecedented rates. There needs to be a Data Classification Policy as well as a Data Privacy Framework that lays down guidelines for a company, and these should be strictly adhered to.
The objective is to ensure that the basics are set right in identifying and categorizing data. The right set of processes and technology should be rolled out to safeguard privacy-related information from disclosure, compromise or loss.
As privacy laws and regulations may differ from country to country, and even at the city council or county level in Western countries, the best approach is to have a Data Privacy Framework which is then adopted along with the local requirements of the regulations at the country level and owned locally.
DynamicCISO: What kind of automated data classification tools have you implemented to enhance your data security and privacy initiatives? Could you share some instances?
Dinesh Shrimali (DS): We have implemented a Data Classification tool, DLP, IRM, CASB and encryption tools on the basis of the risks identified.
First we identified risk factors at various levels and the controls we can adopt that are required at each level.
Security measures for sensitive data: A lack of stronger security measures for sensitive and confidential data means we are at a loss on the data front. To maintain the confidentiality and integrity of data, we relied on effective labelling, which helped ensure that we tag the appropriate data.
The next step is taking control over accidental exposure of sensitive data outside authorized channels. To ensure that end users do not send sensitive or critical information outside the corporate network, we implemented a DLP (Data Leakage Prevention) tool.
For our cloud-based resources we had to enforce enterprise security policy. This is to discover cloud applications, analyze risk and enforce appropriate controls for SaaS and custom applications. A Cloud Access Security Broker (CASB) has been implemented to address the risks of cloud services that are beyond our perimeter.
Lastly, to protect sensitive information from internal and external unauthorized access and to secure collaboration capabilities for business-critical data sharing with third parties, Information Rights Management (IRM) has been implemented, which involves managing, controlling and securing content from unwanted access.
DynamicCISO: With ransomware, phishing and zero-hour attacks increasing, what kind of countermeasures have you initiated?
Dinesh Shrimali (DS): Security has to be rolled out in layers; for each layer there is a need to define the controls to be rolled out or the outcome needed, and then propose solutioning with the help of processes and tools to achieve them.
There needs to be a detailed study of the top ransomware attacks and the medium of the attacks along with the vulnerabilities. This will help to identify the countermeasures to be rolled out in the form of processes like patch management, vulnerability management, stricter security settings and tool rollouts like:
- Advanced Email APT and SPAM filtering,
- Advanced Phishing controls,
- XDR tool,
- WAF and IPS signatures on all perimeter devices.
As a security professional, I will stress the importance of having the basics set right, i.e., all applications and OS should be updated. Updating the OS to the latest version and rolling out the latest patches will not only fix potential vulnerabilities but will also ensure the latest security definitions and patches are in place.
DynamicCISO: How important is it to have good Data Governance that meets business objectives and helps achieve a higher degree of cyber resiliency?
Dinesh Shrimali (DS): Meeting business objectives and achieving cyber resiliency are interconnected. Based on the business objectives, one will need to define cyber resiliency. Other aspects, such as external risks and the current scenario of attacks, are factors to be considered in planning for cyber resiliency, as all decisions will have an impact on the business.
It’s the CISO’s role to propose cyber resiliency and present to the board how cyber resiliency will help achieve business objectives or play a supporting role. Local as well as global laws and regulations can also be referred to when seeking support for cyber resiliency.
Protecting data in accordance with its value or sensitivity is a critical part of data governance. For effective governance, the data discovery process requires an end-to-end software solution that is able to connect to any type of data source and can identify data assets – wherever they may reside.
If an unsecured data asset experiences a security or privacy breach without proactive data governance, organisations will be exposed to significant risk. We need to be vigilant and remain cautious at all times.
DynamicCISO: Businesses have accelerated digital transformation and cloud adoption. This in turn has also expanded the attack surface. Under such circumstances data protection remains vital to any organization. What best practices do you recommend?
Dinesh Shrimali (DS): Digital transformation is changing the way business gets done and, in some cases, creating entirely new business avenues. With DT, companies are taking a step back and revisiting everything they do, from internal systems to customer interactions both online and in person. Security has to be embedded along with digital transformation.
Right from the ideation stage to the design stage and onwards, information security teams should work along with the digital team to act as a business enabler. Data protection and privacy need to apply at all stages.
Even after the rollout of a particular digital application, continuous monitoring and review should be planned and carried out. Data flow analysis needs to be done to review and define the classification of data in terms of confidentiality and criticality.
The aim is to keep the organization updated with the latest relevant tools and technologies as a priority to mitigate the risks. A regular review of the tools will help in reducing the attacks.
DynamicCISO: The Zero Trust approach to security, which involves keeping sensitive data safe while staying compliant with new privacy regulations, has been gaining traction. What are some of the best practices for having a Zero Trust model in place?
Dinesh Shrimali (DS): As a result of the pandemic, decentralized work has reinforced the need for strategic, operational, and business continuity management.
The “Zero Trust” model of security takes the approach that no users or devices are to be trusted. Encrypted data can be and should be accessed only by legitimate users and systems.
Zero Trust is basically a security framework which requires all users, whether inside or outside the organization’s network, to be authenticated. Controlling the overhead cost of any kind of perimeter security is a challenge, with many layers to orchestrate across multiple systems. As data is still vulnerable and protective parameters are a must in any Zero Trust approach, we have to proactively maintain this with the required solutions and trusted security specialists.