Securing Digital India from Fraud
Experts: You Need Boards Buy-in to Create Cybersecurity Eco-System
To truly secure Prime Minister Modi's Digital India project and "Make in India" initiative, enterprises must maximize connectivity, but minimize cybersecurity risks, given growing cyber-threats and fraud.
How do they meet this challenge? By changing their entire approach, say security leaders who met recently and discussed these initiatives.
Enterprises must step out of their compliance-driven security mindsets, these leaders say, and start to practice self-regulated security within their organizations. They also must sensitise their boards and senior leaders to get involved in sponsoring and nurturing a cyber-security eco-system.
"It is imperative to involve the board members of all enterprises across sectors in the cyber risk discussion before evaluating various cyber risk models from other nations," says Dr. Paul Twomey, former CEO & president of ICANN.
Says Delhi-based Dr. Kamlesh Bajaj, founder and former CEO at Data Security Council of India, "Cyber experts need to first understand the Digital India program and evaluate various parameters of what is driving the need for cybersecurity and what the basic ingredients of developing a cybersecurity model should be."
This discussion arose among security leaders during the recent Cyber 360 event in Bangalore.
Experts agree that enterprises across sectors are increasingly leveraging the Internet and transforming themselves digitally. However, as these organizations become tech-savvy and enable users to stay connected, they often are not concerned enough about securing their critical data against cyber-threats.
Far too many Indian enterprises are oblivious to challenges emerging from insider threats, cyber espionage and data breaches, which have grown exponentially throughout the world.
"While CEOs across sectors have taken to going digital in a big way, they are not in a position to apprehend new forms of threats and attacks and new vulnerabilities they are exposed to, nor understand the consequences of these," says ICANN's Twomey.
Bajaj remarks that enterprises continue to live in a compliance-based mindset, while the technology and threat landscape are evolving rapidly. "One needs to ask if security practitioners across enterprises are creating security for competitive advantage and going beyond base level security," he says.
The challenge, Bajaj says, is how and when are organizations going to drive a self-regulated environment to create a cybersecurity eco-system?
There's another challenge, says Nandkumar Saravade, chief executive officer of DSCI: "Enterprises and citizens at large are not adhering to privacy laws and also have less understanding of the frauds in social engineering and can't assess the ill-effects of these on data security."
Experts argue that enterprises are unable to measure or map risks and take appropriate remedial action and protect information assets of the digital platform.
Architecting Digital Security
India's cybersecurity experts have developed an agenda to work with industry, enabling support to sectors including BFSI, healthcare, manufacturing, energy, e-commerce, among others, to develop a resilient cybersecurity model.
Twomey says a strong cultural change has to be brought into the enterprise system and compel board members to take cognizance of security and data protection issues.
"Security practitioners must enable the board and senior management to take notice of the adversaries that get released on the enterprise security and other infrastructure and other risk management issues," he says.
Bajaj identifies four drivers of cybersecurity to enable enterprises to build a good cyber response model. They include:
- Understand that the threat landscape is changing and expanding;
- Regulatory and compliance frameworks need to evolve;
- Understand market forces that are driving the change;
- Develop an enterprise security eco-system with the involvement of key groups.
"It is critical for the government to create more laws and regulatory frameworks which will drive complex environments to respond to cybersecurity needs," he says.
Information sharing becomes an important step to aid practitioners in understanding that security needs to be looked at for competitive reasons.
"Practitioners need to develop the enterprise eco-system after having put the base level security as part of the globalization process and bring key security frameworks to protect information assets, which are central to business," Bajaj says.
He says there is a need to channelize compliance versus risk and a self-regulatory environment must be built within enterprises which can help in handling cyber-threats in the Digital India program.
According to Saravade, the key areas of security to focus on include: technology governance and management; next-gen solutions for monitoring, analysis and increased capabilities in incident response; along with forensics.
"Identity and access management is gaining prominence in tackling social engineering and financial frauds emerging through digital transformation," says Saravade.
Digital security is also skill dependent, and there is a need to fill skill gaps and build the capacity of security professionals, admits Saravade.
Plan of Action
DSCI will shortly roll out programs to train engineers in analytics, network and digital forensics, IAM, incident response, GRC and penetration testing, among others, to help secure digital India.
Some of the key initiatives planned by the Nasscom and DSCI task force aim to encourage development of cyber security products as part of the 10K start-up program.
The products will be rolled out shortly as DSCI initiates the establishment of a cyber security product forum, a DSCI innovation box and excellence awards for security products, which will help in securing digital India.
The agenda is to build capabilities to design, develop and rollout a massive re-skilling program to train and re-skill 4-5 million people.
To support the development of India as a centre for digital innovation, experts say Nasscom and DSCI are seeking new regulations to help create a domestic market, protect intellectual property, strengthen cyber security laws and ease the creation of public-private partnerships in education.
"The council plans to build capacity, building law enforcement through its Cyber Lab Program, and also create awareness about privacy laws among practitioners and citizens to create a cybersecurity eco-system for digital security," Saravade says.