Security awareness addresses shadow IT project risks
Gopal Balachandran, Chief Financial Officer and Chief Risk Officer at ICICI Lombard General Insurance, discusses the need for enhancing security:
Ravi Lalwani: What is your perspective on improvements in detection and prevention of malware and attacks by BFSI organizations during 2020?
Gopal Balachandran: Given the rising trend of cyberattacks and ransomware attacks, most organizations are focusing on getting their IT and security strategy right for timely detection and prevention of all security incidents. A lot of focus is on ensuring an effective Security Operations Center (SOC) with capabilities such as security automation, orchestration and response. Many organizations have started testing their incident response management capabilities with attack simulation exercises.
What types of Security-as-a-Service have proven to be technically successful during 2020? What commercial benefits of Security as a Service have been realized?
Most OEMs are now moving from a data center-focused capex-based long-term project model to opex-based services. This phenomenon is particularly on the fast track with the rising trend of adoption of public cloud services by many global and large-scale organizations.
SOC, endpoint detection and response, web application firewall, real-time cloud posture monitoring and management, breach attack simulation, etc., are some of the successful implementations of Security-as-a-Service.
Apart from the commercial benefits in terms of software in opex mode at extremely competitive prices, I believe the speed at which Proofs of Concept (POCs) can be conducted to test and validate these services and the ease of deployment are the key benefits of this approach.
Can you comment on the differences in security cover for older applications vs newer applications?
Compatibility and integration of older applications with the latest IT and security technologies / capabilities are probably the most evident difference. A lot of customization may be required to secure older applications, which on occasion may also not be technically feasible.
How is the shift to containerization changing the approach towards application security?
Keeping containers secure throughout the development life cycle represents many challenges to security and development teams. Implementing a well-defined and tested DevSecOps model is the most effective approach to address security in containerized environments.
Any examples of business units stepping forward to take charge of security aspects for their applications and data?
Business teams taking lead in identifying new solutions to address business problems or to improve productivity is evident in almost every industry. This shadow IT approach does increase the risk for an organization, but we believe good due diligence, risk management and change management practices along with effective security awareness across the organization are required to address risk arising from such shadow IT projects. No specific example, but we can emphasize the awareness amongst business teams to ensure security team involvement and sign-off for such projects.