From SECURITY to TRUST
Just having strong security systems is not enough. Such systems should also create strong trust among their users:
The year 2020, with the onset of covid, brought with it a host of sudden changes, many of which are likely to stay on board as the ‘new normal’. The World Bank’s latest Economic Outlook from the OECD shows how covid’s impact has been both widespread and devastating across sectors and countries. From business owners facing supply chain disruptions and a liquidity crunch to salaried individuals facing the harsh reality of a sudden red slip, the times are both uncertain and challenging. To ride the tide, enterprises, especially in the financial sector, are embracing a new digital normal that can help them minimize likely losses and continue operations while balancing security, safety and technology.
The silver lining amid the dark pandemic clouds has been the role of technology. The digital ecosystem has emerged as the ‘new normal’, especially in the financial world. For example, there has been a massive increase in uptake of Microsoft’s low-code Power Platform, aimed at enabling rapid development. Likewise, Microsoft Learn, a platform to acquire, update and certify Microsoft skills, has witnessed a 25% increase in the number of users post covid lockdown. The stats are similar for other software and cloud service providers, underlining digital disruption as the new norm.
KuppingerCole Analysts, one of Europe’s leading analyst firms on information security in the era of digital transformation, traces how even some of the most conservative organizations are now adopting a ‘cloud first’ strategy without bothering with time-consuming proof of concept trials. So, while covid is endangering lives and scarring livelihoods, it is also opening up avenues for a tech-enabled resurgence remapping the ‘new normal’ for the future.
While the medical world fights against time to come up with a vaccine which is both safe and effective, the new normal for enterprises is likely to stay for good. Changing consumer consumption habits, more reliance on work from home (WFH) even in sectors where it was alien before the pandemic, acceleration of digital transformation, and reliance on automation and technology are some of these new normals.
Here is a look at the lifecycle of the new digital ‘normal’, emphasizing tech-enabled security and trust as the pillars of the new normal in the financial world.
REBUILDING TRUST IN THE NEW DIGITAL ERA
There is no denying the fact that the covid crisis has shaken a number of things, and one of the essential elements is that of ‘trust’. Thankfully, a deep dive into the financial sector shows the trust element in the Indian BFSI ecosystem to be intact compared to some other countries across the globe. With various people, from clients, customers and staff to industry stalwarts, each having their own definition of trust and security, rebuilding any loss of trust in this new digital environment remains a top priority for many organizations, especially in the banking and financial world.
Security and trust are very interrelated, shares Sridhara Sidhu, CISO at Wells Fargo. With the context of business execution changing in a post covid world, the risk landscape for businesses has also undergone a relative change. “To understand the new risks coming into play and how they may impact the end customer trust remains paramount,” says Sidhu. Every organization today has its own internal dynamics focusing on plugging in new emerging risk factors, and so each organization faces an ever-emerging challenge on the trust aspect.
Digital gives value to business but also opens up risk avenues like phishing, both in terms of websites and mobile applications, underlines Nagaraj Solkar, CISO, Bajaj Allianz General Insurance for Microsoft Learn, tracing risk in the insurance sector. For any organization, especially in the financial domain, keeping its trust element intact requires constant monitoring of any such fraudulent activities to ensure customer safety, he adds. For financial enterprises, therefore, maintaining trust is even more relevant than building long-term trust.
A crisis like covid is the perfect opportunity for bad guys to find a crack and breach the financial security shield, feels Agnelo Dsouza, CISO for Kotak Mahindra Bank. “There has been an exponential rise in phishing attacks in a post covid world across the globe,” he says. With a digital push enabling first-time, non-tech-savvy customers to adopt digital means, the risk that they fall for such attacks is high, making it a huge challenge for banks.
Echoing similar sentiments expressed by Sidhu, Manish Pal, Sr VP - Information Security, HDFC Bank, says building trust remains the key. Secure delivery of services has always been a priority for banks and financial enterprises, he says, adding that the onset of digital in the post covid era is adding extra emphasis on security, which was always in place at the organizational level for most BFSIs.
IS AWARENESS CAPPING DIGITAL FRAUDS?
An increasing number of cyber and phishing attacks also means increasing consumer awareness of such frauds. Agnelo Dsouza, sharing his experience, feels that cyberattacks today are well funded, helping the fraudsters adopt new technological means and exploit loopholes to make inroads. “The challenge for security experts is that they have zero margins for error and they need to be 100% all the time while the hacker needs to be successful in only 1 out of 100 attempts to undo all our good work,” stresses Dsouza. What’s worse, he says, is that the organization faces a trust deficit among consumers in the aftermath of a cyberattack. This will undo years of good work and lead to an instant trust deficit. It is for this reason that most BFSI organizations remain extremely concerned about cyber security and treat it with the utmost priority, he insists.
“Cybersecurity continues to hold an important space in the discussion in almost all board meetings and management reviews,” he explains, emphasizing the criticality of the need.
Giving the right feedback to the management is one of the fundamental security aspects, believes Manish Pal. “It’s not a question of whether you will be hacked. It is a question of when and how you will realize you have been hacked,” he stresses, highlighting how digital security remains paramount for consumers along with organizations and security experts. Advanced persistent threats, which were earlier a buzzword, are now routine in the life of security experts managing sensitive data and financial information, he points out.
Manish Pal recalls that delivery of service, which hitherto was a mixture of physical and digital, is 100% digital in a post covid world, and this sudden digital push has brought a huge emphasis on trust since many customers, especially in the financial space, continue to be sceptical of technology. “To optimize the digital push without compromising on the trust deficit is a tightrope walk that most BFSI enterprises are currently embarking upon and customers can often turn out to be the weak link, enabling hackers to gain an easy access even as the overall ecosystem remains tightly secured and waterproofed,” he adds.
CRISIS MANAGEMENT PLANS
Most organizations and business entities have had a crisis management plan, but covid forced organizations to implement it instantly and without notice, says Manish Pal, pointing out that board members, who until now were used to periodic updates on security, are suddenly tracking security and risk mitigation measures on a daily basis. The more frequent the updates and communication between the crisis management team and the respective boards, the better it is for the overall security system of an organization, he emphasizes.
What the board does in the current scenario can make or break a company’s risk mitigation. Seeking assurances from the risk management team or proactively tackling risk factors may well determine how ready the organization is to tackle security, which can impact its trust ratings.
The one thing the majority of board members across organizations are aware of is data breach analysis and reporting, says Sidhu of Wells Fargo. The stark reality, he says, is that someone could well be sitting inside the security systems, observing the happenings and waiting for the right moment to attack. There are ample security tools to handle and tackle data breaches by tracing data movements. However, only limited tools are available when the hacker is merely observing or does nothing, he says, and this makes it hard for security teams to track them down.
Sharing an interesting insight, Sidhu mentions that 99.6% of data breaches over the last 10 years have happened due to simple vulnerabilities that were left unpatched for over 90 days. This is known to most CIOs and CISOs, but underlying challenges, lack of consistent processes and poor monitoring all add up to such a breach possibility, he warns, suggesting that CIOs must, instead of worrying about future breaches, take care of what is known and ensure patching of all such common vulnerabilities. This can ensure a much tighter ecosystem, he adds.
BOARD MANAGEMENT AND RISK MITIGATION
With many board members being non-technical, explaining things to them and bringing them on board can often be a less talked about challenge for security teams and experts.
For example, email and social media data breaches and the landing of data on the dark web are not a common topic for discussion, but these continue to be major risks for enterprises even with timely patch updates. Nagaraj shared a dark web vulnerability case study about how an individual user had 16 different passwords over the last 10+ years, yet the data was still leaked in 4 unique attacks and was freely available in a hacker’s database. “Weakness in the systems is one thing but credentials are already available freely in the dark web for the hacker to exploit,” he says.
Communicating to the management about technology weaknesses and the vulnerability of data, and convincing the members to tighten the loose ends, is easy, feels Nagaraj, insisting that offering detailed data along with solutions is what helps in most cases.
Manish Pal is of the view that the board on its part needs cyber security training. As a CISO or information security practitioner, training the board must be part of the plan. With many third-party entities, including government entities, offering such training as a service, this goes a long way in making board members understand risks and proactively adopt security solutions.
Having a cyber security specialist on the board or in the management team helps an organization be more aligned on strategy and security, feels Sidhu, who has years of experience dealing with various board and management teams. In fact, many global organizations have already implemented such a move, he reveals, and he believes this is the way forward for Indian enterprises as well.
IN-HOUSE VERSUS 3RD PARTY PRODUCTS
Just about every enterprise has a secure, laid-down lifecycle procedure for an in-house product or service policy, says Manish Pal. An in-house software development team developing services or products needs to refurbish them with changing times and technology. Likewise, information security teams also need to update their security checklists, and all such software changes must adhere to the security protocols relevant at that time, he insists.
It is very possible that technology limitations may not allow implementation of security protocols as desired. Older applications are therefore not always 100% compliant with the desired security protocols. Hence, having a technology obsolescence plan in place is a must, where the older software or service is replaced as the gap between offered and desired security widens, explains Manish Pal. Monitoring software or services which rank low in compliance and are yet to be replaced is what the security teams must really focus on to avoid any unpleasant breach.
Each organization must plan based on the types of product, the technologies used at the backend, security protocol compliance and eventual replacement, he adds, as a golden rule to follow for in-house developed products.
Agreeing with this contention, Agnelo Dsouza says that in today’s agile world, with security patches often being released on a daily basis, security practitioners need to be agile enough to assess the risk ahead of time. Automating DevOps and security, for example, is the way ahead to counter this eventuality, so that security teams remain a step ahead in checking possible loopholes and communicating them to the development teams. Off-the-shelf products or products from third parties are often a major security challenge, he adds. He believes many such companies lack a security-first mindset. “While they may be very good at coming up with services and innovative products, this lack of emphasis on security can often go undetected,” he says.
Even when security teams find a vulnerability in a product, the product manufacturers are slow to update, taking as much as 1 year for the next update to close the vulnerability. This leaves parent companies at high risk of data breaches, which shows up in 99.6% of breaches being simple risks, elaborates Dsouza on the challenges faced by security teams.
Misconfiguration or the time gap between patch release and patch application is what leads to high-risk vulnerabilities, agrees Nagaraj.
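The 90-day exposure window Sidhu cites and the patch-release-to-fix time gap discussed above both come down to one measurable quantity: how long a known fix stayed unapplied on each asset. The following is an added example, not code from the article or from any of the organizations quoted; it assumes a small constructed patch inventory (illustrative asset names, vendors, placeholder advisory ids and dates) and treats the 90-day figure as the SLA for flagging overdue fixes.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SLA_DAYS = 90  # the 90-day window the article cites; assumed here as the patch SLA


@dataclass
class PatchRecord:
    asset: str
    vendor: str
    advisory: str            # placeholder id, not a real advisory
    severity: str            # "critical", "high", "medium" or "low"
    released: date           # when the vendor published the fix
    applied: Optional[date]  # None while the fix is still pending


def exposure_days(rec: PatchRecord, today: date) -> int:
    """Days between fix release and application (or today if still pending)."""
    return ((rec.applied or today) - rec.released).days


def overdue(records, today, sla_days=SLA_DAYS):
    """Records whose exposure window exceeds the SLA, longest exposure first."""
    late = [r for r in records if exposure_days(r, today) > sla_days]
    return sorted(late, key=lambda r: exposure_days(r, today), reverse=True)


def vendor_latency(records, today):
    """Mean exposure days per vendor: a rough view of how slowly fixes land."""
    totals = {}
    for r in records:
        n, s = totals.get(r.vendor, (0, 0))
        totals[r.vendor] = (n + 1, s + exposure_days(r, today))
    return {v: round(s / n, 1) for v, (n, s) in totals.items()}


# Constructed sample inventory (illustrative assets, vendors and dates only).
TODAY = date(2020, 12, 1)
SAMPLE = [
    PatchRecord("netbank-web-01", "VendorA", "ADV-0001", "critical", date(2020, 6, 1), date(2020, 6, 20)),
    PatchRecord("core-db-02", "VendorB", "ADV-0002", "high", date(2020, 3, 15), date(2020, 9, 1)),
    PatchRecord("branch-vpn-03", "VendorC", "ADV-0003", "high", date(2020, 8, 1), None),
    PatchRecord("hr-portal-04", "VendorA", "ADV-0004", "medium", date(2020, 10, 20), None),
]

if __name__ == "__main__":
    for r in overdue(SAMPLE, TODAY):
        print(f"{r.asset:15} {r.vendor:8} {r.severity:8} exposed {exposure_days(r, TODAY)} days")
    print(vendor_latency(SAMPLE, TODAY))
```

On the sample data the report flags the already-patched database host as well as the pending VPN fix, since a patch applied late still counts toward the exposure a board should see.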
SECURITY PARTNERS AND TRUST OFFERINGS
With most BFSI and financial entities relying on third-party experts when it comes to handling security needs, is it time to have a measurable trust element over and above the security parameters?
When a CISO speaks to a product vendor, it is time for them to talk with the product developers and engineers and not just the sales people, suggests Sidhu. Such an interaction by itself can go a long way in enhancing the trust aspect of the product. Getting insights about product roadmaps, enhancement cycles and technological aspects all ensure maximum trust, he adds.
The work of a CISO or IT team is not just to get the new solution in place. What matters is adoption, says Nagaraj. Buying a product with 30 features after a long evaluation makes no sense if not all the features are eventually going to be installed. Monitoring adoption of any new solution will help escalate the trust element substantially, he says, adding: “Adoption must be one of the biggest parameters for effective trust building.”
Looking beyond the sales pitch and features is necessary, keeping in mind an organization’s own security architecture, asserts Manish Pal. This, he says, is the way to escalate trust mapping. “Unless a partner has similar synergy towards security, the tool alone may not be much good for the future. In a world where companies are acquired or bought out by rivals, security focused companies are more likely to retain the trust element,” he says.
A software or product vendor or a sales team usually promises the moon, but that alone should not be the only buying criterion, says Dsouza. “Understanding what one needs as a buyer is essential before short-listing the right product available in the market,” he says. As an example, he shares how getting too many products is a common mistake made by enterprises, which eventually end up without internal compatibility between the products and services.
Mapping the product software to an organization’s security architecture, and understanding the risks and solutions for various product lines, is the best way forward, says Dsouza, maintaining that understanding what a product cannot do is just as important as what it can do. “Red team exercises based on frameworks can all help give companies a holistic view of risks and product limitations,” he says.
The battle between user convenience and security is often a buying point for many products, according to him, and red team exercises can therefore help balance these protocols, helping pick a desired product which is both secure and optimal.
From his experience as CISO with Kotak Mahindra Bank, he says that while a CISO’s role is to educate the management and the board, security must be understood as a business risk and not just an IT risk alone. “Once that culture is embedded in an organization’s DNA, the chances of it having successful trust driven partnerships increase exponentially,” he argues.
Trust is linked to people and not the product in most cases. Having a perfectly secured product delivered by an untrustworthy team does no good. The ethics and working methods of the people handling the product must play a decisive role in inking a partnership or avoiding it. An organization must therefore ensure synergy with the product development team and management as a whole for a long-term collaboration emphasizing mutual trust, security and a long-valued business partnership.