Akhilesh Tuteja, Global Cyber Security Practice Co-leader, KPMG, in a freewheeling chat with Rahul Neel Mani, Editor, dynamicCISO, and Shipra Malhotra, Executive Editor, dynamicCISO, gives insight into how cybersecurity is becoming an end-to-end digital problem that requires CISOs to change their whole approach and game plan. Read on to know what Tuteja feels Indian enterprises and CISOs are doing wrong and his advice for course correction.
dynamicCISO: How has the cybercrime scene really changed over the years?
Akhilesh Tuteja: One of the big changes happening is that earlier a lot of cybercrime was not motivated by an organized criminal group, which has changed now. We are seeing a large number of organized criminals working both in the enterprise as well as the personal space as far as computer crimes are concerned. Also, in the past we were talking about fragmented systems. But, today with full digital end-to-end systems being completely automated, cybercriminals have a far greater ability to make money by breaking into an organization.
DCISO: Given the growing sophistication of both the threat actors and threat methods used for attacks, how do you see the evolution of cybersecurity practices among corporates?
AT: From being just a perimeter security problem to being an endpoint security problem to then being a data problem, cybersecurity has evolved to become an end-to-end digital problem today. Considering the sophistication of the kind of attacks and the depth of attacks, one has got to protect organizations end-to-end. As a result, the one big change we are seeing is around how to manage identities because, with the growing advent of not just the users but also technologies like IoT, one won’t know what can go wrong unless one can protect and prevent what goes where in the organization. So, a big change is happening in terms of having very strong mechanisms and technical safeguards on managing, authenticating and monitoring the identities.
The second big trend we are seeing is that the ‘one size fits all’ approach to security, which essentially means applying all safeguards to all data systems, no longer works. With storage and throughputs becoming much cheaper, organizations have created enormous amounts of data in both central storage and end points, and following this traditional approach can be quite bad because you can’t protect all kinds of data assets with the same degree of protection. Also, you don’t have to, because sometimes the cost of protecting the data can far exceed the value of the data itself. So, the big evolution underway right now is a data-centric security approach in terms of identifying what is the best and most valuable data and how to provide a higher degree of assurance and control over it versus trying to do ‘one size fits all’.
DCISO: Do you think that the digital end-to-end ecosystem and the resultant threats of the future require CISOs and security leaders to change their whole approach towards cybersecurity?
AT: Most organizations look at cybersecurity as a loss prevention problem, which is a very classical approach to cybersecurity that underlines the principle of ‘do this or else lose money/face a big risk’. My personal advice is that the time has come when cybersecurity is no longer just for loss prevention or cost minimization or risk reduction. Actually, if you do it well, cybersecurity can be a big driver for organizations to make more money and profits. I’m not suggesting it as a competitive advantage, but create a cyber capability which is so strong in your organization that you can go faster. CEOs and CXOs in your organization can actually drive a lot more passion and growth in their digital initiatives because they don’t have to worry about whether the cyberattacks will happen or not. So, the overall approach to cybersecurity should be more about driving profits and not just risk minimization.
Also, organizations generally do a good job of preventing things from going wrong through technological controls. But, in the future the risk is going to be less from technology vulnerabilities and more about people, which will cause the most damage. So, it’s important for organizations and their CISOs to really address this key aspect of how to prevent things going wrong because of human ingenuity or stupidity. They need to actively engage and focus on not just educating people but also advocating for people to have the right cyber behavior.
DCISO: In your opinion, where do organizations tend to go wrong and what is the course correction?
AT: Organizations mostly end up having a disproportionate amount of focus on preventive controls rather than detective controls. Research shows that most people try to put in a lot of money and effort into stopping bad things from happening, but don’t spend as much time, money and resources on when things go wrong. I’m not suggesting that we reduce the spend on preventive controls, but we need to have a good balance between preventive controls and corrective, reactive and detective controls because, as much as we like to prevent, things will go wrong. So, you have to be prepared.