Devising Cyber Security Strategy in Wake of Increased Threat of Cyber Attacks

Jagdeep Singh, Chief Information Security Officer, Rakuten India

In an ever more interconnected world, we reap the benefits of technology and automation. However, we are also exposed to ever greater threats of cyberattacks and cybercrime. I firmly believe that cyber security has become a core necessity for running a business rather than a complementary function within an organization.

While many organizations still see cyber security as a cost to the company, very few see it as an investment and can foresee value in it. Treating security as an investment has a very positive impact on fostering a strong security culture within an organization.

Leadership should follow a multi-layered approach when devising cyber security strategy and setting the organization's overall direction on cyber security. I will pen down questions, grouped by area, that we should use to assess our organization's security posture:

Security Governance and Policy:

• Assuming the organization has an information security policy and procedures, is their implementation appropriately measured? Is the policy reviewed and updated as the organization's context changes?

• Do all stakeholders understand cyber security risks, and have they been appropriately sensitized to them? It has commonly been found that most people do not understand the cyber risks to the business.

• Does the organization have a time-bound security program implementation plan? Does it allocate appropriate resources, track progress, and periodically fill crucial operational gaps?

Secure by Design:

• Does the enterprise have a well-defined security architecture that its IT function uses to build and integrate the various technology components?

• Does the organization know its mission-critical assets (its "crown jewels"), and has it identified the controls needed to protect them at all costs?

• Does the organization follow a well-defined set of security best practices during mergers or spin-offs?

Security Assurance:

• Are risk and compliance actually measured and followed? Does the department or function handling risk and compliance have real authority, or is it merely titular?

• Does the organization treat information privacy and protection as security requirements in their own right, or only as a matter of complying with local regulations?

• Does the organization periodically audit its IT infrastructure with security specialists or red teams, and does it ensure that the gaps found are remediated?

Vulnerability Management:

• Does the organization have a centralized vulnerability advisory function that alerts its stakeholders to zero-day vulnerabilities?

• Does the organization periodically scan its systems for vulnerabilities? If so, are the findings remediated appropriately and within defined timelines?

Incident Response:

• Assuming an attacker has breached our systems, what response measures do we take to return to normal operations in the shortest time? Are drills performed that replicate actual incidents and measure the effectiveness of the response?

• Does the organization have the capability for near-real-time response to cyberattacks, in terms of response coordination, forensics, and breach remediation?

Security Analytics:

This area specifically supports the detection of intrusions, including zero-day attacks, that monitoring tools do not flag.

• Does the organization have the capability to mine historical datasets, identify new attacker patterns, and hunt down malicious activity that monitoring tools are not reporting?
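As an added illustration of what "mining historical datasets" looks like in practice (example code written for this page, not from the article or Rakuten), the script below runs two checks over a constructed set of SSH authentication log lines. The conventional per-user threshold rule, the kind a monitoring tool ships with, stays silent, because the attacker fails only once per account. A hunt query that pivots on the source address across a multi-day window surfaces the low-and-slow password spray and the account it eventually logged into. The log format, the thresholds and the sample lines are all assumptions chosen for the example.

```python
"""Hunt for a low-and-slow password spray in historical auth logs.

Added example, not from the article. The log format, the per-user alert
threshold, the hunt window and the sample lines are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 fails once against ten different accounts
# over ~26 hours and finally succeeds as "judy". 198.51.100.4 is a normal
# user mistyping a password twice.
SAMPLE_LOG = """\
2024-03-01T01:02:11Z sshd auth_failure user=alice src=203.0.113.7
2024-03-01T01:18:40Z sshd auth_failure user=bob src=203.0.113.7
2024-03-01T02:05:03Z sshd auth_failure user=carol src=203.0.113.7
2024-03-01T02:44:19Z sshd auth_failure user=dave src=203.0.113.7
2024-03-01T03:30:55Z sshd auth_failure user=erin src=203.0.113.7
2024-03-01T04:12:07Z sshd auth_failure user=frank src=203.0.113.7
2024-03-01T09:00:00Z sshd auth_failure user=alice src=198.51.100.4
2024-03-01T09:00:05Z sshd auth_failure user=alice src=198.51.100.4
2024-03-01T09:00:09Z sshd auth_success user=alice src=198.51.100.4
2024-03-02T01:07:22Z sshd auth_failure user=grace src=203.0.113.7
2024-03-02T01:50:44Z sshd auth_failure user=heidi src=203.0.113.7
2024-03-02T02:31:13Z sshd auth_failure user=ivan src=203.0.113.7
2024-03-02T03:15:39Z sshd auth_failure user=judy src=203.0.113.7
2024-03-02T03:58:01Z sshd auth_success user=judy src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd (?P<event>auth_failure|auth_success) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Parse the assumed log format into event dicts; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "event": m["event"], "user": m["user"], "src": m["src"]})
    return events


def per_user_threshold_alerts(events, max_failures=5, window=timedelta(hours=1)):
    """Conventional monitoring rule: alert on a user with more than
    max_failures failed logins inside a sliding one-hour window."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "auth_failure":
            by_user[e["user"]].append(e["ts"])
    alerts = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_failures:
                alerts.add(user)
    return alerts


def hunt_password_spray(events, min_distinct_users=5, window=timedelta(days=7)):
    """Hunt query: pivot on source address, count distinct usernames that
    failed within a long window, and record any later success from that
    source (a likely compromised account)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event"] == "auth_failure"]
        if not failures:
            continue
        span = failures[-1]["ts"] - failures[0]["ts"]
        users = {e["user"] for e in failures}
        if len(users) >= min_distinct_users and span <= window:
            compromised = sorted({e["user"] for e in evs if e["event"] == "auth_success"})
            findings[src] = {
                "distinct_users": len(users),
                "span_hours": round(span.total_seconds() / 3600, 1),
                "successes": compromised,
            }
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("threshold rule alerts:", per_user_threshold_alerts(evs) or "none")
    print("hunt findings:", hunt_password_spray(evs))
```

The same pivot (source or session identifier, distinct targets, long window, success-after-failures) generalizes to VPN, web login and cloud console logs; the point is that the hunt asks a question the standing alert rule never asks, and the answer is then turned into a new detection.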

The areas above cover both proactive and reactive capabilities, which the organization should focus on building strategically. Maturity depends on the level of implementation in each area and on the organization's context. It is also important to define key performance indicators (KPIs) for each area, and organizations should course-correct from time to time based on the results of KPI evaluation.
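As an added example of the kind of KPI the vulnerability-management and course-correction points above call for (code written for this page, not the article's own), the script below computes remediation KPIs from a constructed set of scan findings: mean time to remediate, the share of closed findings fixed inside SLA, and the open findings already past their SLA, per severity. The SLA table, the finding records and the reporting date are assumptions; a real report would read the findings from the scanner or ticketing system.

```python
"""Vulnerability remediation KPIs from scan findings.

Added example, not from the article. SLA_DAYS, the Finding records and the
reporting date are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Assumed remediation SLA in days, per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    asset: str
    severity: str
    first_seen: date
    fixed_on: Optional[date] = None  # None means the finding is still open


# Constructed sample findings.
FINDINGS = [
    Finding("web-01", "critical", date(2024, 3, 1), date(2024, 3, 5)),
    Finding("web-02", "critical", date(2024, 3, 1), date(2024, 3, 15)),
    Finding("db-01", "high", date(2024, 2, 10), None),
    Finding("db-02", "high", date(2024, 3, 20), date(2024, 4, 10)),
    Finding("app-03", "medium", date(2024, 1, 5), None),
    Finding("app-04", "low", date(2024, 3, 25), None),
]


def remediation_kpis(findings, as_of):
    """Per-severity KPIs: counts, mean time to remediate (days), percentage
    of closed findings fixed within SLA, and open findings past SLA."""
    report = {}
    for sev, sla in SLA_DAYS.items():
        subset = [f for f in findings if f.severity == sev]
        if not subset:
            continue
        closed = [f for f in subset if f.fixed_on is not None]
        still_open = [f for f in subset if f.fixed_on is None]
        within_sla = [f for f in closed if (f.fixed_on - f.first_seen).days <= sla]
        overdue = [f.asset for f in still_open if (as_of - f.first_seen).days > sla]
        report[sev] = {
            "total": len(subset),
            "open": len(still_open),
            "mttr_days": round(mean((f.fixed_on - f.first_seen).days for f in closed), 1)
            if closed else None,
            "sla_met_pct": round(100 * len(within_sla) / len(closed), 1)
            if closed else None,
            "overdue_open": overdue,
        }
    return report


def kpi_breaches(report, target_pct=90.0):
    """Severities needing course-correction: SLA attainment below target,
    or any open finding already past its SLA."""
    return [
        sev for sev, k in report.items()
        if (k["sla_met_pct"] is not None and k["sla_met_pct"] < target_pct)
        or k["overdue_open"]
    ]


if __name__ == "__main__":
    kpis = remediation_kpis(FINDINGS, date(2024, 4, 15))
    for sev, k in kpis.items():
        print(sev, k)
    print("course-correct:", kpi_breaches(kpis))
```

Tracking these numbers over successive scan cycles, rather than the raw count of open vulnerabilities, is what lets leadership see whether the remediation process is actually working and where to reallocate resources.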