Devising Cyber Security Strategy in Wake of Increased Threat of Cyber Attacks

Jagdeep Singh, Chief Information Security Officer, Rakuten India | Thursday, 31 August 2017, 13:00 IST

In an ever increasingly interconnected world, we reap the benefits of technology and automation. However, we are also exposed to ever greater threats of cyberattacks and cybercrime. I firmly believe that Cyber Security has become the core necessity for running a business rather than a complementary function in an organization.

While many organizations still see Cyber Security as a cost to the company, very few see it as an investment and can foresee value in it. The whole idea of looking at security as an investment has had a very positive impact on fostering a strong security culture within an organization.

Leadership should follow a multi-layered approach when devising Cyber Security strategies and setting the organization's overall direction on cybersecurity. I will pen down questions on the areas in which we should assess our organization's security posture:

Security Governance and Policy:

• Assuming the organization has an Information Security Policy and Procedures, is their implementation appropriately measured? Is the policy reviewed and updated as per the changing context of the organization?

• Do all stakeholders understand Cyber Security Risks, and are they appropriately sensitized? It has been found that most people do not understand cyber risks to the business.

• Does the organization have a time-bound Security Program Implementation? Does it allocate appropriate resources and track progress, while making efforts to fill crucial operational gaps from time to time?

Secure by Design:

• Does the enterprise have a well-defined Security Architecture, used by its IT function to build and integrate various technology pieces?

• Does the organization understand its mission-critical assets (its crown jewels), and has it identified the controls to protect them at all costs?

• Does the organization follow a well-defined set of security best practices in times of mergers or spin-offs?

Security Assurance:

• Are Risk and Compliance actually measured and followed? Is the department/function handling Risk and Compliance given actual powers, or is it merely titular?

• Does the organization consider Information Privacy and Protection a security requirement, or merely a means of complying with local regulations?

• Does the organization audit its IT infrastructure periodically with Security Specialists/Red Teams, and ensure remediation is done for the gaps found?

Vulnerability Management:

• Does the organization have a centralized Vulnerability Advisory function, which advises its stakeholders on zero-day vulnerabilities?

• Does the organization perform periodic scans on its systems to assess the vulnerabilities? If yes, is remediation done appropriately?

Incident Response:

• Assuming that an attacker has breached our systems, what response measures do we take to return to normalcy in the least time? Are drills performed to replicate actual incidents and measure the effectiveness of the response?

• Does the organization have capabilities for near-real-time response to cyberattacks, in terms of Response Brokering, forensics, and breach remediation?

Security Analytics:

This area specifically assists in zero-day Intrusion Detection.

• Does the organization have the capability to mine historical datasets, identify new patterns used by attackers, and hunt down malicious activity not being reported by monitoring tools?

The above areas cover both proactive and reactive capabilities, which the organization should focus on building strategically. The maturity depends on the level of implementation of specific areas and the organization's context. It is also important to have defined key performance indicators (KPIs), and organizations should course-correct from time to time based on KPI evaluation results.