INTERVIEW OF THE MONTH
INTERVIEW WITH MR. RUDRA MURTHY K G,
Chief Information Security Officer,
Digital India,
Ministry of Home Affairs
1. As organizations become increasingly reliant on technology to run their business and with the adoption of digital including Internet of Things, what do you believe are the most common vulnerabilities and challenges that they face?
Digital adoption is going beyond the usual imagination and predictions of humankind and industry research. Consequently, associated risks are also following the same trend. Having said that, serious risks are relating to privacy and protection of critical data. The most common vulnerabilities of digital adoption, including IoT and IoET, are insecure interfaces, inadequate encryption and insufficient authentication mechanisms. Insecure interfaces can be present at Web, Cloud and Mobile layers. When such insecure interfaces are present, the common weak spots relating to account enumeration, improper account lock and weak credentials lead the way for an intruder to take advantage. These intruders aren’t necessarily only external parties. So far, studies prove that the threats from internal users are as significant as those from external users. Unfortunately, the intruder is able to detect issues relating to these interfaces quite easily. Whether in a manual or an automated way, they are able to do it without much effort. On several occasions we’re under the false impression that internal networks are very secure and cannot be breached. But some internal wireless networks are potentially very weak. This risk relating to data protection on networks, if not managed well, could lead to significant damage for the organization. Several organizations still fail to have effective Identity and Access Management. Authentication and Authorization deficiencies are often found across several interfaces and could be easy to discover.
2. What good practices have you seen in terms of how some businesses have planned and prepared for such growing digital risks? What recommendations would you have for enterprises to build “digital resiliency” into their organization systems and processes?
Organizations should always focus on being framework driven rather than tools driven. They should embrace adoption of new innovations to improve their service or product delivery. In several organizations the focus of CIOs, CISOs and CROs is only either IT or Compliance driven. Digitization requires a slightly different perspective. To draw an analogy, it is something similar to the kind of maturity lifecycle that Virtualization and then Cloud platforms underwent, where they eventually matured with time. We now fully understand the technology and all possible risks associated with virtualization and cloud platforms, and accordingly the enterprise frameworks and architectures are updated. Similarly, we should have the right strategy and framework for digital adoption; otherwise, unknowingly, we would end up in huge risks. With all the significantly massive initiatives such as Smart Villages, Smart Cities, internet to every home, mobile to every individual, etc., it would be just crazy to secure individuals, enterprises and nations if we don’t visualize them in a strategic way.
3. What do you believe is the role of a Chief Digital Risk Officer in a business and what scope, mandate and skills does a person need to play such a role well?
I don’t think we need to create more roles as part of Digital transformation. The current roles played by CIO, CISO and CRO should embed Digital transformation skills as an intrinsic part of their role. Digital is another form of computation and automation of business and end user processes. By creating too many roles we might end up creating unnecessary complexities, which could come in the way of ensuring effective execution and rapid technology adoption. It doesn’t matter what the title is, but it does matter who owns the responsibilities and whom he / she reports to in the organization hierarchy. The challenges related to digital need to be directly visible to the top management in order for timely action to be taken. For example, in most organizations, the CISO role is limited to only Policy and Compliance, with reporting to the CIO. This needs to change, as Cyber Security or Digital Security needs to be under the direct visibility of top management.
4. What kind of role have you seen analytics play in the management of digital risks, and how have businesses leveraged it for better planning and execution?
Yes, analytics does play a very important role. If we pay attention to the trend of innovation in computerization, we would obviously agree that we are in the midst of significantly high digital complexity. We are in a confused state as there are too many conversations within technology units themselves. We are not sure what the technology is trying to convey while it is functioning and, additionally, we have to deal with an ample number of devices in the network that are generating a significant amount of talk in the form of logs. It is quite impossible for humankind to digest, understand and derive insightful information from all the logs that these devices are generating. In order to address this complexity, the only way is to have analytical engines running on these logs to produce meaningful and actionable information for us to digest and act upon. These analytics help enterprises to understand risks in totality, and come up with possible and effective remediation to address business risks in a timely manner. The days of running correlations and cross relations on the logs to alert us on risks are a thing of the past. We now have smart technologies which can act on the risk by themselves and pass the actioned information along with a suggested future course of action. Smart analytics are able to achieve this by spotting trends and patterns together with a suggested action plan.
5. How do you believe nations should protect themselves from cyber espionage and put plans in place to counter a nation/state cyber-attack?
There should be a dedicated ministry for every nation which should own the strategy and execution of the nation’s cyber security and cybercrime. Every other ministry and state should work under the guidance of this dedicated ministry for all cyber security and cybercrime initiatives. The strategy should allow innovation and change adoption, but the execution should be standardized. There should be a security framework which takes into consideration all the industry sectors, including water management, power management, food management, agriculture, IT, automobile, telecom, defense, etc. This is highly important as we move to digitization and automation. At this point, security is unfortunately not receiving the emphasis it should, except being highlighted in the media to grab attention as part of marketing.