Human factors in cybersecurity are of utmost importance. Risky cybersecurity behaviours, attitudes towards cybersecurity in a business environment, and inattention to these elements result in serious lapses.
Mathan Babu Kasilingam, CISO, National Payments Corporation of India (NPCI), in conversation with Shipra Malhotra of dynamicCISO, lists his top priorities and challenges as he completes a month as the CISO of NPCI.
Among many other things, Mathan spoke about the criticality of analysing human behaviour and pointed to the importance of investing in that analysis. Below are the excerpts:
Shipra Malhotra (SM): What are your top priorities as a CISO?
Mathan Babu Kasilingam (MBK): Although information security is an always-moving goalpost, as a CISO one of my biggest priorities is to ensure maintaining pace with the threat landscape. This is especially critical considering the fast pace at which the threats are evolving today. Secondly, it's important for a CISO to be able to evolve with technology to the extent that he/she develops the ability to predict threats. My other key priorities are being able to provide assurance to the businesses and enhancing the overall security awareness with both internal and external customers.
SM: What information security trends do you foresee for 2018?
MBK: I foresee a lot of investments happening around studying users’ activities (behavior) and building analytics around the same, as threats these days do not attempt to penetrate the robust security infrastructure that organizations deploy. They rather attempt to penetrate single-user systems and can sprawl laterally to reach critical assets.
It is also important to segregate assets appropriately and follow the basics of providing access to information only on a need-to-know basis.
SM: What are the top three challenges you foresee for a CISO in 2018?
MBK: In the business world that is dynamically changing, the challenges also keep shifting. The challenges that were three years ago are not valid for today. In today’s digitally-focused businesses, the challenges are distinct and unique and to secure that, certain areas need to be addressed properly.
Foremost, skill availability is the biggest concern. There is a significant gap between demand and supply of the right skillsets, with demand far exceeding supply. So, how do you acquire the required talent in a fiercely competitive landscape?
Another concern area that a CISO needs to fight is the lack of openness and willingness of organizations to share and spread information around the security breaches affecting them. Usually organizations are reluctant to share such information fearing market reaction. However, a culture of openness will help ensure that the same breach affecting one organization does not impact many other unaffected organizations.
The third challenge for any CISO would be building awareness around information security among the user community, which is an ongoing and never-ending exercise. Therefore, CISOs need to keep their strategies constantly aligned to tackling this key challenge.
SM: According to you, what would be the biggest information security threats that CISOs need to be prepared to tackle in the near as well as long-term future?
MBK: I would consider insider threats (a compromised insider or a disgruntled power user) as the biggest threat for a CISO both in the short and long term. This is because of a fundamental shift in the nature of cyber security threats from targeting IT assets to targeting users.
SM: What are your views around information security becoming a board issue and a key discussion pointer on the board’s agenda?
MBK: Infosec needs to be a board issue as breaches today have significant coverage to bring down the entire company’s brand value. The board needs to be frequently apprised of the changing threat landscape as investments needed in information security are most often immediate due to the ever-changing threat landscape and the board’s buy-in can accelerate investment like it is made most often in businesses.
SM: What is your one key suggestion to your CISO peers?
MBK: There are a lot of information security technologies that are being deployed (in point manner) to stay at pace with the threats. It also warrants that at regular intervals we take a break to reassess the current deployments and consolidate where we can, as solution providers would have evolved to bridge the niche gap and integrate effectively.