In Nilesh Jain, Country Manager, India & SAARC, Trend Micro speaks on changing security perspectives with evolving roles of CSOs and CIOs and key technology, security and collaboration trends at Trend Micro's CloudSec India 2017 event in Mumbai.
Excerpts from the interview:
Do you think that security is still a tactical issue in an organization and especially an Indian organization?
Not at all. There was a time when organizations used to look at security as an inhibitor. Security now is an integral part of business. This is because most of the organizations, whichever business you are in, FMCG or consumer durable or banking or services, if they want to survive, strive and excel in the competitive environment today; they have to adopt the new technology. They have to go for big data wave. They have to embrace artificial intelligence, robotics or cloud. Whenever you are adopting those technologies you are opening up your peripheries. You are letting your internal users go outside your periphery; your servers are moving out; your mails are moving out. Basically you are adopting the flexibility to adopt the new technology. So whenever those technology landscape changes, it brings in new security issues. If organizations have never thought about security, it becomes a business problem. It’s neither a security problem nor an IT problem. However, when they are looking at adopting new technology and if they have taken care of security, security becomes the enabler. So there are two organizations: let us say for example organization A, who is looking at adopting a cloud but since there is competitive environment, they want to go faster to the customer and consumer. But then they adopted the cloud without thinking about security. After moving to the cloud, they thought there is a security issue. Once when they were hit with some attacks then they started realizing that security should have been taken care of. Then there is an organization B who made sure that security measures and policies are in place and they can immediately move to cloud. The first organization always looks at security as an inhibitor while the second organization looks at security as an enabler. So it’s a perspective. Most of the times if the organization wants to succeed in adopting the technology they have to make sure the security have been the first thing that they have to take care of.
Some organizations have embedded security as a strategic function to their organization. In the beginning of 2017 when WannaCry and then Petya happened, it did not really impact us so heavily, as per some Trend Micro reports. But it taught us a lesson for sure. Now if you could tell us what has been the scenario, with regards to not-so-mature companies, which have been concerned like: What am I to do now and how do I get my systems updated? What are some of the questions and concerns that you keep hearing in your conversations?
WannaCry and Petya have actually made a few customers aware. Not that the problems were not there. Not that security was ever a concern. Security has always been a concern. Those customers were agile and conscious and were already adapting to it. They were already doing all the patching. But those customers who always thought that security is the last thing on my check list, they were always caught off-guard. And then it becomes a pain for them. That is why IT security team is the team who always works for future. Today you should be talking about how you are going to help your organization at the new technology. Further, when a new technology comes in, the relevant security measures need to be considered. So those are the key KRAs for organizations today rather than WannaCry and Petya. That’s the reason many organizations were not worried because they were already agile. I wouldn’t say all of them but lot of them were agile and they took precautionary measures and were not impacted. Those who were impacted learnt the lesson the hard way.
I think this is more for the mature organizations that they are always trying to valuate control versus convenience. I am sure you have had a lot of conversations. So what is the way out? How much can you actually balance?
I would say convenience is something that has no boundaries. There were organizations which never used to allow USB, mobiles and Internet. However, for them in commercial business, it would be very difficult for them to survive and excel. Thus, they have to let users start using their mobile because at the end of the day you want them to use applications when they are roaming. You have to identify what level of boundary you need to give them. Controls are something which you can inculcate as part of your process. Then once you start following it, it is no more a control. It becomes a business habit. Therefore, security has to be part of the DNA. It is something they have to understand and when they start following, it is no more a control. It becomes a lifestyle for them.
So you are basically saying that it has to be a culture?
Yes, it has to be.
Organizations who have figured that out are actually in that space right now.
It is not just a CSO job. It is everyone’s job who is working in the organization. Each and every employee is responsible for security.
Banks were always very proactive with their security measures. But the role is also changing. Till now you were just talking to the CIOs and CSOs who were not really the key decision makers for a long time. If you look at it now, how do you think the security conversation is changing because of the evolving role?
I agree a lot. Earlier I remember CSOs were the people who were just there to do the compliances. With IRDA, RBI, PCI, BSS coming, their job was to make sure that they keep the compliance team happy and all the tick marks are taken care of. As long as those people are happy and you are meeting your compliances, CIO doesn’t worry and he/she doesn’t provide you any more budget. He/she says your compliance has been made and that’s good enough money for you to invest in security. Now it is no more about compliance. They have moved beyond compliance. Compliance is one part of it. But there are two things that they are now worried about. The first thing is worrying about losing their reputation, data and businesses and you get compromised if you are a big bank. You can’t afford to do that because you lose the trust from your consumers - the users who are using your services. The other thing is if you don’t have security measures, you won’t be able to adapt the new technology. And if you don’t adapt the new technology, you won’t be able to compete in the market. Hence survival in the market becomes difficult. Because your competitors have adopted the technology, consumers are getting better services with them and you lose your competitive advantage. Now even the boards are more eager to invest money in security rather than just looking at compliance perspective.
What are the top three important trends you see yourself focusing on in the next few years, from the technology, security and collaboration perspectives?
One of the biggest roles that we see we playing in the next 3 years is how we can help organizations understand the changing landscape well. The moment they are moving to cloud or adopting new technologies, they are losing the basic principle of security which is getting visibility in terms of understanding what exactly is happening in the network. You move to Office365, your mills are outside; you move to AWS, your servers are outside; you move to mobility, your end points are roaming everywhere and then you might not even have one tool which can give you visibility of what exactly is flowing around within the network and within the end point. So our job is to work with customers and give them the latest technology which helps them look at the visibility of the basic hygiene of security. Where we need to excel is to prepare customers to adopt new technologies. So that’s where we are going to work with most of the organizations and that is how we in India not only work with customers, but also work with cloud service providers like AWS and SGore and even VMware. We keep on working with them closely. You might see VMware and most of the cloud service providers are coming here. So we see that in isolation of ourselves, we can’t do our job. We have to work with those people and have a partnership and provide a solution to the customer and make sure that they are prepared for tomorrow. We are also preparing ourselves with regards to IoT. We have a lot of investment going on. We will be talking about and educating the customers about threats in IoT. But it’s going to take some time. Right now we have few things which our customers are pretty much worried about and we are addressing those, such as targeted attack, cloud security, etc. CIOs and CSOs are also concerned about end point remediation. Thus, we need to take an integrated approach to make sure they have all the required solutions.
Add new comment