Takeaways From Mumbai Breach, Fraud SummitNeed for Collaboration & Information Sharing, Key Messages at ISMG Event
ISMG's Data Breach & Fraud Prevention Summit in Asia, came to a successful close on 8th June with the primary focus being to promote themes around collaboration, information sharing, and resilience. Judging from some of the feedback that I had a chance to glean from the attendees through the course of the day, these themes shone through to a decent degree.
There where close to 150 security practitioners and professionals in attendance at the premier security conference; the third such that ISMG has conducted in the past year in the region (see: Data Breach, Fraud Summit Asia: First Impressions).
We need to promote originality in security thinking, if we are to break away from the inertia and jaded discourse that afflicts the growth of capacity and skills in the country
The experience has been encouraging each time, and traction is getting stronger, driven by the focus on content that ISMG summits take. This is in lieu of the awards, theatrics and other distractions that many other security events in the region have used over the past several years to attempt to draw the attention of the security practitioner.
While these work in the short run, the long-term expectation for practitioners attending such conferences - in India and even elsewhere, in my opinion - is to have concrete takeaways that can be cycled back into their organizations. Things that will help them address the dynamic challenges being thrown up by the threat landscape every day, or help them see things from a different perspective. Especially in the face of the usual pandemic lack of guidance at an industry or national level (see: Searching for Cybersecurity Leadership).
Need for Collaboration
Be it the opening keynote by the director of the NCIIPC, Sachin Burman, or the spotlight session by Dr. Amiruddin Wahab, CEO of CyberSecurity Malaysia, the need for collaboration was an oft repeated theme at the summit (see: Cybersecurity Malaysia: Lessons in Building Capacity).
Given how well-organized the adversary seems to be, and the relative lack of awareness, skills and technology infrastructure in the country to thwart determined threat actors, attendees have been vocal in their demand for action and actionable guidance. That which can be applied now. And many felt some of the topics at the summit were apt to address this.
Berjes Shroff, Assistant General Manager Information Security at Godrej Infotech, for instance, who was also one of the panelists on one of the discussions on insider fraud, was happy with the outcome. A close examination of these themes in the Indian context and the dissemination of this information in the community is today's top priority, he says.
That said, there are still others I spoke to that felt that the Indian security community is still cagey when it comes to sharing hard takeaways and real-world action points. As Dinesh Bareja, thought leader and founder of Open Security Alliance, points out: The excessive secrecy that the Indian Infosec practitioner is inured to means that in many instances even details of an organization's security policy remain confidential - and therefore ineffective and inaccessible to those who need it!
How Can It Be Done?
There is a clarion call being heard now from platforms such as this conference and other that the establishment, regulatory bodies, industry, and even the media need to work toward facilitating this need for collaboration and information sharing.
Burman's session, for instance, was an eye opener for many. Two things that Burman shared stand out for me. One is that incident reporting is mandatory in India under the IT Act, as per him. I say "as per him" because it is popular wisdom that India has no mandatory breach disclosure. And second that the NCIIPC is now providing a service where incidents, breaches and vulnerabilities can be safely reported without fear of prosecution - which is also a somewhat contradictory possibility under current interpretations of Indian law, and tends to hold back many from reporting issues.
NCIIPC is willing to take that bullet for vulnerability reporters and may or may not add attribution, as requested, according to Burman. He invited all the attendee to participate and contribute. A modest start, but with far-reaching implications if NCIIPC is able to generate the necessary visibility around the initiative. More details here.
Coming to Dr. Wahab's session, Malaysia's successes in cybersecurity are being acknowledged by the world, and Dr. Wahab in his session shared some of the recipe that brought about this success. Partnership is key; a public-private model can work if the right impetus is given by the establishment - as in Malaysia's case - and the industry. For India, this of course, will also have to be a prerequisite for building the capacity needed as the foundation for the India's aspiration to become a global security hub (see: 'Made in India' Cybersecurity: Why Not?).
The third session I'd like to touch upon is the one by Gigi Joseph, the CISO at the Bhabha Atomic Research Center - India's Lawrence Livermore-like nuclear research institution. Joseph was the most popular speaker at the conference after he delivered his session on role-based behavior analytics and identifying patterns and anomalies in user behavior as indicators of attack. Why this is significant is because all the security technology used at BARC is indigenously developed.
Joseph himself is known to have made significant contributions in the indigenization of networking and security devices. His brass tacks approach was a refreshing departure from usual tone prevalent in security - much of lexicon of which comes from technology vendors. I feel that it is incumbent upon the community to promote Joseph's work and that of practitioner's like him, if we are to break away from the inertia and jaded discourse that afflicts the growth of capacity and skills in the country (see: How Will India Get 1 Million Cybersecurity Professionals?).
On a final note, the summit was good, but the ones that follow can and will be better. The next ISMG summit the region is to be held in Singapore, and then Dubai. I'd love to hear from those who have attended. What do you want to hear about? What issues can we help you address? Do write me, or tweet to @APACInfosec.
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.