Cybersecurity @ the Heart of Business
“If your information isn’t safe, your future is not secure.” – Ram Kumar G, CISM, CRISC
In today’s vibrant digital scenario, it wouldn’t be an exaggeration to say that no business can stay off the grid and remain untouched by the digital revolution that is underway. In an increasingly inter-connected cyber world lurks the danger of cyber threats and risks targeting confidential data and IT infrastructure, aimed at data theft, data manipulation, or disabling IT infrastructure so that online/offline services become unavailable. These could cause debilitating disruption to business operations and, in extreme cases, put the company in an existential crisis.
Not a week passes without news of a major cyber attack that causes a data breach or cripples the IT services of a major marquee brand. It has to be noted that we get to hear only about cyber attacks targeting big brands, and not about the hundreds of others that don’t make it to the headlines.
In order to protect customer interests in terms of data security and privacy, many regulations have been put in place across the world, the key ones being PCI DSS, HIPAA and GDPR, to name a few. With the exponential rise in cyber attacks, the regulatory regime is undergoing a sea change to push companies to adopt a robust cyber security posture, and the regulations are going to get tighter.
Cyber Security can’t be an afterthought
“Security is like brakes on your car. Their function is to slow you down. But their purpose is to allow you to go fast.”
Given the prevailing cyber threatscape, it is only prudent that companies take cyber security seriously, not just to fulfil regulatory compliance or meet customer requirements, but for their own good as an ongoing business with a long-term commitment to protect their business, data, IT infrastructure and customer interests.
To do so, the key strategic imperative is to approach cyber security as an essential component of business and not as an afterthought. In essence, this means organizations adopting the “Secure by Design” principle in their business operations and processes – application development, IT network, supply chain management, manufacturing operations, etc. – supported by a robust, integrated security governance, risk and compliance program covering the Information Security, Application Security, IT Infrastructure Security and Physical Security domains. A live and tested Business Continuity & Disaster Recovery program will help ensure the business is resilient in the face of disruptions/crises caused by cyber attacks, man-made disruptions like trade shutdowns, transport strikes and sudden inaccessibility of business facilities, and natural disasters like flooding, cyclones, etc.
The biggest benefit of incorporating cyber security in business processes is that the security aspects are built in from day 1; this helps avoid the costly and time-consuming task of adding security later on and facilitates building a secure process/product. For example, including security controls and best practices from the initial stages of application development builds secure coding principles into the coding phase itself, instead of fixing security loopholes found in the testing phase, and so saves time, effort and resources. Of late, progressive organizations have adopted DevSecOps to build in security early in their application development lifecycle.
Security is no longer a necessary ‘evil’
“Cyber Security is a strategic business imperative; not an option anymore.”
In the olden days (the 80s and 90s), data security, as it was called then, was perceived as more of a necessary ‘evil’, as it cost resources, money, time and effort with little tangible value add for the business. Not anymore in today’s scenario. With the ever-changing cyber threat environment, it is a business imperative to put in place a strong cyber security program.
While there is no such thing as absolute security and no one can assure fool-proof security, a matured cyber security program can help in reducing risks, minimizing the impact of security incidents, recovering business operations faster and reverting to business-as-usual mode.
Security is no longer an IT problem; it’s a business issue
“The question is no longer can we afford security, but can we do business without it?”
We have come a long way from the days when cyber security was viewed as an IT problem concerning only the IT staff. Today it is very much a business issue and it is viewed as a business enabler. Progressive organizations integrate cyber security with their business and the matured ones make security part of their culture.
A strong cyber security program helps the business entity meet regulatory requirements, which depend on the industry sector, data sensitivity and location of the business operations. Most importantly, a working cyber security program provides assurance to customers, existing and prospective, enabling them to repose trust and confidence in the company’s ability to handle sensitive data, respond to cyber attacks and deliver almost uninterrupted services as per their requirements.
Given the criticality of data and its supporting IT infrastructure, it is no surprise that today cyber security finds a place on board meeting agendas, and the executive helming the organizational cyber security program, often titled the Chief Information Security Officer (CISO), is finding a voice and, at best, a seat in the board room.
Changing Threatscape requires a new approach to Cyber Security
“There are only two types of companies: those that have been hacked, and those that will be.”
– Robert Mueller, Former FBI Director
In today’s evolving cyber crime scenario, it’s a given that cyber security incidents, sooner or later, are bound to happen.
With the proliferation of end-user technology devices/services using new-age technologies like IoT, Artificial Intelligence, Robotics, Machine Learning, Blockchain, etc., the cyber security landscape is fast changing and evolving to meet the new challenges posed by cyber criminals. The cyber security research domain is vibrant, and lots of new techniques, approaches and tools are being developed, tested and released for commercial use. The intent and lethality of cyber attacks may vary in degree, but there is no denying the fact that new-age cyber threats require an unconventional, new-age cyber security approach, defenses and response. The emergence of the dark web as a haven for organized cyber crime syndicates [1] has only made it worse, and the involvement of these groups with the active support of nation-states has only compounded the problem. Today, no one can prevent a cyber security incident, but organizations can build cyber security capabilities to stay resilient by responding intelligently and recovering fast from such attacks.
The way computer security has evolved over the years – from the data security of organizations in yesteryears, to the present cyber security of businesses, to tomorrow’s digital security of the entire critical infrastructure of what is going to be developed as smart cities – is proof enough that the domain needs new-age solutions to emerging threats. In response to the prevailing geo-political cyber risk scenario threatening critical national IT assets, the Government of India is considering setting up a unified tri-services organization to handle threats in cyber space [2]. The writing is clear on the wall: the next frontier of war is going to be fought in cyber space and beyond (maybe space). Already, low-level cyber firefights are underway against each other’s IT infrastructure, waged through non-state actors affiliated to nation-states. It’s a lot cheaper and more effective to run a cyber war than to actually put troops on the ground and roll tanks.
The right mix of people, process and technology in a well-designed cyber security program is a bulwark against cyber threats, which are a clear and present danger with their ever-evolving tactics, techniques and procedures.
The Growing Cyber Crime Market
“The modern thief can steal more with a computer than with a gun; Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.”
– National Research Council, “Computers at Risk”
It has already been touted that cyber criminal activity is going to be the biggest challenge that mankind will face in the next few decades. It is estimated that cyber crime will cost $6 trillion annually by 2021 [3] (up from $2 trillion in 2015). Cyber crime has already overtaken drug peddling as the most profitable illegal business [4]. The cyber crime ecosystem is well-oiled, and data-intensive businesses are the targets.
As per the Ponemon Institute’s 2018 Cost of a Data Breach Report, the average total cost of a breach rose from $3.62 million to $3.86 million, an increase of 6.4 percent from 2017, and the average cost for each lost record rose from $141 to $148 in 2018. These numbers will only grow in the years to come.
Over the years, the cyber attack surface has grown by leaps and bounds. The concept of an organization doing business operations only within four walls, or at least having complete visibility, is long gone with the advent of the data-driven, digitally interconnected business enterprise. Today we operate in the age of the extended enterprise, where external stakeholders like service providers, vendors, contractors, etc. have access to business networks to deliver value. Employees, too, are more digitally agile and active on social media networks, and often we find staff using personal mobile devices to connect to corporate IT networks to perform their work. Actions by ignorant or negligent users, or deliberate acts by insiders, lead to data leakage or other security incidents.
If the cyber attack surface has increased, then the attack vectors have also proliferated – from emails and websites to IoT devices and the weaponization of AI-enabled devices – and the threat is all-pervasive, leaving all of them vulnerable. New-age threats like ransomware, cryptojacking for cryptomining, and attacks on cyber-physical systems involving critical infrastructure like power grids, transportation systems, etc. are as lethal as old methods like phishing attacks and malware infection.
The costs of cyber crime are mind-boggling: loss, theft or manipulation of data and data processing infrastructure; theft of money, identity, intellectual property and personally identifiable data; changes to application functionality to facilitate fraudulent transactions, gain money illegally or disrupt business operations; digital forensic investigations; loss of productivity; reputation loss for organizations; fines, penalties, damages and lawsuits; loss of customers leading to a dip in revenues; the cost of restoration activities to bring business operations back to normal; etc. At times, businesses have gone belly up due to cyber attacks or have temporarily suspended business services, key executives have been fired and at times jailed, and companies have received bad publicity for extended periods of time.
This scenario has put huge pressure on industry players, and according to Forbes, global information security spending is poised to hit $124 billion by 2019 [5], mainly driven by privacy concerns and regulations.
The World Economic Forum (WEF) has listed cyber attacks as the third most likely global risk in 2018 [6], and given the lucrative market for cyber criminals, this is not going to scale down in the coming years.
Cyber Security Talent Shortage
In this risky scenario, the moot question is: do we have enough people to rise up to the cyber crime challenge? The quick answer is, sadly, a big NO!
According to recent estimates, globally there are going to be 3.5 million cyber security jobs [7] that will go unfilled by 2021. The global cyber security talent shortage is real, and it is going to adversely impact businesses’ capability to deploy cyber defense strategies. Small and medium businesses are more vulnerable to cyber attacks, as they are too cash-strapped to deploy expensive security technologies and hire cyber security professionals who command premium pay.
The skills shortage is not going to go away any time soon. It will take years to develop cyber security professionals with the right skills to fill these jobs. Fresh graduates with degrees in technology may not have the hands-on skills to take up specialist positions in cyber security and hit the ground running. They need to undergo technical training with hands-on lab exercises to pick up the required skills, and then try getting a break in the industry. There are very few formal degree or post-graduate degree courses in India that offer hands-on training focused on developing niche skills in cyber security.
With the regulatory regime getting stricter due to privacy and information security concerns (thanks to frequent data breach incidents suffered by big brands), compliance with these regulations is a challenge. Already, the information security function is mandated by regulatory compliance in some industry sectors, and the omnipresent threat of cyber attacks is only making the need to hire cyber security professionals urgent. There is a definitive demand for talented and competent cyber security professionals in India [8].
Cyber Security as a domain is vast; it wouldn’t be far-fetched to say even a lifetime isn’t enough to master all the domains. Whether you are interested in technical or non-technical roles, cyber security has them all: positions span entry-level roles like security systems engineer, administrator and analyst, mid-level roles like auditor, architect, expert and forensics investigator, and senior-level roles like director, head and C-level executive. Each of the cyber security domains – Governance, Risk & Compliance (GRC), IT Infrastructure Security, Application Security, Industry Cyber Security, Data Privacy, Business Continuity, Disaster Recovery, and new-age domains involving artificial intelligence, robotics, machine learning, blockchain, etc. – entails a separate and distinct career path.
On the non-technical side roles like cyber security sales professional, security blogger/columnist, event producer, recruiter, etc. are on offer.
Cyber Security is a domain that keeps changing and evolving all the time. So the challenge and imperative here is to keep learning, unlearning and relearning all the time. If the vibrant, dynamic nature of the field excites you and the prospect of constant learning appeals to you, then you should probably consider this as your profession.
One rewarding way to validate your learning – knowledge, skills and expertise – is to undergo industry-recognized certification courses and obtain the certification. Security certifications are varied: vendor-oriented to vendor-neutral, skill-based, domain-specific, etc. Though there are contrarian views regarding the value of certifications versus the actual skills a candidate can demonstrate on the job, there is no denying the fact that certified candidates command attention from recruiters and are obviously better paid than those who are not certified. Exceptions exist, though.
Where are the job opportunities?
Cyber Security jobs are available across a range of companies – Consulting firms, IT sector, Non-IT sector and startup firms.
| S.No | Broad Employment Category | Industry Sector |
|------|---------------------------|-----------------|
| 1 | Consulting Firms | Big 4 Audit Firms, Pure Play Consulting Firms, Certification Bodies, Research Firms |
| 2 | IT Sector | Product & Services Companies, Startups |
| 3 | Non-IT Sector | BFSI, Healthcare, Defense, Media, Technology R&D firms |
| 4 | Entrepreneurs | Freelance Consulting, Own startup |
Other employment avenues are well-funded, cyber security-conscious non-governmental organizations like the UN and its affiliates, government organizations (PSUs, nationalized banks, etc.), global NGOs, and teaching/research positions with leading academic institutions.
Cyber threats are not the stuff of sci-fi movies anymore and they are a reality. We are looking at the prospect of next generation real-world conflict involving cyber warfare. And nations which have the best of hackers will have the edge over the others.
With the emergence of crime-as-a-service in a big way, cyber attacks are going to be the new normal, and anyone who is motivated can launch a targeted attack on a business or an individual. The cost of mounting a cyber attack versus the cost of defending against it has been irrationally asymmetrical, making the defenders vulnerable to losing the battle. Lose they would, albeit temporarily, but with a matured cyber security program the downtime can be reduced and the response time made shorter.
A pressing need of the hour is to attract students and professionals to the cyber security domain, so that they take up specialist training courses or degrees to be future-ready. With a wide range of jobs across the world offering lucrative salaries, cyber security requires talented professionals to defend against cyber threats. So the question is: are you ready to be the next-gen cyber warrior?
About the Author
Ram Kumar G, CISM, CRISC, CEH, CPISI, BCCE, is a senior Information Security professional serving a leading healthcare major. His 17-year corporate stint includes setting up Information Security programs from the ground up in a few multi-national companies across the BFSI, IT/ITES, ISP, Media & Entertainment and Healthcare industry verticals. His core expertise extends across the Information Security, Corporate Security, Data Privacy and Business Continuity domains.
Ram is a published author; his book “Cyber Crimes – A Primer on Internet Threats and Email Abuses” was published by Viva Books, New Delhi, in 2006 and re-published in 2010 and 2013.
Ram served as a Mentor for the 1st batch of M.Tech/MS Cyber Security students at Reva University.
Detailed career profile available at: www.linkedin.com/in/gramkumar