As the threat landscape expands exponentially and the threat vectors grow in sophistication, the task cut for the CISOs today is anything but easy. Anuj Tewari in a freewheeling chat with dynamicCISO talks about the issues that concern today’s CISOs and from where the next big threat is coming.
Shipra Malhotra: As a CISO what information security trends do you see dominating in 2018 and beyond?
Anuj Tewari: The year 2018 is going to be dominated by GDPR and privacy trends. From the cyber aspect, cyber resilience is coming up and picking up well. A lot of customers in Europe, especially, are talking to me about cyber resilience now. We have always talked about business resilience and business continuity traditionally, but not cyber resilience. Now we see people talking about not just doing the traditional risk assessments but also conducting cyber risk assessments, understanding what the threats are and that resulting into a cyber resilience plan.
In essence if we break down security, it essentially boils down to Confidentiality, Integrity and Availability. While continuity or resilience has mostly been linked with availability, the good thing about cyber resilience is that it focuses on all three aspects. In my personal opinion it is going to be the thing of the future because businesses cannot survive without having the data protected well, keeping it confidential, making sure that it is available at the right time (which is the availability aspect) and making sure that whatever was stored is what is being retrieved, i.e. the integrity of the data has not changed. So, cyber resilience focuses on all three aspects.
SM: Where do you see the next big threat coming from?
AT: I hate saying humans every time, but the next big threat is going to continue to be from humans – whether out of negligence/ignorance or due to malicious intent, i.e. insider threats. Somebody who has the rightful access may end up exploiting that access to use it for personal reasons or financial gains or if it’s a disgruntled employee may want to shame the company. That is where typically we want to ensure that their colleagues can understand any anomaly in behavior an employee who is becoming a threat to the organization. The key is to identify the anomalies in the employees’ behavior. While there are cybersecurity based tools available, which can tell if somebody in the organization is behaving outside the normal range of behavior, its also crucial to create awareness among employees to identify anomalous behavior among their colleagues.
Here is an example. For instance, if a business analyst works 9 am to 5 pm for most of the days in a month and for a few days may stretch for another two hours or so, that would be normal and nothing outside the ordinary. But, suddenly when on notice period in the last 30 days he/she logs in to the server on a Sunday and starts downloading pretty much all the documents, that could be a very good indicator of an insider threat and something that the machine could catch. On the other hand, if somebody is printing out some confidential information, that would require his/her colleagues who are trained to understand that this is confidential information and somebody should not have been printing it, and hence be able to report the incident.
Ultimately, it will take a healthy mix of human intelligence and machine intelligence to provide actionable results. Ultimately, addressing the threat from the human element boils down to awareness – either the machine has to be aware or the individuals have to be aware.
SM: What are the non-human threats that organizations should be wary of?
AT: On the non-human front, the next big threat will be from the neural networks and Artificial Intelligence (AI), which if not controlled or designed right, can result in harm. We all heard about the incident at Facebook where two of the chatbots it created for research started communicating in a language which only they understood. The programmers or the humans who designed them were not able to understand the output but they were actively communicating. It reminds me of the movie Terminator. This is exactly how it was – a neural network which was able to think and take decisions on its own.
SM: So, between the humans and machines who would be a bigger threat?
AT: Even as we make progress in the area of neural networks and AI, humans still continue to be the biggest threat. I don’t think machines have either matured or we have enough use cases in the industry where we really have autonomous neural engines taking decisions. Till such times humans are completely controlling the machines, I would rate humans a bigger threat and would suggest investing on them more than investing on just the tools.
SM: Despite spending millions of dollars on cybersecurity tools and technologies, organizations are still never 100% secure? How do CISOs optimize and prioritize their security investments for maximized results?
AT: Its very important to first acknowledge that we cannot protect everything. Identify the crown jewels and what are you really trying to protect versus what are the trade-offs that you are ok to live with. Once the crown jewels are identified, its important to containerize and logically segment them and apply those dollars in those values or in those ways that they are best optimized. All data doesn’t require the same level of security. Treating all data equally will mean too many false alerts and too many things that you don’t want to look upon as they take up your time, resources’ time and management’s time. There are only finite number of resources and there is finite focus that can be put in. So, use it wisely by segmenting and prioritizing the risks right and hence optimizing the investment.
Having said that, it is also critical to let the the leadership or board know what they are unable to protect. It makes driving the security strategy a lot easier. It is equally important to have the strategic callout around what is not covered and what are the tradeoffs and associated risks.Opinions expressed are personal and not that of any organization, individual or participant in the event