The document discusses the importance of data security standards and certifications for businesses in light of rising cyber attacks. It notes that India has witnessed disruptive ransomware attacks that threaten heavy damages including data loss and business disruptions. The document states that CISOs must re-examine their data protection applications and build innovative applications to generate insights to make informed decisions in response to security threats.
CONTENTS

• Publisher’s Note: Wear Your Thinking Cap (04-05)
• Sponsor’s Note: Partnering on Security (06-07)
• Prologue: Setting The Context (08-09)
• Methodology: Our Modus Operandi (10-15)
• About The Authors (16-17)
• Security Standards & Certifications: Which Ones Matter? by Anil Porter, AVP - IT & GDS Services, Interglobe Technology Quotient (18-23)
• Developing an Effective Security Operations Centre, by Anis Pankhania, General Manager – IT Delivery Excellence, Vodafone India (24-29)
• Beyond the Enterprise: Securing the Third Party Ecosystem, by Anuj Tewari, CISO, HCL Technologies (30-35)
• Harnessing the Power of Collective Intelligence for Cyber Security, by Colonel Darshan Singh, Vice President, ABB India (36-41)
• The Art of Security Management: Gaining Visibility and Control, by Jagdeep Singh, CISO, Rakuten India (42-47)
• AI & Machine Learning Applications for Cyber Security, by Rajeev Verma, Deputy General Manager – Information Security, SRF (48-53)
• Risk-Based Approach for Application Development, by Rajendra Mhalsekar, President and Head Corporate Banking Technology, Yes Bank (54-59)
• Aligning Security and Risk Management with Bimodal IT, by Rajiv Nandwani, Director, VP – GIS & CISO, VP – Facilities, InnoData (60-65)
• Compliance and Risk Management Beyond IT, by Satyanandan Atyam, AVP, Head Risk Management & CISO, Bharti AXA General Insurance (66-71)
CISO Think Tank
Publisher’s Note

WEAR YOUR THINKING CAP

Cyber security has gone from the back room to the boardroom. And the reasons are not far to seek. Scarcely a week passes without newspaper headlines proclaiming the exposure of thousands of customer records, theft of digital currencies, or valuable corporate IP being siphoned away. The problem is so pernicious and ubiquitous that the digital crime economy now dwarfs the illegal drugs industry.

This situation is unlikely to change soon. As economic pressures and customer demand compel organizations in India to rethink and re-engineer their business processes, the use of technology to automate and speed operations is increasing. Previously isolated systems are getting linked, and new types of interdependent digital ecosystems are being formed. The mobile revolution, cloud services and the advent of IoT have also contributed to the dissolution of the enterprise perimeter. Consequently, traditional cyber defenses are no longer adequate for this new digital world.

In fact, the velocity of change in business operating models is so rapid that IT departments are struggling to cope. And in the haste to capture market opportunities, security and prudence are sometimes taking a back seat—with disastrous outcomes. At other times, it is the ingenuity of the attacker that beats the best systems. Cyber criminals, now working in concert, have developed increasingly sophisticated exploits—and even the best defended systems are succumbing to their inexorable attacks.

In the midst of this maelstrom are the CISOs—aided by new technologies and techniques—striving to avert the ever-imminent calamity. This publication aims to spur discussion on some issues of contemporary concern and to share knowledge on prevalent practices in the cyber security community. We hope you find the content, which has been put together by members of the information security community, useful and insightful.

Vikas Gupta
Director, 9.9 Group Pvt. Ltd &
Publisher, CSOForum
Sponsor’s Note

Microsoft’s mission is to empower every person and every organization on the planet to achieve more. As our CEO, Satya Nadella, stated, “Businesses and users are going to embrace technology only if they can trust it”, and therefore we want to make sure our customers can trust the digital technology that they use. We have made investments in privacy and control, security, compliance, and transparency, and especially in those features that matter the most to our customers.

We’re committed to being a leader in this space, but security is not a problem we can address alone. Microsoft’s approach to security encompasses three pillars: Platform, Intelligence and Partnerships. Our commitment is to make sure our products work with technology you already use, based on your feedback, leveraging the collective intelligence we can build, and to foster a vibrant ecosystem of partners who help us raise the bar across the industry.

Microsoft collaborates extensively with governments and organizations around the world in sharing industry standards, providing guidance on cyber security best practices, and engaging in protecting critical infrastructure sectors.

The CISO Think Tank in India has been a great way for us to engage, collaborate and get feedback from our customers/CISOs on the modern day threat landscape relevant to India. It has also helped us establish deep and continuous engagement with the CISO community to share information about the latest developments in cyber security, impart knowledge on best techniques and practices, and facilitate peer-to-peer knowledge sharing amongst CISOs and security practitioners.

Through this initiative we have also been able to collaborate with the CISOs on 9 cyber security whitepapers across several critical topics like managing security, risk, compliance, partner ecosystems, and collective cyber security intelligence. The CISO Think Tank digital coffee book will further help us share our learning and best practices with the larger community and leverage digital/social tools further for collaboration on these topics.

Thanks to all the CISOs and 9.9 Group for being part of the CISO Think Tank initiative so far. A special thanks to the authors of the digital coffee book whitepapers for their thought leadership! We look forward to a continued strong journey with you in our fight against cybercrime.

Vanitha Varadarajan
Director-Security Solutions
Microsoft India
Prologue

SETTING THE CONTEXT

The CISO Think Tank is a compilation of community-led and community-driven content that is timely, useful and relevant to cyber security practitioners. The main purpose of putting together this document is to facilitate peer-to-peer discussion and information sharing, and to share the latest developments in cyber security. This book provides a platform for recognizing CISO expertise.

For the CISOs, it is just the right time to finalize their priorities. The CISO role today is becoming more business focused. While it is still about making decisions, performing risk assessments and understanding the latest technology solutions in the market, it is now more about influencing, stakeholder management, positioning and communication.

The CISO Think Tank is designed to help impart knowledge on best techniques and practices. It lists a broad set of topics for CISOs to focus on, and sets the tone for the rest of the year! This book also displays a CISO’s deep understanding of the ‘what’ and the ‘how’ of some of the most relevant security topics. It gives them an opportunity to address the challenges and offer recommendations and solutions based on the CISO’s experience in their area of expertise and interest. This book lends some very important perspectives from some of your peers in the industry.

The CISO Think Tank also sets the context for the 10th Annual CISO Summit, where some of the top security professionals will gather to discuss issues of contemporary relevance that are likely to influence the CISO’s role in the enterprise.
Methodology

In the last quarter of 2017 and early 2018, a series of meetings were organized in Delhi, Mumbai and Bangalore with members of the CISO community to discuss the emerging security challenges, review the latest developments in cyber security technologies, and share learnings on best techniques and practices. It was soon apparent that the collective knowledge and insights would be of great value to the entire community—and needed to be widely disseminated. That was the genesis of this volume.

A list of topics was prepared on the basis of research and discussion with the Advisory Committee Members and India’s leading CISOs. Cyber security practitioners attending the CISO Think Tank meetings were invited to take up a topic—and prepare a whitepaper or presentation. Some authors opted to work together in teams to prepare the document—while others went solo. Advisory support was provided by technical experts from Microsoft’s cyber security practice.

Each author group was provided with a basic framework for preparing the presentation, along with guidelines for writing a white paper. All the nine teams worked on the initial drafts—and presented their work at a second Think Tank meeting in February-March 2018. The teams made a short presentation to the group at the meeting and other CISOs were encouraged to provide inputs, advice, and suggestions to the authors. The final version of all the presentations was submitted in March 2018.

USING THIS BOOK

Each paper in this volume is focused on a specific facet of cyber security and has been organized to provide information in a concise and comprehensive fashion. You can use this as a workbook to gauge your own knowledge and organizational readiness—and as a starting point to initiate action.

CISO Think Tank has been prepared with the involvement of most of the participating CISOs in CSOForum’s advisory board. It delves into issues of contemporary relevance that are likely to influence the CISO’s role in the enterprise.

CSOForum circulated a basic brief on each of the topics to the respective chairpersons. It also shared a framework for presentation, with full independence for chairpersons to modify it as needed. All the CISOs were divided into 9 working groups. Each group worked on one specific topic, which appears as one whitepaper in this book.

The whitepapers will be compiled and published as a book, and sent to the entire CISO community. The topics were decided after thorough research by the CSOForum edit team and consultations with selected CISOs.
MUMBAI
27th September 2017
15th March 2018

The first session of the seven-part CISO Think Tank Series organized by CSOForum in collaboration with Microsoft commenced at the Bandra Kurla Complex in Mumbai, on 27th September 2017. The event was attended by 25+ CISOs of leading organizations based in Mumbai, India. They discussed the emerging security challenges and reviewed the latest developments in cyber security technologies, during which several security topics were prepared on the basis of research with the Advisory Committee Members and India’s leading CISOs. Cyber security practitioners attending the CISO Think Tank meetings were invited to take up a topic—and prepare a whitepaper or presentation. Some of these topics were presented on 15th March 2018, during one of the CISO Think Tank workshops in Delhi.
DELHI
27th October 2017
8th February 2018

The second session of the seven-part CISO Think Tank series took place on 27th October at The Leela Ambience, Gurgaon on 20th November 2017. The event was attended by 25+ CISOs of leading organizations as well as senior Microsoft delegates based in Delhi, where they chose topics for whitepapers that they would later present on 8th February, 2018, at the same venue in Delhi.
BENGALURU
20th November 2017
22nd February 2018

The third meet of the seven-part CISO Think Tank series took place at Vivanta by Taj, Bengaluru on 20th November 2017. The event was attended by 25+ CISOs of leading organizations based in Bengaluru, where they chose topics for whitepapers that they would later present on 22nd February, 2018, at the same venue. The delegates from Microsoft also gave presentations on select security topics, adding context to the series.
KOLKATA
25th April 2018

The last session of the CISO Think Tank series commenced at The Lalit in Kolkata. The event was attended by security practitioners across leading organizations in Kolkata. Microsoft conducted a security workshop and discussed a wide range of topics, including cyber security best practices in today’s landscape, among others.
Author’s Profile

• Anil Porter, AVP - IT & GDS Services, Interglobe Technology Quotient (p. 19)
• Anis Pankhania, Head - Products and Applications - IT - Customer Experience, Vodafone India (p. 25)
• Anuj Tewari, CISO, HCL Technologies (p. 31)
• Col. Darshan Singh, Vice President & Head - Security, India Sub Region, ABB India (p. 37)
• Jagdeep Singh, CISO, Rakuten India (p. 43)
• Rajiv Nandwani, Director, VP – GIS & CISO, VP – Facilities, InnoData (p. 61)
• Rajendra Mhalsekar, President & Head Corporate Banking Technology, Yes Bank (p. 55)
• Rajeev Verma, Deputy General Manager - Information Security, SRF (p. 49)
• Satyanandan Atyam, Associate Vice President, Bharti AXA General Insurance (p. 67)
Security Certifications

Businesses today are realizing the growing importance of data security. But the rising incidence of cyberattacks and the lack of security skills within organizations are a huge concern. In the last few years, India has witnessed disruptions from cyber attacks through ransomware such as WannaCry and Petya, among others. These attacks and breaches threaten to trigger heavy damages, including loss of data and disruptions in business. They could also include regulatory compensation. So, policy, rules, and practices must address cybersecurity and data breaches.

CISOs must re-examine their data protection applications and build innovative new applications that generate rich insights into business, industry, and customers, enabling them to make informed decisions and quickly take decisive action, while also protecting this data against any breach. This data protection need is constantly evolving, and it is becoming crucial for Indian organizations to focus not only on data protection but also on data recovery.

There are certain practices that CISOs must adopt to protect their business from data losses. Clearly, data is changing hands from devices to data centers to cloud, and therefore CIOs must analyze how fast and efficient their data protection infrastructure is, and what new elements can be used to make it as efficient as possible. Increasingly, organizations are realizing the need to have standard practices not only for protecting their assets, but also for data recovery.

Therefore, CISOs need to conduct a thorough risk assessment and, in turn, recognize that every organization’s risk profile is different, and that one size, standard or certification won’t fit every organization. A standard control requirement may effectively close a gap in one instance, but not work well in another. Not every risk can be avoided or effectively mitigated. Risk management requires some level of risk to be understood, communicated, and, ultimately, accepted.

ANIL PORTER
AVP - IT & GDS Services, Interglobe Technology Quotient

Anil has over 20 years of technical experience in the information security field. His responsibilities include conducting employee security awareness training, developing secure business and communication practices, identifying security objectives and metrics, choosing and purchasing security products from vendors, ensuring that the company is in regulatory compliance with the rules of relevant bodies, and enforcing adherence to security practices. Anil has comprehensive experience in building high performance teams, in-sourcing vendor operations, auditing IT general controls, business transitions, and network security, among others.
THE PROBLEM
What to protect? Too much to protect, or too much hype!!
• The biggest challenge for CIOs and IT leaders in 2018 is the strategic protection of PII and data for their enterprises
• IT skills gap–a shortfall between the supply of qualified IT professionals and the necessary IT skills
• Merging old and new
• Legacy processes and the willingness of business to fund risk posturing, since no defined model and matrix is available
• Needless to say, one size (standards & certifications) doesn’t fit all

WHY DOES IT EXIST?
• Till date there is no defined model and matrix available as a guide to different sizes and classes of business
• CIOs are confused and driven more by the hype cycle
• Threat of being out-of-date, both for the CIO and for technology selection
• No ROI model available to get funding to protect – What and Who
• Consultants will always do an overkill

HOW DO WE DEAL WITH IT?
• KIS (Keep It Simple)
• Risk assessment of the business across all functions
• Get a heat map and relative ranking of all risks accounted for in the risk register
• If IT/Info Security/End Point Protection/Data at various end points gets listed in the top 10, then you will have business buy-in

CHALLENGES & RISKS
• Most organizations do not accept and acknowledge information as a risk
• Data is the core which needs protection, and it has never been classified (including IP/IPR, source code, structured and unstructured DBs)
• Run various scenarios of data loss or theft with key stakeholders and get their analysis of the business impact, which should include all aspects such as financial, brand, customer loyalty, future earnings, stock price etc.

NEXT STEPS
Keep IT simple
THE BEST PRACTICE TOOLKIT

The toolkit is read as a matrix: employee size (0-200, 200-500, 500 and above) against the risk ranking based on the enterprise risk register (Low, Medium, High, Critical). The complexity of the IT landscape of the organization is expressed at one of four levels, each carrying a cumulative set of recommended controls:

• Ad-hoc: System Hardening, AV, Firewall
• Prescribed: System Hardening, AV, Firewall, HIPS, DLP, Encryption, SSO, SIEM, Content Filtering
• Standardized: System Hardening, AV, Firewall, HIPS, DLP, Encryption, SSO, SIEM, Content Filtering, ISO 9001
• Quantitative & Optimized: System Hardening, AV, Firewall, HIPS, DLP, Encryption, SSO, SIEM, Content Filtering, ISO 9001, ISO 27001, ISO 20000
PwC RECOMMENDS

Define your own operating model framework for information security, which requires a deep understanding of the organization’s strategy, culture, politics, risks and regulatory regime.

Future Forward
Security Operations

The threat environment confronting a business organization today is daunting. Not only are data breaches growing larger, but disruptions to business operations by malevolent entities are becoming increasingly frequent and disruptive. Organizations can no longer rely on basic security solutions like firewalls and anti-virus software to thwart increasingly sophisticated threat vectors. You need to employ multiple kinds of technological defences and maintain an unremitting vigil to take protective or preventive action when a threat is identified. This is easier said than done.

The attack surface for a medium to large organization with hundreds of employees, multiple operational systems, and numerous offices is already daunting. When you add in the proliferation of new technologies such as the Internet of Things (IoT), cloud, and fuzzy network perimeters, the risk of falling prey to a cyber-attack increases dramatically. So, it’s no surprise that many organizations are looking to either implement a new Security Operations Center (SOC) or enhance an existing one to reduce the risk of delays in detecting and responding to cyber incidents. However, to create and operate a successful SOC, organizations need to invest in three things: People, Processes and Technology.

• People: Having the right people to staff the SOC is essential to success. Team members will need to have proper skills and training, since they will be making security-related decisions that will impact every facet of the business.
• Processes: Having a consistent, well-defined and regularly-tested process will ensure that the SOC is effective and efficient. Hence, before operationalizing a SOC, proper policies and procedures should be defined, along with responsibilities for individuals.
• Technology: Security technology is crucial to protecting data, detecting threats and alerting teams. Often, the core of the SOC security technology architecture is a Security Information and Event Management (SIEM) system. It analyzes event and contextual data from the security devices that feed into it, such as firewalls, IPS, web and email protection tools, IdM etc. But their protective abilities are not the only factor driving SOC effectiveness. In a distributed threat landscape, security technology also needs to function as part of a collaborative architecture that automates the sharing of intelligence and centrally coordinates threat response.

ANIS PANKHANIA
General Manager – IT Delivery Excellence, Vodafone India Ltd

Anis has over 21 years of rich experience in leading the Information Security function. He possesses sound knowledge of ISO Standard audits, PCI DSS audits, network security, governance, and IT and security processes. Anis has held several leadership positions with large telecom and IT companies in India. He has established IT divisions from scratch, including design of strategy and execution roadmap, operating procedures, multi-site facilities, and end user workspace for over 10000 users.
THE PROBLEM
• Increasing attacks and threats
• Managing compliance
• Business continuity and protection of critical data
• People, process and technology
• Team knowledge and shortage of skills
• Clarity on processes
• Segregation of duties
• Operational efficiencies and enablement

WHY DOES IT EXIST?
• Management approach
• Increasing data volumes, variety and complexity
• Ever changing threat landscape
• Evolving techniques and technology
• First layer of defence
• Reactive approach
• Limitations of security tools
• Security roles and responsibilities

Triad of Security Operations: People, Process and Technology
• SOC Process: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
• People: Formal Training, Internal Training, On-the-Job Experience, Vendor-Specific Training
• Technology: Endpoint, Netflow, Network Monitoring, Threat Intel, Forensics, Incident Detection/Management
CHALLENGES AND RISKS
• Budgets
• Resource crunch
• Skill deficit
• Security Operations Centre
• Adapting to changing platforms
• ROI - Maximizing the value of security investments

THE BEST PRACTICE TOOLKIT
• Automated analysis
• Build incident response (IR) team
• Define response team roles
• Train response team
• Identify plan gaps and areas for improvement before an incident occurs
• Assess IR plan effectiveness and IR team ability to execute
• Tools: QRadar, ArcSight, Splunk

Next Steps - Align the Model
• Utilize and scale your teams to provide 24x7 threat monitoring
• Prepare for, and proactively hunt, threats
• Apply predictive/proactive intelligence
• Detect the unknown with enhanced analytics
• Use artificial intelligence (AI) and machine learning (ML) for analytics
• Extend threat visibility to the cloud

Identify threats early to mitigate risk
• Empower IR team
• Build communications flows and procedures
• Define roles in the response team
• Identify gaps in response plans
• Learn from incidents and apply findings

Invest in Success
• Automate as much as possible to reduce the load of Level 1 tasks
• Share information and eliminate silos between teams
• Provide threat intelligence feeds and security tools to make teams successful
• Retain top talent and feed their thirst for knowledge
• Train employees, your first line of defence
• Evolve your SOC by combining technology and human expertise
• Do the basics well – regular patching, hiring the right people
• Empower your resources
• Adopt a proactive approach to deter emerging threats
• Integrate deception technologies to bait attackers
SANS INSTITUTE RECOMMENDS

As you tackle the challenge of building a Security Operations Center (SOC), your ability to anticipate common obstacles will facilitate smooth start-up, build-out and maturation over time. Though each organization is unique in its current security posture, risk tolerance, expertise and budget, all share the goals of attempting to minimize and harden their attack surface and swiftly detecting, prioritizing and investigating security incidents when they occur. Working within the constraints of your organization, while pushing the boundaries and striving to achieve its critical security mission, your SOC can be a critical and successful venture—and a key contributor to your organization’s continuously improving security posture.
Beyond the Enterprise

As increasing numbers of organizations join the digital bandwagon, the size and scope of the third-party ecosystem is increasing. From manufacturing partners to logistics suppliers, marketing associates to dealers, cloud service providers to remote infrastructure management agencies—the number of third parties that have access to your IT systems and data continues to increase. And this burgeoning growth of ecosystem business partners has a significant impact on the security posture of your organization.

Exacerbating the complexity of securing this third-party ecosystem is the fact that organizations often have multiple relationships with one another, and the fact that organizations may have indirect relationships with even more parties to meet business needs. In fact, the risk to strategic data assets is not just from any single third party, but from the web of relationships that comprise the data ecosystem.

Organizations need to realize that managing this digital risk is not just a compliance and contract issue, but a fundamental strategic challenge. The first challenge is to understand the diversity of third parties in your business ecosystem. What kinds of entities have access to your data, information and IP, and why? The next challenge is to ascertain exactly who is in your value chain, and what they are doing. You need to know who is “touching your stuff”– virtually and physically. The exponential growth of IoT and connected devices within your value chain will create yet another challenge to driving a comprehensive approach to security across your value chain. Finally, what will be the right way to assess the risk and implement security across all third-party entities?

Many organizations are unaware whether their vendors have adequate data safeguards, security policies and procedures to respond effectively to a data breach. To remedy this problem, you need to develop a comprehensive security architecture that you can share with and deploy within your third-party ecosystem.

ANUJ TEWARI
CISO, HCL Technologies

Anuj is a dynamic leader in the security arena, with specialized information security, risk management and leadership experience. His wide array of cyber security experience, coupled with capabilities in business development, personnel management, and fiscal planning, forms a unique ability to understand and manage all areas of the cyber security arena. The diversity of these skill sets has helped him understand client business requirements, analyze security needs, and communicate at all levels of an organization to ensure effective operations, strong client relationships, and continued business growth.
THE PROBLEM
Trends - Increasing Dependence on Third Parties
• Globalization and expanded use to support core products
• Expertise, innovation and speed to market
• Economic pressure – need for efficiencies and cost savings
• Expanded need for governance models

Risks - Heightened Threats
• Third party breaches dominate the news
• Complexity/pace of the risk landscape is outpacing industry response
• Likelihood of a material breach (10k or more records) in next 2 years – 26%
• 450 global breach investigations, 63% linked to a third party component
• Third party involvement increases breach costs (from USD158 to USD172 per record)

WHY DOES IT EXIST?
Why Manage 3rd Party Risks?
Reliance
• Need third parties to deliver critical specialized services
• Several industries are heavy on third party supply chain
• Vendors globally help us achieve our mission
Value
• Maximize value and deliver great commercial outcomes through our relationships
Risk
• Increased regulatory and member scrutiny on how institutions manage vendor risk - operational, cyber security, supply chain, compliance, strategic, financial and reputational

The Impact of Disruption
Disruptions damage your brand and your bottom line
• Loss of productivity (68%) – up 10%
• Increased cost of working (53%) – up 14%
• Damage to brand reputation or image (38%) – up 11%
• Customer complaints received (40%) – unchanged
• Service outcome impaired (40%) – up 4%
• Loss of revenue (37%) – down 1%
• 87% of firms experienced a disruptive incident with third parties in the past 2-3 years
• 70% of firms experienced a supply chain disruption in the past year
• 66% of firms do not have full visibility of supply chains
• 41% of those disruptions came from Tier 1 suppliers
• 40% of firms do not analyze the source of disruption

CHALLENGES & RISKS
Third Party Life Cycle
1. Vendor Profiling & Classification
• Business request – new contract, renewal, service change
• Scope & gather information
• Vendor risk segmentation & tiering
2. Pre-Contract Risk Assessment
• Perform pre-contract assessment for high risk relationships for new contracts
• Business to take ‘Go/No-go’ decision on the vendor based on results of pre-contract assessment
3. Contract & On Board
• Address contractual security requirements for Tier 1 relationships
• Incorporation of ‘Right to audit’ clause in contracts for Tier 2, 3 & 4 relationships
4. Periodic Risk Assessments
• Conduct periodic assessments based on vendor tiers & program guidelines
• Vendor risk assessment report
• Issue remediation & closure
5. Vendor Off-board / Transition
• Asset & data disposal
• Access revocation
• Contractual obligations for high risk vendor
THE BEST PRACTICE
TOOLKIT
Risk Practices – Identify
Key Data
• Personally Identifiable Information (PII)
• Protected Health Information (PHI)
• Card Holder Data (CHD)
• Confidential, Intellectual Property,
Sensitive (CIPS) includes
• Customer
• Board / Executive
• Key process
• Human Resource
• Financial
• Partner
Risk Practices – Identify Key
Technologies
Use of certain technology platforms and
delivery channels pose additional risk
when outsourcing. These include:
• External data hosting
• Cloud for storage and data
processing, especially when PII,
• PHI or credit card data is involved
• New distribution channels for
product/service delivery such as
mobile platforms
• Use of third party custom developed
software
• Any further outsourcing to
subcontractors/fourth parties
Risk Practices – Contracts
• Assess controls based on risk of
product or service to be provided
• Terms and conditions
• Typical standard clauses:
price, liability, confidentiality,
intellectual property, information
security, incident audit rights,
disaster recovery, approval of
fourth party use, cyber-insurance,
termination, payment schedules,
escrow, maintenance schedule,
complaint handling, cross-border data transfers
• Remediation of identified control
weaknesses
• Legal review, selection, negotiation
and notification
• Add third party information to
Procurement system, GRC system
and/or contracts database.
Third Party Risk Management - Lifecycle
Plan, Select
& Due Diligence
Establish
Third
Party/
Contract risk
Third Party/Contract
• New/existing
• RFx/sole source/
renewals
• Relationship owner is
the key
Risk Criteria
• Simple, clear &
consistent
• Applied at contract
level
• Due diligence
requirements
Control Assessments
• Areas to include :
security, information,
personnel, site,
business continuity,
regulatory
requirements, etc.
• Leverage industry
standards
• Capture appropriate
documentation
Remediation/ Issue
Closure
Clauses (Legal Approved)
• Right to audit
• Information security
• Physical security
• Background checks
• Business resiliency/
disaster recovery
• Fourth parties
• Encryption
requirements as
appropriate
• Termination and exit
Authorized Negotiators/
Signers
• Goods and services
• Specialized services
(real estate, benefits,
legal, etc.)
Exceptions and Approval
Leverage
• Assigned risk ranking
• Assessments and prior
reviews
Ongoing Monitoring
• Periodic validation of
risk ranking
• Frequency based
on risk and service
provided
• Agree on scope and
type of review to be
performed
• Perform onsite reviews
• Point in time
assessment move
toward continuous
monitoring
Ensure Issue
Remediation/Closure
Third Party Performance
• Scorecard program
• Reporting
Software and License
Compliance
Termination
• Normal
• Cause
• Convenience
• Breach
Asset Return
• Return and/or
confirmation of
destruction of
confidential data
Exit Strategies
• Developed internally,
not with third party
• Outlines approach to
be followed if critical
third party prematurely
terminates
• Outlines various
options to ensure
continued service
availability
Lifecycle phases: Plan, Select & Due Diligence; Contracts; Ongoing Monitoring; Terminate.
Supporting practices: ensure use and completion of templates and control assessments; standard contract language; formalize oversight and monitoring; exit strategy and asset return.
KPMG RECOMMENDS
Organizations will
need to formalize
their activities and
implement clear
owners of third-party
risk management
that are responsible
for the end-to-end
process, from due
diligence planning to
remediation activities.
Future Forward
Collective Intelligence
Colonel Darshan Singh was commissioned in the Dogra Regiment (Infantry) of the Indian Army in 1969. During his 28-year tenure he was honored to take an active part in the 1971 Indo-Pak war and was also an integral part of active insurgency operations in J&K/Ladakh and the Eastern Sector of India. Since leaving the Indian Army in 1997, Colonel Darshan Singh has immersed himself in the corporate world, handling infrastructure, facilities, crisis and security functions. He is also actively engaged in conducting training sessions and audits on international crisis and security.
COLONEL DARSHAN SINGH
Vice President, ABB India Ltd
The ‘cyberspace’ is essentially a shared environment—shared among different types of stakeholders, across political boundaries, and between people who want to use it for the productive advancement of society and those who want to thwart those efforts for their own gain.
As the reach of digital technologies, and by extension the cyber footprint, spreads beyond computers and information systems—reaching manufacturing plants and water treatment plants, power generation stations and city transport systems—both the ease of and the incentive for the forces wanting to exploit the situation negatively increase manifold. No wonder cyber-attacks are now not just more common and frequent; they are often more global.
Since the Internet is owned by no one, any counter-attack strategy requires the intended targets of these attacks as well as the indirect victims and stakeholders to work together to nullify or minimize the impact of those attacks.
The power of collective intelligence, hence, is no longer a desirable good-to-have strategy but an imperative.
Some of the stakeholders who are already actively cooperating are:
• The enterprise users
• The public sector
• The government agencies specially created to tackle computer-related emergencies
• Law enforcement agencies
• Academia and the research community, especially those working in security and new emerging technologies
• Security vendors
• Technology companies working in new emerging technologies
However, this sharing of information is often point-to-point and on a need-to-know basis, and not seamless enough to be effective as a pre-emptive measure. While some information sharing is now formalized, much of it, such as among enterprises and between academia and enterprise, is still sketchy, if it exists at all. From research firms to enforcement agencies, many have stressed the need for collaboration and collective intelligence sharing.
In the era of platforms, such a mechanism should be more than the sum of its parts.
CISO Think Tank
HOW TO DEAL WITH IT?
• Empowering security teams with collective intelligence in the form of data that can be visualized.
• Complete data modeling, analytics,
and solutions will help them steel
their systems and people against
attack, without having to sink huge
amounts of money or resources into
data warehousing, harmonizing data
streams, or generating reports.
THE PROBLEM
Physical Threats
• Attacks with drones and other
physical systems (e.g. through the
deployment of autonomous weapons
systems)
• Novel attacks that subvert cyber-
physical systems (e.g. causing
autonomous vehicles to crash)
• Involve physical systems that it
would be feasible to direct remotely
(e.g. a swarm of thousands of micro-
drones).
Political Threats
• Use of AI to automate tasks involved
in surveillance (e.g. analyzing mass-
collected data)
• Persuasion (e.g. creating targeted
propaganda), and deception (e.g.
manipulating videos)
• Privacy invasion and social
manipulation.
• Analyze and distort human
behaviors, moods, and beliefs on the
basis of available data. (e.g. public
decision making).
• Labor-intensive cyber attacks (such
as spear phishing).
• Exploitation of human vulnerabilities
(e.g. through the use of speech
synthesis for impersonation),
existing software vulnerabilities (e.g.
through automated hacking), or the
vulnerabilities of AI systems (e.g.
through adversarial examples and
data poisoning).
USD 16 billion: The Javelin Strategy & Research 2017 Fraud Report discovered that 15.4 million U.S. consumers (a 17.5% increase) lost $16 billion to identity fraud in 2016.
USD 500 billion: Microsoft’s estimate for the total potential cost of cybercrime to the global community.
USD 14 billion: The amount the U.S. government spent in 2017 on cybersecurity. (Source: CIO)
USD 2.1 trillion: The total global annual cost of all data breaches by 2019, as suggested by Juniper Research.
USD 158 billion: The collective amount of money consumers lost globally in 2015 due to cybercrime. The U.S. accounts for $30 billion of that loss. (Source: Symantec)
USD 3.8 million: The average cost of a data breach to a business. (Source: Microsoft)
CHALLENGES & RISKS
• Principles of territoriality
• Principles of legality
• Principles of guilt
• Challenges to preservation and storage of digital forensics
• Challenges to creating a global repository of biometrics
NEXT STEPS
• Policymakers should collaborate
closely with technical researchers to
create credible pools of intelligence.
• Researchers and engineers in
artificial intelligence should take
the dual-use nature of their work
seriously, allowing misuse-related
considerations to influence research
priorities and norms, and proactively
reaching out to relevant actors when
harmful applications are foreseeable.
• Best practices should be identified in research areas with more mature methods for addressing dual-use concerns, such as computer security, and applied intelligence, where applicable.
• Actively seek to expand the range of stakeholders and domain experts involved in discussions of this collective intelligence.
THE PRACTICE TOOLKIT
• Behavioral analytics
• Detection for known attacks and issues
• Advanced threat detection
• Identify anomalies in device behavior
• Measuring detection performance
• Identify anomalies in employee and contractor behavior
• Macro trend analysis
• Detect anomalies in the network
• Assess network vulnerabilities and risks
• Malware research and analysis
THE ART OF SECURITY MANAGEMENT: GAINING VISIBILITY AND CONTROL
Security Management
Over the years, cyber threats have evolved by leaps and bounds and will continue to do so. Criminal organizations, hackers and cyber attackers are expected to become more sophisticated and mature in the next few years and to be able to migrate their activities online at a greater pace. The activity among Indian organizations is also expected to rise, with more and more organizations focusing on their core business and thereby creating more complex and interconnected networks with suppliers, vendors, partners and other third parties, making them more prone to cyberattacks and data leakages. Hence it is imperative for Indian organizations to gear up for the cyber security challenge by formulating security strategies and implementing technology solutions to monitor and manage security risks.
So, while information security risk management is still a lot of science when it comes to the processing skills needed for systematic and rigorous data-driven analysis, it is also a lot of art. Gaining visibility into the DNA of your organization, creating a culture that is a perfect balance between security and convenience and, in turn, understanding the risk framework that connects them all should be deemed both art and science.
Jagdeep is Chief Information Security Officer at Rakuten India. He is a seasoned information security professional with rich expertise in running large security programs aimed at building a robust information security posture for organizations. He also takes care of the existing and future security needs of the business, defines the security roadmap and vision, and executes a security strategy that aligns with business objectives.
JAGDEEP SINGH
CISO, Rakuten India
THE PROBLEM
Security management is a unique blend of technical, general management and, most importantly, risk management skills. You can’t bring in people with only vast leadership experience and the credentials of a top B-school to run the show. Many leaders make the mistake of focusing only on hiring core technical talent to provide security to the business, without checking whether the new hire actually understands the meaning of risk.
CHALLENGES & RISKS
• Old-school thinking that treats security as a list of do’s and don’ts
• Security looked upon as a major cost to the business
• Security still looked upon as a support function
• The security function is given fewer privileges and less authority than other business units
• The culture of the organization could be reactive and change-resistant
THE BEST PRACTICE TOOLKIT
• Translate both security risk and actual compromises into dollar loss
• Practice tabletop exercises more frequently.
• Highlight potential legal risks and map them to security gaps, because that’s where eyeballs get focused immediately.
• Give the business the assurance that the security team complements them and does not compete with them.
• The approach is to reach out with a helping hand rather than pointing fingers when security incidents occur.
• Prepare a comprehensive security roadmap that is realistic and time-bound. Keep stakeholders informed of progress in a timely manner, mapping the reduction in dollar loss to each implementation.
• Don’t shop for products just because a sales rep is offering them dirt cheap and heavily discounted. Products should fill critical gaps and align with the long-term security strategy; the cost of replacing a product at times far exceeds the cost of implementing it.
• Take an outcome- and KPI-driven approach for all initiatives.
• It is very important to build trust with the business and leadership, as the focus is to mature the organization through continuous improvement rather than a mere fault-finding approach.
MUST-HAVES FOR GAINING CONTROL AND VISIBILITY
People
• Build a strong team. Look to build a core group of talented and responsible individuals, and give them authority.
• The core team should have really good engineering, automation and security assurance capabilities; the remaining capabilities can be outsourced or staffed in-house at a lower knowledge tier.
• Focus on organization-wide programs and outreach to support the business in building secure products.
Policy and Process
• This includes policies and practices that have to be followed no matter what. Have the head of the company or the board sign these policies.
• The processes should blend well with the culture and ecosystem of the organization; otherwise people will always find ways to circumvent them and not follow them.
• Always have a strong feedback mechanism for the business to feed in. This leads to driving efficiencies while practising an optimum security posture.
Technology
• Open source capability is a buzzword now: readily available tools can be used for a job with a little customisation and engineering, saving millions that would have gone into buying commercial off-the-shelf products.
• Build systems that talk to each other. Nowadays, multiple products for multiple uses work in isolation. Good organizations make sure their security systems intelligently share information while working on their core proposition.
NEXT STEPS
Step 1
Prepare Security and Risk Management
Teams for Bimodal IT
• Drive an education program on
bimodal IT
• Evaluate the current state of bimodal
IT in the organization
• Identify the primary skills and
technology gaps
Step 2
Build additional organizational
capabilities to support increased agility
and defend against new digital risks
Step 3
Manage Security throughout the Project
Life Cycle
Step 4
Maximize effectiveness with a bimodal
security program
Figure: Threats and vulnerabilities perceived to have most increased the risk exposure of the respondents, 2013–2017 (% of respondents stating each as one of their top two items to increase risk exposure). Vulnerabilities tracked: careless or unaware employees; outdated information security controls or architecture; unauthorized access. Threats tracked: malware; phishing; cyber attacks to steal IP or data; internal attacks; cyber attacks to steal financial information.
PwC RECOMMENDS
In an era where insider threats are rising, weak authentication mechanisms are usually held responsible. Organizations have already put in place controls to mitigate risks stemming from insider threats. However, with advancements in the tools and techniques employed by internal actors, organizations need to continuously adapt and evolve to keep up.
Future Forward
AI & MACHINE LEARNING APPLICATIONS FOR CYBER SECURITY
AI & Cybersecurity
Rajeev has over 12 years of technical experience in the information security function. His responsibilities include conducting employee security awareness training, developing secure business and communication practices, identifying security objectives and metrics, choosing and purchasing security products from vendors, ensuring that the company is in regulatory compliance with the rules of the relevant bodies, and enforcing adherence to security. Rajeev has comprehensive experience in building high-performance teams, in-sourcing vendor operations and auditing IT controls, among others.
RAJEEV VERMA
Deputy General Manager – Information Security, SRF
It is a no-brainer that fighting cyber threats is becoming an increasingly complex and challenging task. With attacks becoming more and more advanced, the defense mechanism has to keep pace.
That is what makes cyber security so different from the rest of the IT functions in the enterprise. While good planning is half the job for the rest of enterprise IT, it is just the baby step in security. Cyber security is probably the only responsive function in the entire technology value chain.
That makes cyber security one of the most suitable application areas for artificial intelligence and machine learning.
AI can be used to collect and analyze security data from different data repositories, track threats and prioritize the response to voluminous alerts. While prevention is better than cure, breaches are a reality, and quick containment can dramatically reduce damages. That is another potential application area. Also, machine learning can help analytics-based defense mechanisms become stronger and stronger.
However, the benefits of AI in cyber security go much beyond fighting threats. Cyber security can be a test-bed for unleashing the true potential of AI beyond efficiency-driven automation applications, which in turn will enhance the depth of AI application in all areas of business.
While AI is a godsend for fighting cyber attacks, it must be remembered that it is available to the attackers as well. In fact, so far, they have been more effective in applying AI to attacks.
Another challenge is unrealistic expectations from AI. One of the biggest short-term challenges is the false assumption that the application of AI to cyber security will bring down the demand for skilled professionals, resulting in fewer low-skilled professionals in the medium run. If anything, it will push up the demand for more highly skilled professionals.
THE PROBLEM
There’s one job where AI has already shown superiority over human beings: cyber attacks. Machine learning, for example, can enable a malicious actor to follow your behavior on social media, then customize the following for you:
• Phishing tweets or emails—just for you. A human hacker can’t do the job nearly as well or as quickly.
• The more AI advances, the more its potential for cyber attacks grows too.
• Techniques like advanced machine learning, deep learning, and neural networks enable computers to find and interpret patterns. They can also find and exploit vulnerabilities.
• Intelligent malware and ransomware that learns as it spreads, machine intelligence coordinating global cyber attacks, advanced data analytics to customize attacks—unfortunately, it’s all on its way to your organization soon.
• AI itself, if not well-protected, gives rise to new vulnerabilities. Malicious actors could, for example, inject biased data into algorithms’ training sets.
CHALLENGES & RISKS
• AI can be used to protect, defend
and to attack cyber infrastructure.
• AI can be used to automatically
identify the attack surface that
hackers can target.
• AI can be misused to perform
more automated and increasingly
sophisticated social engineering
attacks.
• AI-enabled cyber attacks can cause
an epidemic-level spreading of
intelligent computer viruses which
can mutate and evade Antivirus
products.
• The only solution to defend against
AI-enabled hacking is by using AI
• The worst outcome will be beyond
simple imagination, there is potential
to damage human well-being on a
global scale.
THE BEST PRACTICE
TOOLKIT
As organizations face pressure to
design, build, and deploy AI systems that
deserve trust and inspire it, many will
establish teams and processes to look
for bias in data and models and closely
monitor ways malicious actors could
“trick” algorithms.
Governance boards for AI may also
be appropriate for many enterprises.
Public-private partnerships and public-citizen partnerships. One of the best ways to use AI responsibly is for public and private sector institutions to collaborate, especially when it comes to AI’s societal impact. Likewise, as more governments explore the use of AI to distribute services efficiently, they’re engaging citizens in the process.
Self-regulatory organizations to facilitate responsible innovation. Since regulators may scramble to keep up, and self-regulation has its limits, self-regulatory organizations (SROs) may take the lead with responsible AI.
What’s holding AI back in the enterprise?
Q: Which of the following issues surrounding AI adoption concern you the most? (Base: 239)
Increased vulnerability and disruption to business: 77%
Potential for biases and lack of transparency: 76%
Ensuring governance and rules to control AI: 73%
Risk to stakeholders’ trust and moral dilemmas: 71%
Potential to disrupt society: 67%
Lack of adequate regulation: 64%
Source: PwC CEO Pulse Survey, 2017
NEXT STEPS
• Talent shortage in information
security: A report from (ISC)2 shows
that there will be more than 1.5
million unfilled positions by 2020 in
the field of global cyber security. AI
can help in this situation to equip the
professionals with powerful tools
• AI enables analysts to focus on more
advanced investigations rather than
spending valuable time on data
crunching.
• AI, when applied in an interactive
manner, together with humans, can
promise several opportunities for
identifying, combating, and managing
cyber risks.
• There is plenty of academic research on detecting cyber attacks using artificial intelligence. The reported success rate of that research varies between 85% and 99%.
• DarkTrace claims a success rate of more than 99% and also a very low rate of false positives.
• It is up to human imagination. For the sake of clarity, the following application categories can be examined:
  – Spam filter applications (SpamAssassin) to detect malicious activity and stop attacks
  – Using machine learning to analyze mobile endpoints
  – Using machine learning to enhance human analysis
  – Detecting the start of any attack and encapsulating it.
AI in Cyber security: Funding (USD million)
2012: 71.1
2013: 79.4
2014: 347.2
2015: 537.1
2016: 783.7
2017: 806
Source: CB Insights
GARTNER RECOMMENDS
Leaders need to create a 10-year scenario and prepare for the combination of people + AI + robots in the workplace and how they will enrich and invigorate work dynamics.
Future Forward
Envisioning SecDevOps
Applications are one of the softest targets for cyber attackers. Since most applications have not been designed to keep attackers away, and since they contain critical business processes and sensitive organizational data, applications are low-hanging fruit for attackers. Multi-million dollar breaches happen through application compromise.
The reasons are many. Application security exercises in enterprises start pretty late in the cycle. Skilled manpower being a scarce resource, often a couple of security people oversee the security of multiple development teams. In a typical set-up, they end up getting aligned with a few teams they are familiar with, while the other development teams manage with some basic to-do and do-not lists.
Though the Open Web Application Security Project (OWASP) provides a very useful list of the Top 10 web application security flaws along with the nature, severity and impact of each, on-the-ground challenges remain—largely because development, testing and security teams do not work in tandem.
A holistic, risk-based approach that starts with basic security sensitization for developers and quality teams, with periodic assessment based on what is learned, can go a long way in preventing and remediating application breaches. Detection time and cost of remediation are usually directly related: the earlier the detection, the lower the cost of remediation.
The author gets deeper into why there is a pressing need for this approach and how organizations can proceed on the path.
Rajesh has over 22 years of technical experience in the field of program management across all phases of the software development life cycle (SDLC), from requirements gathering to actual implementation. He has international exposure in system study, client requirements and specifications, and implementation. Rajesh is also proficient in analysis, design and development. He has pioneered API banking in the Indian context and has won several awards for the organization. He also has an excellent understanding of business flows, particularly in manufacturing, telecom and financial services including insurance and banking.
RAJENDRA MHALSEKAR
President and Head Corporate Banking Technology, Yes Bank
THE PROBLEM
• 2017 saw various cyber security attacks, ransomware and malware, globally
• This emphasized the need for an enterprise-wide strategy to deal with such situations, both preventive and reactive
• The application security layer is the hardest to defend
• Highly important since core business logic resides in the application
• 37% of all attacks are aimed at the application layer
• SQL injection and cross-site scripting are the commonest attacks
• Attackers can potentially use many heterogeneous paths through an application to harm the business
• QA and software teams lack the knowledge and incentives to address vulnerabilities early in the SDLC.
• The earlier the detection, the lower the cost of remediation.
CHALLENGES & RISKS
Challenges to secure application
development
• Developers are not security experts
Threat Agents | Attack zones | Security weakness | Technical Impacts | Business Impact
1 | Attack1 | Weakness1 | Asset1 | Impact1
2 | Attack2 | Weakness2 | Asset2 | Impact2
3 | Attack3 | Weakness3 | Asset3 | Impact3
4 | Attack4 | Weakness4 | Asset4 | Impact4
5 | Attack5 | Weakness5 | Asset5 | Impact5
• Hackers are becoming more and
more aggressive
• Incentives in organization work
against strong emphasis on security
– faster delivery is more appreciated
• Resource crunch for security
initiatives
Attackers can potentially use
many heterogeneous paths through
application to harm the business. Each
of these paths need to be analyzed and
risks assessed and then remediated
based on priority.
Major vulnerabilities
• SQL injection
• LDAP injection
• Cross-site scripting
• JSP file inclusion
• Remote code execution
Inventory – Attributes
& Risks
• Name of application
• Business owner
• Creation date
• Customer facing? Internal?
Partner facing?
• Functional complexity
• Infrastructure complexity
• Age in production
• Platform (web/mobile/c-server)
• Compliance requirements
• Reputation risk
• PII
• IP
• Legal obligations (HIPAA/PCI)
Next step would be to assess risk
for each attribute. Relevant stakeholder
participation in this exercise is a MUST.
Application Security Testing
• White-Box analysis – static analysis
• Dynamic analysis – simulates many of the techniques used by cybercriminals and hackers
• Interactive Analysis – Glassbox
analysis- combination of both inside
and outside impact
• Mobile app analysis to detect client-
side vulnerabilities.
Feature of Testing Solution:
• Vulnerability testing throughout
SDLC
• Scalable
• Accurate
• Covers modern and complex sites
and major code changes
• Equipped to detect mobile
application vulnerabilities.
Risk Determination and
Prioritization
• Determine risk rating for each of the
applications. These applications and
the individual risk could be classified
as critical, high, medium, low.
• Create remediation plans based on
priority which will align with the
overall risk strategy
• Focus on preventing breaches that
might have bigger business impact
- may put in some compensating
controls.
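The inventory attributes and the risk determination steps above can be turned into a small, repeatable scoring routine. The block below is an added example written for this article; it is not the author's or Yes Bank's own tooling. It assumes an additive score over the inventory attributes the article lists (exposure, platform, complexity, PII, IP, legal obligations, reputation risk, age in production), assumed score bands for the critical/high/medium/low classes, assumed severities for the vulnerability classes named under "Major vulnerabilities", and an assumed priority threshold above which an interim compensating control is flagged. The sample inventory and findings are constructed for illustration.

```python
"""Application inventory risk rating and remediation prioritization.

Added example (not from the original article). Every weight, threshold and
sample record below is an assumption chosen for illustration; a real program
would calibrate them with the stakeholders the article says must take part.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AppRecord:
    """One row of the application inventory, using the article's attributes."""
    name: str
    business_owner: str
    exposure: str                       # "customer", "partner" or "internal"
    platform: str                       # "web", "mobile" or "client-server"
    functional_complexity: int          # 1 (simple) .. 3 (complex)
    infra_complexity: int               # 1 (simple) .. 3 (complex)
    handles_pii: bool
    handles_ip: bool
    legal_obligations: Tuple[str, ...]  # e.g. ("HIPAA", "PCI")
    reputation_risk: int                # 1 (low) .. 3 (high)
    years_in_production: int


# Assumed weights: exposure to untrusted users dominates, then data sensitivity.
EXPOSURE_WEIGHT = {"customer": 4, "partner": 3, "internal": 1}
PLATFORM_WEIGHT = {"web": 2, "mobile": 2, "client-server": 1}
# Assumed score bands, checked from the top down.
RATING_BANDS = ((16, "critical"), (12, "high"), (8, "medium"), (0, "low"))
RATING_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Assumed severities for the vulnerability classes the article names.
VULN_SEVERITY = {
    "remote code execution": 5,
    "sql injection": 4,
    "ldap injection": 4,
    "jsp file inclusion": 4,
    "cross-site scripting": 3,
}
INTERIM_CONTROL_THRESHOLD = 12  # assumed: at or above this, add a compensating control now


def risk_score(app: AppRecord) -> int:
    """Additive score over the inventory attributes (higher = riskier)."""
    score = EXPOSURE_WEIGHT[app.exposure] + PLATFORM_WEIGHT[app.platform]
    score += app.functional_complexity + app.infra_complexity
    score += 3 if app.handles_pii else 0
    score += 2 if app.handles_ip else 0
    score += 2 * len(app.legal_obligations)           # each regulated regime adds exposure
    score += app.reputation_risk
    score += 1 if app.years_in_production > 5 else 0  # long-lived apps accumulate drift
    return score


def risk_rating(app: AppRecord) -> str:
    """Map the score to the article's critical/high/medium/low classes."""
    score = risk_score(app)
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label
    return "low"


def remediation_plan(apps: List[AppRecord], findings: List[Tuple[str, str]]) -> List[Dict]:
    """Order findings by application rating x vulnerability severity.

    `findings` are (application name, vulnerability class) pairs from testing.
    Ties are broken by the application's rating, then by name, so the plan is stable.
    """
    by_name = {app.name: app for app in apps}
    plan = []
    for app_name, vuln in findings:
        rating = risk_rating(by_name[app_name])
        priority = RATING_WEIGHT[rating] * VULN_SEVERITY[vuln.lower()]
        plan.append({
            "app": app_name,
            "vulnerability": vuln,
            "rating": rating,
            "priority": priority,
            "interim_control": priority >= INTERIM_CONTROL_THRESHOLD,
        })
    plan.sort(key=lambda f: (-f["priority"], -RATING_WEIGHT[f["rating"]], f["app"]))
    return plan


# Constructed sample inventory and findings (not real systems).
SAMPLE_APPS = [
    AppRecord("netbanking-portal", "retail-banking", "customer", "web", 3, 3,
              True, False, ("PCI",), 3, 8),
    AppRecord("vendor-invoice-api", "procurement", "partner", "web", 2, 2,
              False, False, (), 3, 6),
    AppRecord("hr-leave-tracker", "human-resources", "internal", "web", 1, 1,
              True, False, (), 1, 3),
    AppRecord("cafeteria-menu", "facilities", "internal", "mobile", 1, 1,
              False, False, (), 1, 1),
]
SAMPLE_FINDINGS = [
    ("hr-leave-tracker", "remote code execution"),
    ("cafeteria-menu", "sql injection"),
    ("netbanking-portal", "cross-site scripting"),
    ("vendor-invoice-api", "sql injection"),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(f"{app.name:20} score={risk_score(app):2} rating={risk_rating(app)}")
    for item in remediation_plan(SAMPLE_APPS, SAMPLE_FINDINGS):
        print(item)
```

The point the ordering makes is the one the article's "Risk Determination and Prioritization" step implies: a medium-severity flaw in a critical, customer-facing application outranks a critical flaw in a low-rated internal one, and the highest-priority items are the ones that justify a compensating control while the fix is pending.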
NEXT STEPS
SMART: SMART working is a security journey
• Systems driven
• Measured progress tracking
• Analytically supported
• Resource intensive in terms of the right technologies or resources
• Time measured to control deviations.
Application Monitoring in
Production
• Detected vulnerabilities can be shared with an IPS, which may then protect against attacks aiming to exploit these vulnerabilities.
• The information available should be shared among the relevant stakeholders for effective control of any breaches.
• Database vulnerabilities can be easily pinpointed by such sharing.
• This would help in strengthening the WAF in terms of security patches.
STRIDE
• Spoofing identity
• Tampering with data
• Repudiation. Non-repudiation refers to the ability of a system to counter repudiation threats
• Information disclosure. Information disclosure threats involve the exposure of information to individuals who are not supposed to have access
• Denial of service
• Elevation of privilege.
PONEMON INSTITUTE RECOMMENDS
Immature application security initiatives in many organizations aren’t effective at combating risk. Additionally, the proliferation of new and updated applications can introduce new vulnerabilities into ambitious product release environments that are fed by end-user demand for fresh versions and functionality. In fact, 56% of respondents stated that the pressure to release new applications quickly was a significant barrier to making their security posture as effective as possible. Application vulnerabilities represent risk vectors that cannot be ignored. As the number of applications that your company releases grows, the situation will only become worse — especially if it isn’t addressed immediately.
Future Forward
Bimodal Security
Rajiv is Director, VP - Global Information Security & CISO, VP – Facilities at Innodata, with offices in the US, Israel, the Philippines, Sri Lanka and India. He leads the data security and data protection practices at the organization. He is in charge of all the security requirements and compliance covering project delivery and all support functions. He also takes care of the information security requirements of the general IT controls in Sarbanes-Oxley compliance.
RAJIV NANDWANI
Director, VP – GIS & CISO, VP – Facilities, InnoData
The security challenges around traditional legacy systems in Mode 1 are already familiar to organizations. However, Mode 2 offers the kind of agility and flexibility that organizations require today so that they can focus on data and information security.
With the help of bimodal IT, organizations can now secure their assets across both legacy systems and the cloud. This means that the demands of both securing information and securing data flow are met. As a result, security and risk leaders no longer have to deal with the two entities in isolation. They must also understand the link between Mode 1 and Mode 2 in order to carry out risk assessments of how data moves between the two environments from the start.
This bimodal strategy allows organizations to turn risk management into a continuous and ongoing process, tightly knit into the organization’s security framework.
Bimodal IT has the power to transform how organizations operate. It impacts technology as much as how IT operates. It also dramatically changes how a business runs. Don’t try to retrofit security to a bimodal IT environment once the data is flowing; it will be a nightmare. Use bimodal to focus on pulling IT and business together to collaboratively innovate and bring new products and services to market quickly.
What is Bimodal? (Source: Gartner)
Run → Differentiate → Innovate
Mode 1: predictable, reliable, risk-averse, standards-oriented, rigorous governance
Mode 2: exploratory, adaptable, no fixed rules, risk taking
THE PROBLEM
Bimodal is the practice of managing two separate but coherent styles of work:
1) Focused on predictability
2) Focused on exploration
Mode 1 is optimized for areas that are more predictable and well-understood. It focuses on exploiting what is known, while renovating the legacy environment into a state that is fit for a digital world. Mode 2 is exploratory, experimenting to solve new problems and optimized for areas of uncertainty.
WHY DOES IT EXIST?
• Both modes exist and are essential to create substantial value and drive significant organizational change. Neither of these models is static and both are evolving.
• Marrying a more predictable evolution of products and technologies (Mode 1) with the new and innovative (Mode 2) is the essence of an enterprise bimodal capability. Both play an essential role in the digital transformation.
HOW DO WE DEAL WITH IT?
Under Gartner’s model we can divide a big chunk of enterprise IT into two kinds of systems:
• Systems of record - manage the sensitive data that is most valuable to our organizations (like bank account information)
• Systems of engagement - the public-facing systems through which customers access our services
This approach creates two separate groups: a fast team that focuses on digital exploitation and a separate traditional IT group that focuses on the classic back-office systems of record.
CHALLENGES & RISKS
1. From a one-size-fits-all model we move to a two-sizes-fit-all model.
2. The risks inherent in building and evolving systems of record are better managed through waterfall, yet changing the systems at the heart of many enterprises, usually decades-old COBOL software running on mainframes or packaged software built by vendors, is painful, expensive and risky.
3. Agile methods are better suited to building and managing systems of engagement, but investment is still needed to maintain systems of record that become increasingly complex and fragile over time, while the expected return on investment from adopting agile methods fails to materialize.
4. It creates a two-class system that adds complexity and kills culture. At a time when businesses need to drive speed and agility, it makes no sense to have two groups competing for funding, resources, skills and the business’ attention.
5. It focuses on a technology-centered model that does not connect to customers. Firms are instead explicitly linking performance metrics to customer improvements as a way to break down the silos and drive more aligned behavior in service of the customer.
6. It perpetuates the myth that back-end systems can be left as they are. While some systems may change less frequently, they need to evolve quickly when they do change. Customers’ expectations necessitate the streamlining of operational processes and systems, while digital disruption forces organizational simplicity and agility.
7. It engages and energizes the C-suite and board around technology’s role in improving customer experience, differentiating products and services, and building partner ecosystems.
8. It empowers business leaders to take ownership: leading e-commerce, field service and product development groups take a more activist role in a BT strategy.
CHALLENGES – SECURITY
1. Continuous delivery - DevOps is a key component of IT delivery, so security checks have to run at the pace of the release pipeline rather than as a gate at the end.
2. Cloud service integration - the potential security weak link here is the integration and communication between the cloud services and the existing in-house systems of record.
3. Shadow IT (systems and solutions built and used inside organizations without explicit approval) - Gartner estimates that just over a third of the money spent on cloud is being spent on shadow IT.
4. Integration of multiple cloud suppliers - putting the cloud at the forefront of service delivery means organizations will have to integrate and manage many more suppliers than before.
5. Increased risk of reputational damage - delivering more digital services through bimodal IT in itself increases the security risk, and with it the exposure to reputational damage.
6. The number of mobile devices staff use to perform their jobs on a daily basis will continue to proliferate, as will the breadth of the application ecosystem.
THE BEST PRACTICE
TOOLKIT
Step 1. Prepare security and risk
management teams for bimodal IT
• Drive an education program on
bimodal IT
• Evaluate the current state of bimodal
IT in the organization
• Identify the primary skills and
technology gaps
Step 2. Build additional organizational
capabilities to support increased agility
and defend against new digital risks
Step 3. Manage security throughout the
project life cycle.
Step 4. Maximize effectiveness with a
bimodal security program.
NEXT STEPS - ALIGN THE MODEL
1. Customer-led, through fused design thinking and an agile methodology - success starts with an outside-in focus on delivering new sources of value to customers in both B2C and B2B settings.
2. Insights-driven, with new skills and systems of insight.
3. Fast, by closing the speed gaps - the faster you execute, the more quickly you will win customers over.
4. Connected, through APIs, modern architectures and ecosystems.
5. Continuous risk management - after the initial risk assessment for bimodal IT, a set of control requirements can be defined and improved on a continuous basis, enabling periodic checks and balances.
6. Automation - automation is absolutely essential to addressing bimodal IT security issues. Application and data monitoring and automation of the risk management processes ensure they can be operationalized in an easy and repeatable manner.
7. Encryption - there is a greater requirement for encryption technologies in bimodal IT delivery to remove some of the risks posed to data as it flows across public or private clouds and in-house IT.
8. Identity - identity management is essential to enforce the appropriate levels of trust and verification.
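Items 7 and 8 above, encrypting data in flight between in-house IT and the cloud and using identity to enforce trust at that boundary, can be combined in one control. The Go program below is an added example, not code from the article or from Innodata: it seals a record leaving a Mode 1 system of record with AES-256-GCM and binds the ciphertext to a context string naming the source system, the destination system and the calling identity, so that a Mode 2 cloud service can only open envelopes that were sealed for it. The key derivation, the context format and the system names (core-banking, mobile-api, partner-portal) are assumptions made for illustration; in a real integration the data key is issued per integration by a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Envelope is what crosses the boundary between the in-house system of record
// (Mode 1) and the cloud-hosted system of engagement (Mode 2). Context travels
// in the clear but is authenticated, so the receiver can check it before
// decrypting; Nonce and Ciphertext are produced by AES-256-GCM.
type Envelope struct {
	Context    string
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts payload under key and binds it to context, which is passed as
// the GCM additional authenticated data. Nothing in context is secret, but any
// change to it, or to the ciphertext, makes Open fail the authentication tag check.
func Seal(key, payload []byte, context string) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, payload, []byte(context))
	return Envelope{Context: context, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the receiving side's policy check followed by decryption. The receiver
// states the only context it accepts (itself as destination, the source it
// trusts, the identity allowed to call). An envelope sealed for another context
// is rejected before the key is used; a relabelled envelope fails the tag check.
func Open(key []byte, env Envelope, expected string) ([]byte, error) {
	if env.Context != expected {
		return nil, errors.New("envelope context does not match receiver policy")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Context))
	if err != nil {
		return nil, errors.New("authentication failed: envelope altered or sealed for another context")
	}
	return pt, nil
}

// DemoKey stands in for a per-integration data key issued by a KMS or HSM.
// Deriving it from a fixed string is an assumption made so the example runs
// offline; never do this in production.
func DemoKey() []byte {
	k := sha256.Sum256([]byte("demo-key-core-banking-to-mobile-api"))
	return k[:]
}

func main() {
	key := DemoKey()
	// Constructed sample record leaving the system of record.
	record := []byte(`{"customer":"C-1001","balance":"125000.00"}`)
	ctx := "src=core-banking;dst=mobile-api;subject=account-service"

	env, err := Seal(key, record, ctx)
	if err != nil {
		panic(err)
	}
	fmt.Println("ciphertext:", hex.EncodeToString(env.Ciphertext))

	// Intended receiver: recovers the record.
	pt, err := Open(key, env, ctx)
	fmt.Println("mobile-api:", string(pt), err)

	// Same envelope replayed into a partner integration: rejected by policy.
	_, err = Open(key, env, "src=core-banking;dst=partner-portal;subject=account-service")
	fmt.Println("partner-portal:", err)

	// Attacker relabels the context to match the partner's policy: tag check fails.
	forged := env
	forged.Context = "src=core-banking;dst=partner-portal;subject=account-service"
	_, err = Open(key, forged, forged.Context)
	fmt.Println("relabelled:", err)
}
```

Run it with `go run`: the second Open call fails on policy before the key is touched, and the third fails the GCM tag check because the context is part of what the tag covers. GCM nonces must never repeat under one key; the random 96-bit nonce used here is fine for moderate volumes, and a per-integration key rotated by the KMS keeps the message count per key low.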
GARTNER RECOMMENDS
To support bimodal initiatives, risk and security leaders must take steps to prepare security and risk management teams for bimodal IT: learn about bimodal IT, evaluate where the organization is on the bimodal journey, and identify the primary skills and technology gaps. They must build additional organizational capabilities to support increased agility and defend against new digital risks, understand the higher risk appetite represented by Mode 2 projects, and adapt security practices to the pace of Mode 2 projects, with a focus on low interference during early stages and continuous monitoring of security debt.
Managing Compliance
There is little doubt that companies across all industries are
confronted by a proliferation of regulatory requirements,
stakeholder expectations, and business model changes.
Not only are organizations expected to comply with laws
and regulations, but they also have to be mindful of being ethical in
behaviour and protecting their brand.
These challenges are even more acute in highly regulated
industries such as financial services, telecom, health care, life sciences,
travel and hospitality, where the information security needs have
evolved beyond mere compliance to include strategic issues such as:
• Analyzing the impact of emerging regulations on business models
and on existing processes and systems
• Ensuring proper roles and responsibilities amongst legal,
compliance, audit, IT and business functions
• Driving a culture of compliance across diverse geographies,
functions and operational teams
• Managing remediation in more complex and diverse environments
• Ensuring that the compliance program keeps pace with the
evolution in the organization’s business strategies
The scope of Governance, Risk & Compliance (GRC) doesn’t end
with just governance, risk, and compliance management—it also
includes assurance and performance management. This means that
the GRC framework is further getting extended to information security
management, quality management, ethics and values management,
and business continuity management.
For CISOs, sustaining a continuously evolving information security
GRC program in a changing risk landscape while meeting multiple
compliance requirements represents a significant challenge. Since
managing risk is a reality of doing business, it is essential that cyber
security practitioners look at implementing a comprehensive risk
management program that can be integrated into all layers of the
organization, and in all functions.
Satyanandan is Chief Information Security Officer (CISO) for Bharti AXA General Insurance. Prior to this, he was leading the Risk Management function at Bharti AXA General Insurance. He comes with 13+ years of global experience across industry domains viz. insurance, capital markets and automotive, and in multiple geographies such as Europe, the Middle East and Asia Pacific, in enterprise risk management, operational risk, financial risk, information security, IT risk management, data privacy, data protection, business process design, risk advisory, IT audit and outsourcing risk.
SATYANANDAN ATYAM
AVP, Head Risk Management & CISO, Bharti AXA General Insurance
THE PROBLEM
• Aadhaar data
  - Business processes that capture customer Aadhaar numbers
  - Employee Aadhaar numbers collected by HR
• Regulation
  - Businesses should onboard to cloud services within India’s jurisdiction
• Sensitive personal data
  - Many businesses operate with integration with multiple vendors and partners. Regulation requires insurance, banking and telecom companies to protect sensitive personal data
  - The existing risk management framework is not comprehensive enough to validate controls across all third-party frameworks. Robust implementation is limited to internal company systems and processes
Why Does It Exist?
• Digitization and automation are driving business operations
• Data safeguards are important from a competitive and regulatory perspective
• IT, as custodian of business data, needs to align with compliance and risk management requirements
• Risk and compliance requirements for the business should be embedded through IT controls
THE CHALLENGES AND RISKS
Let’s see the bigger context, which makes an enterprise digital platform a must. What was within the enterprise premises (or an extended physical premises) has moved beyond boundaries. The situation has become more complex, because:
• The traditional IT architecture is challenged by the emerging cloud computing paradigm
• There is a plethora of devices from many access points and on multiple platforms
• Multiple stakeholders, each with unique ‘interaction requirements’. The enterprise platform is opened to customers from a customer service or e-commerce perspective
• Multiple and ever-growing applications meeting the unique requirements of the stakeholders
• As a result of multiple devices, users and applications, data is exploding and flows across the enterprise boundary
• Increasing pressure for speed, compliance, security and governance
The legacy enterprise platform is becoming inadequate to meet the emerging priorities of CIOs.
Figure: Information Governance Program Must Incorporate Different Needs
• Business perspectives: CFO, HR, business units, end-users
• Technology perspectives: CIO, storage administrator, application administrator, messaging administrator
• Legal and compliance perspectives: general counsel, litigation, compliance, risk management, audit, information security, records management
THE BEST PRACTICE TOOLKIT
• Automated analysis
• Build an incident response (IR) team
• Define response team roles
• Train the response team
• Identify plan gaps and areas for improvement before an incident occurs
• Assess IR plan effectiveness and the IR team’s ability to execute
• Tools: QRadar, ArcSight, Splunk
NEXT STEPS
• Utilize and scale your teams to
provide 24x7 threat monitoring
• Prepare for, and proactively hunt, threats
• Apply predictive/proactive
intelligence
• Detect the unknown with enhanced
analytics
• Use artificial intelligence (AI) and
machine learning (ML) for analytics
• Extend threat visibility to the cloud
Identify threats early to
mitigate risk
• Empower IR Team
• Build communications flows and
procedures
• Define roles in the response team
• Identify gaps in response plans
• Learn from incidents and apply
findings
Invest in Success
• Automate as much as possible to
reduce the load of Level 1 tasks
• Share information and eliminate silos
between teams
• Provide threat intelligence feeds
and security tools to make teams
successful
• Retain top talent and feed their thirst
for knowledge
• Train employees, your first line of
defence
• Evolve your SOC by combining
technology and human expertise
• Do the basics well – regular patching,
hiring the right people
• Empower your resources
• Adopt a proactive approach to deter
emerging threats
• Integrate deception technologies to
bait attackers
Figure: Information Governance Program Must Incorporate Different Needs (governance domains)
• IT Governance: IT risk management, portfolio management, project management, ISMS, Val IT/COBIT, ITIL, Six Sigma
• Data Governance: master data management, data quality, data architecture, data security management, CISO and DPO interface points for data governance
• Risk Management & Compliance: compliance risk management, regulations and standards, statutory requirements
GRANT THORNTON RECOMMENDS
To move beyond compliance, risk
management functions need to
understand the need for efficiency. By
embracing new capabilities, such as
distributed ledger technologies, and by
streamlining processes, risk managers
can do more with less and meet the
financial expectations of shareholders.
Data analytics is foundational to the
final step, helping the enterprise to
anticipate and address non-financial
risks, especially those introduced by
digital business models. This will require
dedicated C-level risk leadership and
the willingness to invest in the tools and
capabilities necessary to empower your
risk function to drive real value.