Parag Deodhar, Chief Risk Officer, Bharti AXA General Insurance, believes that there is no limit to the security measures you can take against emerging threats. In discussion with Sanjay Kumar of CSO Forum, he throws light on the challenges he anticipates in 2015 and how he plans to tackle them.
Information security has always been challenging. How do you see the threat landscape evolving in 2015?
Today organisations are moving towards BYOD and cloud architecture. It includes various entities such as PaaS (Platform as a Service) and DaaS (Data as a Service). The access management in the cloud (Identity and Access Management System) includes both privileged users and employees. The biggest challenge is to eliminate employees' access to the cloud when they leave the organization. This should happen before the information or corporate data gets compromised.
Do you see the role of CROs (Chief Risk Officer) and CDOs (Chief Digital Officer) gaining relevance in the time to come?
The role of CDO is currently evolving. As of now, there are not too many CDOs, and only some companies have this position. But we have already prepared a route map in this direction, and very soon we will have a CDO. The CRO is important because of regulatory reasons in banks and insurance companies. There are a few regulations, like ‘Clause 49’, but they really do not mandate a company to have a CRO. Moreover, most enterprises still do not have this position.
On the other hand, if CISOs have a business background, they have a good chance to evolve into both CRO and CDO roles, because in digital (CDO) you need to have a cyber security approach with a business mindset.
What new technologies are you planning to deploy in 2015?
We are looking towards cloud and its applications, plus the Identity and Access Governance System. Additionally, we want to cover the issues of mobility and insider threat. This is one step higher than the classic access rights and management architecture. It will cover multiple password issues with a single ‘sign in’ and cloud access management. Therefore, holistically, this new architecture will cover everything.
What specific challenges do you foresee for your organisation?
The foremost challenge for our company is mobility. Being a finance company, we have to be extra cautious about customer and company data. So, data privacy and confidentiality issues are always present, and are among the biggest concerns for us. The second challenge is the ongoing cloud implementation for our company. We are moving to Microsoft Office 365 and Salesforce.com. Going forward, the major task would be controlling numerous cloud applications.
Further, the third challenge is correlating all this data. As data is no longer on the office premises, DRM (Document Rights Management) and IRM (Information Rights Management) are important areas of concern for us.
BYOD augments productivity and employee satisfaction. What’s your view on balancing increased productivity with the security threat?
We need to strike a balance between these two factors. Enterprises are not putting appropriate controls in place. First, we need to segregate the company and personal data (sandboxing). The second important factor is access management. An employee's access controls should be deactivated once the employee quits the organization.
Also, productivity is only one side of the coin. We need to look into the gravity of this matter, which is ‘cost of breach versus cost of controls’. Generally, after putting in an MDM, we augment it with sandbox architecture. This is further followed by implementing SIEM (Security Information and Event Management). If you take all this into account, the cost effectiveness of this model is highly uncertain.
As a solution, how effective is MDM?
There are major issues regarding the efficiency of an MDM. When it is a company-owned device, MDM is perfectly fine, as in this case the company has the legitimate right to manage it. But when the device is owned by the employee (BYOD), they will not be comfortable with the company managing their device.
How have you deployed your BYOD policy?
I do not want to manage multiple devices. My only concern is to supervise corporate data. As long as that is secure, it does not matter where the data resides. Further, as new platform-based devices apart from Apple OS, Android and Windows enter the market, we will need to improvise to stay in sync with them. But as of now, our concentration is mainly on Android, Windows and Apple-based devices, as they are the major ones.
Is lack of security awareness among employees the main reason for inadvertent loss of corporate data?
People are always the weakest link in any organisation. And, even if you put the best of controls in place, a single instance of password sharing can collapse the entire system. So the only solution lies in educating them and making them aware of the security risk as far as possible. Basically, we need to build a culture and mindset of risk management.
What about “Insider Threats”? How are you tackling this?
The insider threat has always been a vital issue. It is human psychology that when a person leaves the organization, he thinks that the work he has done belongs to him and not the organization. But now we have placed controls like a DLP (Data Loss Prevention) system and are continuously monitoring emails and USB access.