CISOs face vendor delivery gaps despite rising IS budgets
As information security issues are getting complex, CISOs discuss crucial measures to bring in effectiveness
Information security is among the top challenges that banks and financial services institutions face today, and the challenge has become all the more critical as these enterprises speed ahead on their digital transformation journeys. Organizations need to ensure that their risk exposure remains adequately contained even as they enter digital ecosystems.
Information security today is a highly specialized discipline: attacks are targeted yet organization-wide in impact, causing alarming damage that includes disruption of operations, financial losses and reputational harm. It is therefore vital that organizations, especially banks and financial services institutions, have a comprehensive understanding of the threats, how they evolve and how to create an environment that can withstand them.
Even as the threats loom large, security perspectives have become increasingly complex for those combating them in organizations - the CISOs, the CIOs and the CTOs. In one sense, this complexity by itself creates security weaknesses. Banking Frontiers interacted with senior CISOs of the financial sector with the aim of demystifying these perceptions and arriving at a common understanding that can lead to more robust security. The discussions covered standards-related, vendor-related, technology-related, blockchain-related, security policy-related, innovation-related and cost-related issues, and the CISOs also expressed their personal opinions on issues in general.
Standards help create a convergence that aligns more resources and thereby drives faster maturity of solutions. They also help in the long run, as non-standard solutions run out of steam much faster. We began our study with a question on standards.
Vivek Gupta, CISO at Allahabad Bank, touched on standards-related issues in depth. Responding to the query on what new protocols and standards (eg SAML, OpenID, OAuth, FIDO, etc) he sees as improving security in a substantial way, he said: “In case of internal access to servers, as is the case of most of the banks, the use of open standards for authentication is very limited, where the same is carried out through an internet enabled website. However, FIDO can be integrated internally, where a USB token is used, and some other standards can be internally set up in internal servers and use of the same is expected to go up. Use of authenticator apps through mobile phones is on the rise, as they eliminate the need for OTP. The mobile phone of the user with any suitable authenticator app works as second factor authentication. Evolving standards and protocols such as Fast ID Online (FIDO) for strong authentication, XML based Security Assertion Markup Language (SAML), OpenID and OAuth2 for exchanging authentication and authorization data leading to Single Sign On solutions will avoid storing multiple credentials in multiple databases. If the single proof of identity or authorization is from a trusted & reliable source, it would improve the security in a substantial manner.”
Asked about countries like Japan, Korea and now Singapore, which have mandated that organizations isolate their networks by separating internet and intranet traffic, he felt the approach of these countries is quite prudent and secure, as a clear air gap provides enhanced security not only for the employees but also for the organization. “The likelihood of a security incident is also minimized. However, with the use of modern technological solutions like NGFW, Proxy, WAF, Anti APT, DLP, NBA, NAC etc in a strictly monitored and controlled manner, limited access to certain sites and corporate emails can be allowed. Actually, internet and emails are the main sources of security risks, which if exploited cause multifarious compromise and damage. Different policies for various network zones and based on the type of users should be defined and implemented. Similarly, continuous monitoring and damage control capacities should be developed within the organization. In the absence of these, air gap, USB block etc are really for the betterment of the security status,” says he.
The CISO and his/her team may be the masters, but this is one area where they have to depend on external experts to deliver. No bank expects its CISO to create all the required solutions internally. So vendor dependence is very high in this domain, and the resulting issues are those of delivery models, gaps between promise and delivery, handling the growing number of vendors, and so on.
Commenting on vendor-related issues, Nabankur Sen, CISO, Bandhan Bank, says managed security services (MSS), including VA/PT and AppSec, anti-phishing and brand monitoring, are the most desirable security services as compared to purchasing products and licenses. The biggest gaps between promise and delivery by prominent eSecurity vendors, he says, are closure of identified vulnerabilities, transparency in alert generation and reporting, and handling of false positives and false negatives.
Sen also says the biggest frustration with vendors of non-security products is that applications are not tested and made free of security bugs before delivery. He foresees the BFSI sector moving in the near future to a model with a smaller number of multi-solution eSecurity vendors.
Prateek Mishra, CISO, IDBI Federal Life Insurance Co, names an automatic ticket creation and closure tool and Network Access Control (NAC) as the items preferred as services rather than products. He is of the view that security vendors are not able to cope when volumes increase, and that they are re-branding the same products by putting AI/ML tags on them. He also sees reluctance on the part of vendors of non-security products to adhere strictly to security policies.
Mishra sees the model of an increasing number of specialist eSecurity vendors as emerging for the BFSI sector in the near future.
Gupta of Allahabad Bank says MSS through qualified, experienced and sufficient support team on a 24x7 basis with network, email, user and database security, along with secure configuration are more meaningful than procuring and installing security products alone. “Frequent VAPT and IS audit, supported with balanced and quick compliance of the same is another important pillar of strong security basis of an organization. Moreover, security services such as availing anti-phishing, anti-malware, website monitoring etc can be outsourced to professional vendors having world-wide tie-up arrangement for taking down fake sites, which are otherwise not cost effective when handled in-house,” says he.
As regards the biggest gaps between promise and delivery by prominent eSecurity vendors, he says the critical one is about adhering to a time schedule. “A delayed project offsets other projects and sometimes offsets initial advantages. Lack of ability to warn against new type of cyber attacks and also lack of ability to handle any unseen / new type of cyber attack on the system are also impediments. In addition, quality, experience, expert level training, attrition, attitude, integration with the organization, SLA implementation etc are serious concerns while taking services of a security vendor,” says he.
Gupta maintains that non-security vendors do not have any provision for recovery from damage due to attacks and offer only one option: restoring an old / previous backup. Coordination between engineers of various service providers, version control and testing, and compliance with security and information systems audits are big concerns for banks, he says, adding: “A major role is played by CBS, internet banking, mobile banking, CTS, SWIFT and help desk application vendors and the scope for dissatisfaction, scope to set right the key issues on urgent basis go the same way”.
He also sees a smaller number of multi-solution eSecurity vendors as the ideal engagement model for the BFSI sector.
A CISO of a public sector bank, who does not wish to be named, felt security audit services, cyber security training, anti-phishing, anti-rogue, anti-trojan and managed security services are better availed as services rather than bought as a product/license.
PROMISE VS DELIVERY
He is of the view that the biggest gaps between promise and delivery by prominent eSecurity vendors pertained to understanding the requirements properly, compliance to the standards and effective dashboards for proper visibility.
Non-involvement of IS requirements from the beginning of a project and non-deployment of enough skilled staff were, according to him, the biggest frustrations with vendors of non-security products. He sees an increasing number of specialist eSecurity vendors as the preferred vendor engagement model for the BFSI sector.
Speaking on emerging areas where security automation can make a big difference, Mishra of IDBI Federal Life Insurance says automatic ticket creation and closure is the key area. Says he: “Security devices are generating huge amounts of logs, which get integrated with the SIEM. L1 analysts spend a major part of their time identifying the anomalies and raising tickets for them. The same is the case with threat hunting from historical logs. A solution is needed to automate the identification of such anomalies by correlating with historical data, and a ticket must subsequently be raised. Historical analysis is missing as of now.”
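What Mishra describes, correlating today's activity against historical logs and raising (and later closing) tickets without an L1 analyst in the loop, as an added example that is not part of the original article and not the code of any product mentioned in it. The log format, the thresholds (each user's own mean plus three standard deviations, with a floor of five failures) and the Ticket fields are assumptions made for this illustration, and every log line is constructed sample data:

```python
"""Baseline-driven anomaly detection with automatic ticket creation and closure.

Added illustration: the log format, thresholds and Ticket fields are assumptions,
not the interface of any SIEM or ticketing product; all log lines are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def make_lines(day, user, ok, fail, src="10.0.0.5"):
    """Construct synthetic auth log lines (sample data, not real logs)."""
    return (
        [f"{day}T08:{i:02d}:00 auth user={user} src={src} result=OK" for i in range(ok)]
        + [f"{day}T09:{i:02d}:00 auth user={user} src={src} result=FAIL" for i in range(fail)]
    )


def daily_failures(lines):
    """Count failed logins per (user, day); lines that do not parse are skipped."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["result"] == "FAIL":
            counts[(m["user"], m["day"])] += 1
    return counts


def baselines(history_counts, days):
    """Per-user mean and population std-dev of daily failures over the history
    window; days with no failures count as zero instead of being dropped."""
    users = {user for user, _day in history_counts}
    series = {u: [history_counts.get((u, d), 0) for d in days] for u in users}
    return {u: (mean(v), pstdev(v)) for u, v in series.items()}


def detect(today_counts, base, k=3.0, min_count=5):
    """Flag users whose failures today exceed mean + k*std of their own history.
    min_count is a noise floor for quiet users and the only threshold for users
    with no history at all."""
    anomalies = {}
    for (user, _day), n in today_counts.items():
        if user in base:
            mu, sigma = base[user]
            threshold = max(mu + k * sigma, min_count)
            reason = f"{n} failures vs baseline {mu:.1f}+/-{sigma:.1f}"
        else:
            threshold = min_count
            reason = f"{n} failures, no baseline for user"
        if n > threshold:
            anomalies[user] = reason
    return anomalies


@dataclass
class Ticket:
    key: str
    summary: str
    status: str = "open"


class TicketQueue:
    """Dedupes on a stable key so one condition never opens two tickets, and
    auto-closes tickets whose condition has cleared on a later run."""

    def __init__(self):
        self.tickets = {}

    def reconcile(self, anomalies, kind="auth-fail-spike"):
        events = []
        for user, reason in anomalies.items():
            key = f"{kind}:{user}"
            t = self.tickets.get(key)
            if t is None or t.status == "closed":
                self.tickets[key] = Ticket(key, f"{kind} for {user}: {reason}")
                events.append(("opened", key))
            else:
                events.append(("updated", key))
        active = {f"{kind}:{u}" for u in anomalies}
        for key, t in self.tickets.items():
            if t.status == "open" and key not in active:
                t.status = "closed"
                events.append(("closed", key))
        return events


# Constructed history: seven quiet days for alice and bob, then a spike day.
HISTORY_DAYS = [f"2024-05-0{d}" for d in range(1, 8)]
HISTORY_LINES = []
for _day, _a, _b in zip(HISTORY_DAYS, [1, 2, 1, 0, 2, 1, 1], [0, 1, 0, 0, 1, 0, 0]):
    HISTORY_LINES += make_lines(_day, "alice", 5, _a) + make_lines(_day, "bob", 4, _b)
SPIKE_LINES = (
    make_lines("2024-05-08", "alice", 2, 25, src="203.0.113.9")
    + make_lines("2024-05-08", "bob", 4, 1)
    + make_lines("2024-05-08", "carol", 1, 6)   # carol has no history at all
)
QUIET_LINES = make_lines("2024-05-09", "alice", 5, 1) + make_lines("2024-05-09", "carol", 1, 0)


def run():
    """Returns the baselines and the ticket events for the spike day and the day after."""
    base = baselines(daily_failures(HISTORY_LINES), HISTORY_DAYS)
    queue = TicketQueue()
    spike_events = queue.reconcile(detect(daily_failures(SPIKE_LINES), base))
    quiet_events = queue.reconcile(detect(daily_failures(QUIET_LINES), base))
    return base, spike_events, quiet_events


if __name__ == "__main__":
    for item in run():
        print(item)
```

The dedup key is the point that makes this usable: without it every poll of an ongoing spike opens a fresh ticket, which is exactly the analyst overhead the automation is meant to remove. A user with no history (carol above) gets the flat floor rather than a statistical baseline, which is where historical analysis cannot help and the threshold has to come from policy.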
Deception, NAC and adherence to basic security hygiene are, according to him, among the most effective of the emerging security technologies.
Gupta of Allahabad Bank is of the view that complete security automation could be the ultimate goal to meet the ever-rising security and complex requirements and practices. “However, the task is not so easy and cannot be achieved in a shorter timeframe or with restricted efforts. It involves integration of complex solutions, configurations, intelligence sharing, auto updation, etc. Software solutions are available and are being used. Most of the banks are to plan in this direction,” says he.
CX/UX VS SECURITY
On the topic that customer/user experience is often in conflict with security, Gupta says it was traditionally believed that enhanced customer/user experience means a compromise on security. He pointed to the fact that in the recent past a number of applications and Android-based mobile apps with appealing features have found their way into delivering various BFSI services to customers. “As a recent innovation, these apps are subjected to various security analyses and testing as well as user acceptance testing in a test environment with involvement of the ultimate users to achieve the twin objectives. BHIM UPI, banking sites, password managers, authenticator applications for second factor authentication, mega eCommerce portals like Amazon, Flipkart, Snapdeal etc, travel and ticket booking sites as well as mobile apps, have shown regular integration and updation of security and user experience enrichment,” says he.
He feels for the banking sector blockchain technology, use of artificial intelligence and security orchestration would go a long way in delivering products and solutions pertaining to security of financial assets.
The CISO of the public sector bank sees automated security configuration, deception technology, etc as the emerging areas where security automation can make a big difference. Similarly, implementation of a PIM solution has improved the user experience without compromising security.
According to him, the most effective among the recent and emerging security technologies is deception technology.
How should companies fine-tune their security policies to account for multi-cloud scenario, ie the company will not have complete security control when using cloud applications like O365 cloud, Salesforce, Cornerstone, etc?
Sen of Bandhan Bank responds: “I would recommend that logs be shared by the cloud service providers with individual companies to enable them to integrate these logs with their SIEM so that any untoward incident can be identified first hand and suitable alerts generated. This practice, if established, will go a long way in companies adopting cloud services more and more.”
Allahabad Bank’s Gupta feels cloud computing can be explored with the use of strong public and private encryption mechanisms that ensure data at rest, in motion and in process is highly secure. Without this, cloud computing may not be secure, says he.
“Similarly, DLP, ISO certification, frequent security audits, compartmentalization of resources and support, strong localization of data etc in cloud computing would leverage proper use of vast potential and comfort of installation, migration and usage, in addition to being very cost effective in shorter run,” he adds.
Mishra says it cryptically: “Cloud Access Security Broker (CASB), which is on-premises or cloud-based software, must be appropriately implemented by assessing each cloud scenario.”
SOURCE OF INNOVATION
To a query on what has been the source of the most innovative ideas relating to eSecurity, both Mishra and Sen say it is web resources. The CISO from the public sector bank listed these sources as information security team members, other employees in the company, vendors, seminars and conferences and web resources. Gupta too maintains that these are seminars and conferences and web resources.
COMMON SENSE MEASURES
Which according to the CISOs are common sense security measures but which are still not being implemented in many BFSI organizations?
Gupta gives a detailed response: “Use of dual authentication in the internal environment without exceptions, use of remote access of sensitive servers from less secured and controlled environment, use of emails or USBs in privileged systems, common user set in help desk/ service support systems which run in shifts, various policy validations including domain and groups, management of secured configurations, usage made by super users (if PIM is not implemented), managing various vendors, version control and weaker security of test systems/ networks/ data/ users/ backup etc are some of the measures which are very essential but are not implemented often by BFSI institutions.”
He lists suggestions for enhancing security that do not involve the use of any security specific technology:
Use of secure & closed network (Air Gap) within the organization
Awareness of users about the uses of password protected systems
Segregation of applications and their modules to the specified users only
Restriction of free usage of emails on every system inside the organization by each and every employee
Second factor authentication for systems and applications
Regular VAPT and security audits and quick compliance of the same
Properly managed security team and regular reviews of exceptions and processes
Excellent top level support for security team
Sen says scrutinizing logs carefully, configuring alerts in the SIEM rather than leaving them at defaults, and implementing the security policy strictly are the areas that BFSI organizations commonly neglect. He is of the view that periodic risk assessment, not allowing applications with security bugs into the production environment, rectification of vulnerabilities in a time-bound manner (or else penalizing those concerned) and periodic checks of firewall rules are some of the minimum measures needed to ensure security.
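The periodic firewall rule check that Sen lists, as an added example that is not taken from the article or from any vendor's tooling. It walks a first-match rule set and reports rules that can never fire because an earlier rule already covers them (a deny shadowed by a broader permit silently removes a control the policy appears to contain) and permits that expose every service, or a risky service, to any source. The Rule model, the sample rule set and the list of risky ports are constructed assumptions:

```python
"""Periodic firewall rule review: overly permissive and shadowed rules.

Added illustration: the Rule model, the RULES below and RISKY_PORTS are
constructed assumptions, not any vendor's rule export format or API.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Services assumed never acceptable from an unrestricted source (a policy choice).
RISKY_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql", 3306: "mysql", 3389: "rdp"}


@dataclass(frozen=True)
class Rule:
    rid: str
    action: str                              # "permit" or "deny"
    src: str                                 # CIDR
    dst: str                                 # CIDR
    proto: str = "any"                       # "tcp", "udp" or "any"
    ports: Optional[Tuple[int, int]] = None  # inclusive dst-port range; None = any

    def src_net(self):
        return ipaddress.ip_network(self.src)

    def dst_net(self):
        return ipaddress.ip_network(self.dst)


def _ports_cover(outer, inner):
    """True if every port matched by `inner` is also matched by `outer`."""
    if outer is None:
        return True
    if inner is None:
        return False
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return (
        b.src_net().subnet_of(a.src_net())
        and b.dst_net().subnet_of(a.dst_net())
        and (a.proto == "any" or a.proto == b.proto)
        and _ports_cover(a.ports, b.ports)
    )


def find_shadowed(rules):
    """First-match semantics: a rule fully covered by an earlier rule never fires.
    Same action: redundant clutter. Different action: the policy does not do what
    it reads, and a deny behind a broader permit is the dangerous case."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.rid, kind, earlier.rid))
                break
    return findings


def find_permissive(rules):
    """Permits that expose every service, or a risky service, too widely."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if r.src_net() == ANY_NET and r.ports is None:
            findings.append((r.rid, "any service from any source"))
        elif r.src_net() == ANY_NET and r.proto in ("tcp", "any"):
            exposed = [n for p, n in RISKY_PORTS.items() if r.ports[0] <= p <= r.ports[1]]
            if exposed:
                findings.append((r.rid, "risky service from any source: " + ",".join(exposed)))
        elif r.ports is None and r.proto == "any" and r.src_net().prefixlen <= 8:
            findings.append((r.rid, "any service from a broad source"))
    return findings


# Constructed rule set, evaluated top-down, first match wins.
RULES = [
    Rule("R1", "permit", "10.0.0.0/8", "10.20.0.0/16", "tcp", (443, 443)),
    Rule("R2", "permit", "0.0.0.0/0", "10.30.1.10/32", "tcp", (443, 443)),
    Rule("R3", "permit", "0.0.0.0/0", "10.30.1.10/32", "tcp", (3389, 3389)),
    Rule("R4", "permit", "10.0.0.0/8", "10.20.0.0/16"),
    Rule("R5", "deny", "10.0.5.0/24", "10.20.0.0/16", "tcp", (443, 443)),
    Rule("R6", "permit", "192.168.0.0/16", "10.20.3.0/24", "tcp", (443, 443)),
    Rule("R7", "permit", "10.1.0.0/16", "10.20.0.0/16", "tcp", (80, 80)),
    Rule("R8", "deny", "0.0.0.0/0", "0.0.0.0/0"),
]


def review(rules=RULES):
    return {"shadowed": find_shadowed(rules), "permissive": find_permissive(rules)}


if __name__ == "__main__":
    for section, items in review().items():
        print(section)
        for item in items:
            print("  ", item)
```

Shadowing is computed as containment of the whole 5-tuple, so a later rule is reported only when every packet it could match has already been decided by an earlier rule; partial overlaps are not reported and would need a proper packet-space subtraction. Real rule exports also carry zones, negations and object groups, which have to be expanded into plain address and port ranges before a containment test like this means anything.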
For Mishra, the measures that are routinely forgotten are automated inventory management (of CCTVs, desktops, printers, servers etc), thorough user access management (covering access given to employees along with that given to vendors), secure configuration and patch management across all systems, metrics on the effectiveness of individual security controls, and proper API inventory and API assessments.
He suggests innovative ways to impart user awareness and creating security metrics for board perusal as the 2 measures that can enhance security without the use of technology.
With Bitcoin and its likes in the news every day, one question that many people think about is whether it will empower criminals more than honest citizens. All the 4 CISOs here unanimously agreed with this sentiment. So policy makers and decision makers should definitely factor this in their future plans.
Another issue of public concern and debate is the race between social engineering being used for cheating and crime and technology being used to counter it. The CISOs representing the PSU banks believe that technology will overcome the challenges of social engineering, while the other two CISOs believe otherwise.
One factor that affects the performance of CISOs is whether managing their team is becoming a more complex task, or is the complexity declining. 3 out of our 4 CISOs say that team managing complexity has increased. The dissenter is the CISO of a PSU bank.
The final question that we considered, which is on everyone’s mind, is which is the greater eSecurity threat – an insider within the organization or some predator beyond national boundaries. Mishra believes that the internal employee is the greater threat, while our other 3 CISOs fear external forces outside the country.
Vivek Gupta feels complete security automation could be an ultimate goal to meet the ever-rising security and complex requirements and practices in BFSI sector
Nabankur Sen foresees that the BFSI sector would move to a model with a smaller number of multi-solution eSecurity vendors
Prateek Mishra advocates implementation of CASB by assessing each cloud scenario in order to ensure security in a multi-cloud scenario